Hi LetsEncrypters,
I'm no longer a neophyte with certbot, having some 50-ish domains for which LetsEncrypt has provided certificates. BUT, that doesn't mean I know all that much about it, only that I've managed to get certbot to do what I need it to do. ...Until now.
Background
A non-profit organization which my systems host (for free - hey, they're a charity!) originally chose two versions of one domain name - in case people were confused in how to spell it. No problem so far, but this of course counts as two domain names.
For each, from inception they've both had two subdomains for each domain in their one certificate, one for "mail" and one for that annoying www prefix (how the heck do we get people to STOP asking for this archaic noise?! in 1995 it may have been useful for SOME. Today?!), making six entries in the cert, including the domain's entry and the mail and www subdomains for each of the two domains. For convenience, let's call these PrimaryName and SecondaryName, for the two spellings, respectively.
NOTE: The mail subdomain is important to have in the cert because it's used by the mail server!
Then, they found out their organization's name was misleading people and decided to rename it, but keep the old for those past supporters to find them still. No problem, we just added a whole new set, making NINE entries in the certificate so far. STILL there's no problem. I just kept making new certs with the -d flag.
Then, they decided that people were having trouble using email clients and wanted to use webmail, like, say, gmail or hotmail or some such. So, OK, but we realized that for practical reasons, we needed to put the webmail on another pair of servers (never mind why!) so the DNS needed to be lied to for whenever cert renewal happens. ...SURE, just more entries on the -d command! I at least THOUGHT this went well.
Note that this now means that for each domain the cert contains the domain name by itself, and with the www, mail, webmail, and webmail2 subdomains, making ten entries in the cert.
Problems Begin
I'm not 100% sure, but I think this was all working fine until the next renewal when I forgot to switch the DNS back to the one server for cert renewal. OOPS!
OR, maybe instead it was when they also decided to drop a domain entirely - why should a poor charity spend money on a domain name renewal when the logs show nobody's really using the alternative spelling?
This is when things broke, I think, but I never noticed until a new person complained that they couldn't get to the site at all. ...I found that their web browser didn't even bother to tell them there was an expired cert (a HEINOUS practice if ever there was one!), and so I investigated and found the expired cert, of course.
The question was why hadn't the cron-based auto-renewal worked? I presumed it was because of the DNS entries I had forgotten to move over to the one location that the cert renewals are done on. But it was more complicated than that...
In short, I switched the former Primary domain with the new Primary domain, and this included getting rid of both the former entries in the live and renewal directories. I created the new cert including all 10 entries using our Fedora Server 30 based (yeah, not quite current) system's certbot-1.3.0-1.fc30.noarch (and matching python3 packages).
However, this "working cert" only supports the still extant Primary Domain and one subdomain, www!
That it doesn't support the older domain at all AND doesn't have the mail and webmail subdomains MATTERS A LOT!
This is crazy because it should be supporting TEN entries, five for each, and I have ZERO idea why or how, or anything!
I'm a little hesitant to post the actual commands because this is for a non-profit that doesn't deserve bad entries out there in the world. However, here's the form of the command:
certbot install -d PrimaryDomain,www.PrimaryDomain,mail.PrimaryDomain,webmail.PrimaryDomain,webmail2.PrimaryDomain,SecondaryDomain,www.SecondaryDomain,mail.SecondaryDomain, webmail.SecondaryDomain,webmail2.SecondaryDomain
Presently, the cert ONLY contains PrimaryDomain and www.PrimaryDomain. That means it's missing EIGHT entries! How could it even have created a cert with ONLY these two entries in it?!
OK, I'm LOST!
Hopefully I've just forgotten something about how to get certbot to do this correctly, but if so, it's sure not obvious what that is?!
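Added example, not part of the original post: a small Python check that parses the -d list from the command above, pulls the DNS names out of `openssl x509 -text` output for the live certificate, and reports which requested names the certificate does not carry. PrimaryDomain/SecondaryDomain and the two-name certificate dump are constructed placeholders matching the post, and the cert path is only an assumption about a standard certbot layout.

```python
"""Added diagnostic: which names asked for with certbot -d are absent from the
issued certificate's subjectAltName list.  Not part of certbot itself."""
import re
import subprocess
from typing import List

# Constructed from the post: the full -d value (note the stray space after
# one comma, which the parser tolerates) and an openssl dump of a certificate
# that carries only two of the ten requested names.
REQUESTED_D_ARG = (
    "PrimaryDomain,www.PrimaryDomain,mail.PrimaryDomain,webmail.PrimaryDomain,"
    "webmail2.PrimaryDomain,SecondaryDomain,www.SecondaryDomain,"
    "mail.SecondaryDomain, webmail.SecondaryDomain,webmail2.SecondaryDomain"
)
SAMPLE_OPENSSL_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:PrimaryDomain, DNS:www.PrimaryDomain
"""


def parse_d_arg(d_arg: str) -> List[str]:
    """Split a certbot -d value on commas; trim whitespace, lower-case,
    drop a trailing dot and duplicates, keep the original order."""
    names: List[str] = []
    for raw in d_arg.split(","):
        name = raw.strip().lower().rstrip(".")
        if name and name not in names:
            names.append(name)
    return names


def parse_san_dns(openssl_text: str) -> List[str]:
    """Pull every DNS: entry out of `openssl x509 -noout -text` output."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def missing_names(d_arg: str, openssl_text: str) -> List[str]:
    """Requested names that the certificate does not list, in -d order."""
    present = set(parse_san_dns(openssl_text))
    return [n for n in parse_d_arg(d_arg) if n not in present]


def missing_from_cert_file(d_arg: str, cert_path: str) -> List[str]:
    """Same check against a real PEM file, e.g. (assumed layout)
    /etc/letsencrypt/live/<lineage>/cert.pem."""
    out = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-text"],
                         check=True, capture_output=True, text=True).stdout
    return missing_names(d_arg, out)


if __name__ == "__main__":
    for name in missing_names(REQUESTED_D_ARG, SAMPLE_OPENSSL_TEXT):
        print("missing from certificate:", name)
```

Point `missing_from_cert_file` at the lineage's cert.pem to see the real gap before re-running anything; note that `certbot install` only deploys an already-issued certificate, while `certbot certificates` lists the names each lineage actually covers.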