Missing subdomains from certbot created certificate

Hi LetsEncrypters,

I'm no longer a neophyte with certbot, having some 50-ish domains for which LetsEncrypt has provided certificates. BUT, that doesn't mean I know all that much about it, only that I've managed to get certbot to do what I need it to do. ...Until now.

Background

A non-profit organization which my systems host (for free - hey, they're a charity!) originally chose two versions of one domain name - in case people were confused in how to spell it. No problem so far, but this of course counts as two domain names.

For each, from inception they've both had two subdomains for each domain in their one certificate, one for "mail" and one for that annoying www prefix (how the heck do we get people to STOP asking for this archaic noise?! in 1995 it may have been useful for SOME. Today?!) making six entries in the cert, including the domain's entry and mail and www subdomains for each of the two domains. For convenience, let's call these PrimaryName and SecondaryName, for the two spellings, respectively.

NOTE: The mail subdomain is important to have in the cert because it's used by the mail server!

Then, they found out their organization's name was misleading people and decided to rename it, but keep the old for those past supporters to find them still. No problem, we just added a whole new set, making NINE entries in the certificate so far. STILL there's no problem. I just kept making new certs with the -d flag.

Then, they decided that people were having trouble using email clients and wanted to use webmail, like, say gmail or hotmail or some such. So, OK, but we realized that for practical reasons, we needed to put the webmail on another pair of servers (nevermind why!) so the DNS needed to be lied to for whenever cert renewal happens. ...SURE, just more entries on the -d command! I at least THOUGHT this went well.

Note that this now means that for each domain the cert contains the domain name by itself, and with the www, mail, webmail, and webmail2 subdomains, making ten entries in the cert.

Problems Begin

I'm not 100% sure, but I think this was all working fine until the next renewal when I forgot to switch the DNS back to the one server for cert renewal. OOPS!

OR, maybe instead it was when they also decided to drop a domain entirely - why should a poor charity spend money on a domain name renewal when the logs show nobody's really using the alternative spelling?

This is when things broke, I think, but I never noticed until a new person complained that they couldn't get to the site at all. ...I found that their web browser didn't even bother to tell them there was an expired cert (a HEINOUS practice if ever there was one!), and so I investigated and found the expired cert, of course.

The question was why hadn't the cron - based auto-renewal worked? I presumed it was because of the DNS entries I had forgotten to move over to the one location that the cert renewals are done on. But it was more complicated than that...

In short, I switched the former Primary domain with the new Primary domain, and this included getting rid of both the former entries in the live and renewal directories. I created the new cert including all 10 entries using our Fedora Server 30 based (yeah, not quite current) system's certbot-1.3.0-1.fc30.noarch (and matching python3 packages).

However, this "working cert" only supports the still extant Primary Domain and one subdomain, www!

That it doesn't support the older domain at all AND doesn't have the mail and webmail subdomains MATTERS A LOT!

This is crazy because it should be supporting TEN entries, five for each, and I have ZERO idea why or how, or anything!

I'm a little hesitant to post the actual commands because this is for a non-profit that doesn't deserve bad entries out there in the world. However, here's the form of the command:

    certbot install -d PrimaryDomain,www.PrimaryDomain,mail.PrimaryDomain,webmail.PrimaryDomain,webmail2.PrimaryDomain,SecondaryDomain,www.SecondaryDomain,mail.SecondaryDomain,webmail.SecondaryDomain,webmail2.SecondaryDomain

Presently, the cert ONLY contains PrimaryDomain and www.PrimaryDomain. That means it's missing EIGHT entries! How could it even have created a cert with ONLY these two entries in it?!

OK, I'm LOST!

Hopefully I've just forgotten something about how to get certbot to do this correctly, but if so, it's sure not obvious what that is?!

1 Like

Certbot shouldn't drop any domains on its own.

I would start by checking a couple of things:

  1. Do you perhaps have multiple certificates configured, with different domain lists? Check:

    certbot certificates
    
  2. Look up your domain on https://crt.sh and try identify what happened. From the history, you should see when the 8 other domains stop being included.

4 Likes

Too late! LOL

Bad practice; Don't ever manually alter files, or folders, within certbot control - nothing good can come from this.

What does the certbot cron look like?

Easily the least documented certbot parameter:
[image]
TBH, I don't really know what all it can do, nor have I ever even used it.
I don't know how you came across it nor do I understand what you expect(ed) it to do for you.
But it might explain why you are not getting what you want out of it...

3 Likes

When I gave the command to create the cert, I stated the two domains and all their four subdomains, making TEN entries in the cert, as noted in the question above. BUT, the cert created only includes the first domain and one of its subdomains.

I'd call that "dropping" but in the sense that the command didn't do what I expected. I'm not saying it deleted them from an extant cert.

Yes, lots of them, but I don't see how that helps. They're unrelated domains. I have some 60+ domains under my care and a substantial fraction of them - I didn't count - have certificates that LetsEncrypt has provided. (THANKS EVERY BODY HELPING LetsEncrypt!)

If you're asking if there are already other certs for these two domains, the answer is no.

I know when. That's not at issue. The question is; how do I get back the cert I need?!

Obviously I need to create a new cert! If the syntax I used is wrong, what's the right way?

1 Like

OK... So then, please; what is the correct method to use certbot to switch the primary domain used to identify the cert AND prevent it from reporting on the FORMER primary domain name forever after in the future?

By the way, I didn't DELETE the files, I MOVED them. I can put them back. I just couldn't figure out how else to get certbot to shut up about a primary domain that shouldn't be a primary domain but be called something else. Notably, I tried the DELETE option and it didn't work. AND, I didn't find any option to use to do this with certbot, so I did the obvious thing.

It's not at all clear it was a bad thing to have moved the files, aside from your having said so.

$ certbot renew

What else should it be?

Odd. I found it when I tried to find a man page for certbot and not finding one, I tried the -h flag, and that's how I found it.

What I expected of it should be plainly clear from the question, namely I expected it to create a new, single certificate named for the first entry, what I'm calling the Primary Domain, and including a secondary domain and both of these domains' four subdomains.

How ELSE is someone supposed to create a new certificate with TEN entries - two related domains and their four subdomains? I didn't see any other way. And, at least for other domains, this seems to have worked just fine?!

But then, MAYBE I used multiple -d flags instead of one with entries separated by commas - I don't quite remember and it was some time ago that I created most of them ... most recently last summer probably.

1 Like

The reason I ask is that sometimes you can accidentally end up with partially duplicative certificates, like:

  1. example.com, www.example.com
  2. example.com, www.example.com, mail.example.com

as different certificates. This can be the case sometimes if you keep tacking on extra domains with -d.

I want to make sure that this isn't your situation. If it was, the thing to do would be to delete the redundant certificates and make sure Certbot is only installing the one with the correct set of domains.

So let's say in certbot certificates, you see the certificate which has 2 domains, but should have 10.

It sounds to me like you'd want to replace this certificate with a new one, with all 10 domains.

What you can do is specify the certificate name of the existing certificate, plus the full list of domains you want, which will replace the certificate, while keeping the same certificate name (and file paths etc). If the certificate name was PrimaryDomain:

    certbot --apache --cert-name PrimaryDomain -d PrimaryDomain,www.PrimaryDomain,mail.PrimaryDomain,webmail.PrimaryDomain,webmail2.PrimaryDomain,SecondaryDomain,www.SecondaryDomain,mail.SecondaryDomain,webmail.SecondaryDomain,webmail2.SecondaryDomain

(I took a guess with --apache, use whatever authenticator/installer plugin is relevant for you).
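The two checks suggested in this thread (look for partially duplicative lineages in `certbot certificates`, then replace the short lineage with one carrying the full domain list under the same `--cert-name`) can be scripted. The following is an added example, not code from certbot or from anyone in this thread. It parses the `Certificate Name:` / `Domains:` lines that `certbot certificates` prints, flags lineages whose domain set is contained in another lineage's, lists which expected names a lineage is missing, and builds the replacement command as an argv list so that no stray space can split the comma-separated `-d` value. The sample output is constructed to resemble certbot's layout (including the `-0001` suffix certbot appends when a new lineage overlaps an existing one) and is not real output; `PrimaryDomain`/`SecondaryDomain` are the placeholders used in the thread.

```python
"""Check certbot lineages for missing or redundant domain coverage."""
import re
from typing import Dict, Iterable, List, Sequence, Set

# Constructed sample modelled on the layout of `certbot certificates`;
# not captured from a real system.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: PrimaryDomain
    Domains: PrimaryDomain www.PrimaryDomain
    Expiry Date: 2020-09-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/PrimaryDomain/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/PrimaryDomain/privkey.pem
  Certificate Name: PrimaryDomain-0001
    Domains: PrimaryDomain www.PrimaryDomain mail.PrimaryDomain
    Expiry Date: 2020-03-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/PrimaryDomain-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/PrimaryDomain-0001/privkey.pem
"""

DEFAULT_SUBDOMAINS = ("www", "mail", "webmail", "webmail2")


def parse_certificates(text: str) -> Dict[str, Set[str]]:
    """Map each lineage name to the set of names on its certificate."""
    lineages: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        name_match = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if name_match:
            current = name_match.group(1)
            lineages[current] = set()
            continue
        domains_match = re.match(r"\s*Domains:\s*(.+)", line)
        if domains_match and current is not None:
            # certbot prints the names space-separated on one line
            lineages[current] = set(domains_match.group(1).split())
    return lineages


def expected_names(base_domains: Sequence[str],
                   subdomains: Iterable[str] = DEFAULT_SUBDOMAINS) -> List[str]:
    """Base domain followed by its subdomains, in -d order (first name
    becomes the lineage name, so the primary domain must come first)."""
    names: List[str] = []
    for base in base_domains:
        names.append(base)
        names.extend(f"{sub}.{base}" for sub in subdomains)
    return names


def missing_names(lineages: Dict[str, Set[str]], cert_name: str,
                  expected: Sequence[str]) -> List[str]:
    """Expected names absent from the given lineage, in expected order."""
    present = lineages.get(cert_name, set())
    return [name for name in expected if name not in present]


def redundant_lineages(lineages: Dict[str, Set[str]]) -> List[str]:
    """Lineages whose names are all covered by some other lineage: the
    'partially duplicative' situation that tacking on -d flags produces."""
    redundant = []
    for name, names in lineages.items():
        for other, other_names in lineages.items():
            if other != name and names <= other_names:
                redundant.append(name)
                break
    return sorted(redundant)


def replace_command(cert_name: str, expected: Sequence[str],
                    plugin: str = "--apache") -> List[str]:
    """argv for replacing a lineage in place with the full name list.
    Joining with ',' and no spaces keeps -d a single argument."""
    return ["certbot", plugin, "--cert-name", cert_name,
            "-d", ",".join(expected)]


if __name__ == "__main__":
    found = parse_certificates(SAMPLE_OUTPUT)
    wanted = expected_names(["PrimaryDomain", "SecondaryDomain"])
    print("redundant lineages:", redundant_lineages(found))
    print("missing from PrimaryDomain:",
          missing_names(found, "PrimaryDomain", wanted))
    print(" ".join(replace_command("PrimaryDomain", wanted)))
```

Run it against the real output with `certbot certificates | python3 check_lineages.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; the redundant-lineage list tells you which `certbot delete --cert-name` candidates exist, and the missing list should be empty once the replacement command has been run.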

4 Likes

Yes, that's it. The key difference here is that you didn't provide a verb! I tried it, it worked, so problem solved.

But that doesn't mean there's not more to learn here:

When you either give certbot a -h OR a garbage word as the first parameter, you get an output that CLEARLY denotes the command syntax:

    certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

As ALL of that is optional, if you issue the certbot command with no arguments it wants to "activate HTTPS for" one of your existing certs and prompts you to pick one. (By the way, that counts all of them and from that I've learned I have 67 domains or subdomains to choose from!)

Since I didn't want that, CLEARLY, then, they're directing you to give it a verb - here called "SUBCOMMAND."

I'll call this a Documentation Bug! Frustrating!

How about adding to the entry for "install" saying that MAYBE you want this other syntax?! One with all options and domains and NO verb?!

...Do I make an entry to this effect on another list? I think there's one about functionality requests, but is there one for bugs?

1 Like

Running certbot without a verb defaults to the run verb. There is a minor mention of this in the documentation here:

To obtain a certificate and also install it, use the certbot run command (or certbot, which is the same).

The certbot --help output begins with:

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near

I can appreciate that it's a bit confusing. As a Certbot user, it took a long time for me to even realize that's what was happening.

2 Likes
