Hello. I have two domains NETEAST.ORG and CAPITALSKYEYE.COM. NETEAST also has .COM and .NET. CAPITALSKYEYE also has .NET and .ORG so I have all six domains.
Your cert from Sep 27 for capitalskyeye only has your apex domain name in it. Your earlier certs for that domain (in 2024) had it and the www subdomain.
You will need to re-issue that cert to include the www name. Same issue applies to the .net and .org names for capitalskyeye. You have individual certs for each of those.
That cert is not related to the one for neteast in your example command. Not sure why you showed that.
Expanding the cert is pretty much the same as re-issuing. You cannot actually change the prior cert. "Expand" is a Certbot option so that you do not create a new certificate config on your local system. And, that's a good idea. But, if you issue the original command over, just with additional domain names, Certbot will prompt you to do that.
I see you are switching from --standalone to a manual DNS challenge. That isn't normally a good idea. What is the reason for that?
In fact, --standalone isn't usually a good choice if you have a working web server. And, you have Apache so either --webroot or --apache options are better than --standalone and certainly better than a manual DNS challenge.
That prompted me to expand the certificate, but the www domain still does not show up. I need to fix this for the .com domain and I will do that when I successfully do it for .org and .net which I am not using.
Edit: Ok. I think I see what I did wrong on September 30. The domain names for .com are backwards from .net and .org. Only .com now doesn't show as secure with https so I think I can fix that tomorrow morning with a reissue.
capitalskyeye.com and www use a cert with both names now. Was issued yesterday. Just noting since you said you weren't going to try until tomorrow.
The sequence of the names shouldn't matter. Although, Certbot may have created a new directory and config for each set rather than expanding an earlier one. As long as your Apache refers to the correct one, and it seems to be, you are fine.
You can check your Certbot configs with the command: certbot certificates
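Added example, not code from the thread or from Certbot: a small POSIX shell script that reads the subjectAltName list out of a PEM certificate and reports which expected names are absent, which is exactly the "only the apex name" condition described above. It assumes only an openssl command-line tool on the PATH (Apache builds for Windows usually ship an openssl.exe; that is an assumption about the poster's install).

```shell
#!/bin/sh
# Added example, not the poster's setup: list the DNS names a PEM certificate
# really covers (its subjectAltName entries) and check each name Apache serves
# against them. Needs only the openssl command-line tool.
set -eu

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed if the cert covers name $2: an exact SAN entry, or a wildcard entry
# for its parent label (*.example.org covers www.example.org, not example.org).
cert_covers_name() {
    names=$(cert_san_names "$1")
    want=$2
    parent=${want#*.}
    if printf '%s\n' "$names" | grep -qxF "$want"; then
        return 0
    fi
    if [ "$parent" != "$want" ] &&
        printf '%s\n' "$names" | grep -qxF "*.$parent"; then
        return 0
    fi
    return 1
}

# Print every name from the argument list that the cert does not cover;
# exit status 1 if any were missing, which is the "www not in cert" case.
missing_names() {
    cert=$1
    shift
    rc=0
    for n in "$@"; do
        cert_covers_name "$cert" "$n" || { echo "$n"; rc=1; }
    done
    return $rc
}

# Constructed self-signed cert for demonstration (placeholder names from the
# thread, NOT a real Let's Encrypt cert); $1 = output path, $2 = comma-separated names.
make_demo_cert() {
    sans=$(printf '%s' "$2" | sed 's/[^,][^,]*/DNS:&/g')
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${2%%,*}" \
        -addext "subjectAltName=$sans" -keyout /dev/null -out "$1" 2>/dev/null
}

# Usage on a real cert: missing_names /path/to/fullchain.pem capitalskyeye.com www.capitalskyeye.com
```

Run it against the fullchain.pem that Certbot wrote before copying it to the NAS; any name it prints is one the browser will reject, whatever order the names were given on the command line.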
Right now it's not fine, except for the top level site. If you go to Brookside Gardens (.org domain) you will see that is secure. If you go to Brookside Gardens (.com domain) you can still get there, but it's not secure. I need all three domains to be secure. They were up until this last renewal.
I think I have all the files in the right places. The certificate renewal is done on a C: drive on Windows, but all the web server data, including the certificates, are on a NAS drive. In this configuration I have to do the renewals by hand every 75 days. Automatic renewals don't work on a NAS drive.
I copy the files from the C: drive to the NAS and restart the web server. This has worked for years.
If the order of the names doesn't matter then all three domains should produce the same result, and they don't.
The .com site is secure for me. Perhaps you are affected by your browser caching an older cert. Try refreshing your browser.
I do see that your Apache is not redirecting HTTP requests to HTTPS. Some browsers try HTTPS first so that doesn't matter. But, you'll want to check that as you should redirect. None of your domain names redirect HTTP.
A better way to test which cert is used is with a tool like this: SSL Checker
Notice the .com name in the URL and the "lock icon" I see from Firefox.
You should know that the EFF dropped support for Windows from Certbot in Feb of 2024. You should look at switching to an alternative. One of these might also allow updating the challenge tokens on a NAS so you can automate that. That alone might be worth the effort.
I know that support for Certbot was discontinued but it still works. I prefer to do it by hand anyway so I can verify it worked and hasn't knocked all of my websites down. It only takes about 10 minutes.
I tested the links on other machines and it works fine so I am going to leave it as it is. The Chrome browser on my main workstation will eventually catch up to the rest of the world. As long as all the sites under the main are working as they should, it's fine.
I don't have an alternative to Windows. I don't know Linux as well and I don't really want to learn Apache on Linux. I will look into my Apache config and see why https redirect is not the default.
Yes, that's a fine tool if a bit long to just check a cert. But both capitalskyeye.com and its www get an A score there. So, not sure the problem you see. Sounds like just a browser quirk. Just restart it and that might be enough. Or, try a private tab.
That's fine. The 3 ACME alternatives I suggested (and the EFF mentioned in their post) were all designed for Windows.
Certbot wasn't ever the best ACME client for Windows anyway for various reasons.