Multi domain certificates and renewals


#1

Consider I call the LE client to issue a certificate for example1.com at time T1 which expires at time T90.
Now let's say at time T20 I issue the same command but this time with another domain included, as in example2.com.

Will example2.com also expire at T90, that is, inherit the expiration date of T1, or will example2.com expire at T20 + 90?

Thanks.


#2

When you ask for the second certificate, this is independent of the first. So the second certificate will expire T90 after it was created (i.e. T90+T20 from now).

The only real link with the first certificate is that if you included the same domain on both certs (with an additional example2.com domain … or one was a subdomain of the other), then it would have an impact on rate limits. Not on expiry times though.


#3

Interesting. This will mean the LE client can renew certificate 1 without renewing certificate 2 although both of them are in the same file. Typically most certificate issuers will cover all certificates in the cert file with one expiry date.


#4

Maybe I misunderstood your question.

Are you asking when the certificates will expire (in terms of their validity), which is what I understood by your question, or are you asking what the LE client will do about auto-renewing (a different question from what I understood)?


#5

Actually, digging further into the issue, it appears multi-domain certificates simply have a primary name and subject alternative names (SAN), which will mean for my question above, both certificates will expire at T90.


#6

Hello @accessviolation,

No, both certificates won’t expire at T90 ;).

If you issue a certificate for example1.tld at T1 and at T20 you issue a certificate for example1.tld and example2.tld you’ll have 2 certificates, the previous one for example1.tld expiring on T90 and another one for example1.tld and example2.tld expiring on T20 + 90.

Keep in mind that the first cert is located in /etc/letsencrypt/live/example1.tld/, but if you issue a new cert containing the same domain example1.tld plus a second domain example2.tld and you use the option --renew-by-default or the option --expand, this new cert will be the default.

I mean, when you create the first cert you will have these files in /etc/letsencrypt/live/example1.tld/

# ls -l /etc/letsencrypt/live/example1.tld/
total 0
lrwxrwxrwx 1 root root 41 ene 11 18:28 cert.pem -> ../../archive/example1.tld/cert1.pem
lrwxrwxrwx 1 root root 42 ene 11 18:28 chain.pem -> ../../archive/example1.tld/chain1.pem
lrwxrwxrwx 1 root root 46 ene 11 18:28 fullchain.pem -> ../../archive/example1.tld/fullchain1.pem
lrwxrwxrwx 1 root root 44 ene 11 18:28 privkey.pem -> ../../archive/example1.tld/privkey1.pem

Once you have created the second certificate you will see this:

# ls -l /etc/letsencrypt/live/example1.tld/
total 0
lrwxrwxrwx 1 root root 41 ene 11 18:28 cert.pem -> ../../archive/example1.tld/cert2.pem
lrwxrwxrwx 1 root root 42 ene 11 18:28 chain.pem -> ../../archive/example1.tld/chain2.pem
lrwxrwxrwx 1 root root 46 ene 11 18:28 fullchain.pem -> ../../archive/example1.tld/fullchain2.pem
lrwxrwxrwx 1 root root 44 ene 11 18:28 privkey.pem -> ../../archive/example1.tld/privkey2.pem

Pay attention because the file numbers have changed from 1 to 2. The first issued certificate will be in the archive with number 1 and the new one with number 2, but the new one will be the default in the live dir. So, you really have 2 different and valid certs, but the second one “replaced” the first one. I wrote “replaced” but in fact the first cert is still valid till T90.

Cheers,
sahsanu
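To make the live/archive layout described above concrete, here is an added shell example (not sahsanu's commands and not certbot's own code) that builds a constructed certbot-style tree, re-points the live symlink from cert1 to cert2 the way a re-issue does, and reports which archive version is live plus the expiry of every archived certificate. The directory root, domain names and 90-day lifetimes are constructed for the demo; openssl is assumed to be installed (without it, expiry prints as n/a).

```shell
# Which archive version does live/ point at, and when does each archived cert expire?
# The tree and the certificates below are constructed for this demo.
set -eu

live_version() {               # prints "2" for cert.pem -> ../../archive/<name>/cert2.pem
  readlink "$1/cert.pem" | sed -n 's/.*cert\([0-9][0-9]*\)\.pem$/\1/p'
}

cert_enddate() {               # notAfter of one PEM file, or "n/a" if openssl is missing
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
  else
    echo "n/a (openssl not installed)"
  fi
}

report() {                     # $1 = <root>/live/<name>
  archive="$1/../../archive/$(basename "$1")"
  echo "live/$(basename "$1") -> archive version $(live_version "$1")"
  for c in "$archive"/cert[0-9]*.pem; do
    echo "$(basename "$c") expires: $(cert_enddate "$c")"
  done
}

make_demo() {                  # build a constructed certbot-like tree under $1
  root="$1"; name=example1.tld
  mkdir -p "$root/archive/$name" "$root/live/$name"
  n=1
  # first cert: example1.tld only; second cert (issued later): example1.tld + example2.tld
  for sans in "DNS:$name" "DNS:$name,DNS:example2.tld"; do
    if command -v openssl >/dev/null 2>&1; then
      openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$name" \
        -addext "subjectAltName=$sans" \
        -keyout "$root/archive/$name/privkey$n.pem" \
        -out "$root/archive/$name/cert$n.pem" >/dev/null 2>&1 \
        || : > "$root/archive/$name/cert$n.pem"   # old openssl without -addext
    else
      : > "$root/archive/$name/cert$n.pem"        # placeholder, no expiry available
    fi
    # each issue re-points the live symlink at the newest archive version;
    # cert1.pem stays in archive/ and remains valid until its own notAfter
    ln -sf "../../archive/$name/cert$n.pem" "$root/live/$name/cert.pem"
    n=$((n + 1))
  done
}

demo_root=$(mktemp -d)
make_demo "$demo_root"
report "$demo_root/live/example1.tld"
```

Run it against a real /etc/letsencrypt by calling report /etc/letsencrypt/live/<name> as root; the two archived expiry dates are what answer the T90 versus T20 + 90 question.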


#7

Nice! Exactly the info I was looking for.