Mostly this is a request for advice.
My domains are at least:
corliss.rcousins.com
danacummin.com
deskhenge.com
gracecousins.com
grace.rcousins.com
hewittfarm.com
mail.rcousins.com
rcousins.com
smithie.com
www.danacummin.com
www.deskhenge.com
www.gracecousins.com
www.hewittfarm.com
www.rcousins.com
www.smithie.com
www.wychwoodfarms.com
wychwoodfarms.com
And probably more to come.
I ran this command:
certbot certificates
It produced this output:
Found the following certs:
Certificate Name: danacummin.com
Serial Number: 4dfe9adbdc5e60cf92b3ed62851df6c7d78
Key Type: RSA
Domains: www.danacummin.com danacummin.com
Expiry Date: 2021-05-07 18:55:16+00:00 (VALID: 43 days)
Certificate Path: /usr/local/etc/letsencrypt/live/danacummin.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/danacummin.com/privkey.pem
Certificate Name: deskhenge.com
Serial Number: 44394e726caa846fb7a988eaaa0d5d9803f
Key Type: RSA
Domains: deskhenge.com www.deskhenge.com
Expiry Date: 2021-05-07 19:10:20+00:00 (VALID: 43 days)
Certificate Path: /usr/local/etc/letsencrypt/live/deskhenge.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/deskhenge.com/privkey.pem
Certificate Name: grace.rcousins.com
Serial Number: 45c5c18d6dd6a67030a6833448dc9f142d6
Key Type: RSA
Domains: danacummin.com corliss.rcousins.com deskhenge.com grace.rcousins.com gracecousins.com hewittfarm.com mail.rcousins.com rcousins.com smithie.com www.danacummin.com www.deskhenge.com www.gracecousins.com www.hewittfarm.com www.rcousins.com www.smithie.com www.wychwoodfarms.com wychwoodfarms.com
Expiry Date: 2021-05-19 19:02:39+00:00 (VALID: 55 days)
Certificate Path: /usr/local/etc/letsencrypt/live/grace.rcousins.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/grace.rcousins.com/privkey.pem
Certificate Name: gracecousins.com
Serial Number: 40dd29b7bbade0cb0107a417e9a75555bcb
Key Type: RSA
Domains: gracecousins.com www.gracecousins.com
Expiry Date: 2021-05-19 19:15:05+00:00 (VALID: 55 days)
Certificate Path: /usr/local/etc/letsencrypt/live/gracecousins.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/gracecousins.com/privkey.pem
Certificate Name: rcousins.com
Serial Number: 4b6da10c72e60a5ac123b18288b97b014d7
Key Type: RSA
Domains: rcousins.com www.rcousins.com
Expiry Date: 2021-05-05 17:25:40+00:00 (VALID: 40 days)
Certificate Path: /usr/local/etc/letsencrypt/live/rcousins.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/rcousins.com/privkey.pem
Certificate Name: www.danacummin.com
Serial Number: 487fb171a2ccbe59ced3da6fc950ce3537c
Key Type: RSA
Domains: www.danacummin.com
Expiry Date: 2021-05-10 18:40:49+00:00 (VALID: 46 days)
Certificate Path: /usr/local/etc/letsencrypt/live/www.danacummin.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/www.danacummin.com/privkey.pem
My web server is (include version):
Server version: Apache/2.4.46 (FreeBSD)
Server built: unknown
The operating system my web server runs on is (include version):
FreeBSD corliss 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC amd64
My hosting provider, if applicable, is:
Stubborn.
I can login to a root shell on my machine (yes or no, or I don't know):
Yes.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1
My friend is sort of being a web host for several of his friends, and is in the process of moving their websites from an antique virtual machine to something currently supported.
He wants ONE certificate with all of the relevant domains in it (note that there may be more to move over, I forgot to ask). However that's not what he got.
It's been a while since I've played in this end of the pool, and I would like advice and help in cleaning this up.
What I think I should do to go forward is:
- Create a new certificate with a generic name that will contain all of the domains he wants to cover.
- Revoke, then delete all the old certificates
- Create a script for him that will allow him to "add domains" to the certificate (not sure the exact steps here, delete old certificate, then create new one with larger list?)
Does this seem like the right way to clean this up?
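
Added example, not part of the original post: a small inventory check that parses `certbot certificates` output, reports which certificate lineages are already fully covered by the one to keep, and builds the `certbot certonly --cert-name ... -d ...` command for adding domains. The helper names and `example.org` are hypothetical, the sample text is constructed from the output above, and the authenticator option is left for the operator to add.

```python
# Constructed sample: abbreviated from the `certbot certificates` output in the post.
SAMPLE = """\
Found the following certs:
  Certificate Name: danacummin.com
    Domains: www.danacummin.com danacummin.com
  Certificate Name: grace.rcousins.com
    Domains: danacummin.com deskhenge.com grace.rcousins.com www.danacummin.com www.deskhenge.com
  Certificate Name: deskhenge.com
    Domains: deskhenge.com www.deskhenge.com
  Certificate Name: www.danacummin.com
    Domains: www.danacummin.com
"""

def parse_lineages(text):
    """Map each certificate name to the set of domains it covers."""
    lineages, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Domains:") and name:
            lineages[name] = set(line.split(":", 1)[1].split())
    return lineages

def redundant(lineages, keep):
    """Names of lineages whose domains are all covered by the `keep` lineage."""
    covered = lineages[keep]
    return sorted(n for n, d in lineages.items() if n != keep and d <= covered)

def expand_command(lineages, keep, new_domains):
    """Build the certbot command that reissues `keep` with extra domains."""
    # With --cert-name, the -d list replaces the whole domain set, so the
    # existing names are repeated alongside the new ones.
    domains = sorted(lineages[keep] | set(new_domains))
    return ["certbot", "certonly", "--cert-name", keep, "-d", ",".join(domains)]

if __name__ == "__main__":
    certs = parse_lineages(SAMPLE)
    keep = "grace.rcousins.com"
    print("Covered by", keep + ":", ", ".join(redundant(certs, keep)))
    # example.org is a placeholder for a domain being added later.
    print(" ".join(expand_command(certs, keep, ["example.org"])))
```

On the real host, feed it the live output of `certbot certificates` instead of `SAMPLE` and review the generated command before running it.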