Nginx add new subdomain

Hi,
I have already installed Let’s encrypt on my web server (Ubuntu 16.04) running with Nginx for domains 🙂
1: example.com
2: dev.example.com
3: preprod.example.com
4: www.example.com

To update my SSL certificate, it’s done with a crontab:
0 0 * * MON,THU /usr/bin/certbot renew --quiet

I would like to add a fifth one which would be test.example.com. How to? I have seen that the option --expand should be used but with certbot-auto which is not installed on my server.
certbot-auto: command not found

Thanks,
Vincent.

Hi,

Please clarify your question.

Do you want to add a domain to your SAN or you want to create a completely new certificate and add to renewal?

Thank you

I want to add a domain to my SAN. I have all .pem files here:

/etc/letsencrypt/live/example.com

And want to keep them here.

Thanks,
Vincent.

Hi,
----------------Update -------------------------
@sahsanu’s answer is better than mine.

---------------end update--------------------
In this case, you will need to run
certbot-auto --expand -d example.com -d dev.example.com -d preprod.example.com -d www.example.com -d test.example.com

However, I’m not sure if certbot-auto can keep certs in the same place since the doc said it will create a new directory instead of updating in place.

Thank you.

For these cases it is better to use --cert-name instead of --expand. Following your example:

certbot-auto --cert-name example.com -d example.com -d dev.example.com -d preprod.example.com -d www.example.com -d test.example.com

1 Like

Ok, thank you.
What is the difference between certbot and certbot-auto because certbot-auto is not installed on my server? Do I have to install it?

root@myserver-01# locate certbot|grep bin
/usr/bin/certbot
/var/lib/apt/lists/ppa.launchpad.net_certbot_certbot_ubuntu_dists_xenial_main_binary-amd64_Packages

No, there is no need to install certbot-auto, use just certbot. Parameter --cert-name was introduced on certbot version 0.10.0 so you should not have issues to use it.

certbot-auto is used for Linux distributions that don't package certbot or whose packaged certbot is too old.

Unfortunately it failed:

certbot --cert-name example.com -d example.com -d dev.example.com -d preprod.example.com -d www.example.com -d test.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

-------------------------------------------------------------------------------
You are updating certificate example.com to include domains:
  example.com, dev.example.com, preprod.example.com, www.example.com, test.example.com

It previously included domains: example.com, dev.example.com,
preprod.example.com, www.example.com

Did you intend to make this change?
-------------------------------------------------------------------------------
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
tls-sni-01 challenge for dev.example.com
tls-sni-01 challenge for preprod.example.com
tls-sni-01 challenge for www.example.com

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

In the log file /var/log/letsencrypt/letsencrypt.log we have

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 692, in run
    domains, certname = _find_domains_or_certname(config, installer)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 292, in _find_domains_or_certname
    raise errors.Error("Please specify --domains, or --installer that "

Hi @defacta,

tls-sni-01 challenge has been disabled due to several security issues so you can’t use it. In certbot version 0.21.0 it has been corrected so the nginx plugin doesn’t try to use this challenge but uses http-01. In your case you could try to use webroot to validate the challenge and the nginx plugin just to install them.

certbot -a webroot -i nginx --cert-name example.com -d example.com -d dev.example.com -d preprod.example.com -d www.example.com -d test.example.com

2 Likes

@sahsanu
Ok done,

I have installed the official certbot package with apt-get install certbot. Now my version is 0.21.1. I had version 0.19.

I had to summarize my default config file of Nginx /etc/nginx/sites-available/default to:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name example.com www.example.com;
        root /var/www/example_prod;
}

server {
        listen 80;
        server_name dev.example.com;
        root /var/www/example_dev;
}

server {
        listen 80;
        server_name test.example.com;
        root /var/www/example_test;
}

Then I could perform certbot -a webroot -i nginx --cert-name example.com -d example.com -d dev.example.com -d www.example.com -d test.example.com

And it worked like a charm and put back my original Nginx default config file.

Thanks.

1 Like
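Pulling together sahsanu's --cert-name answer and the final webroot procedure, the script below is an added example written for this thread; it is not code from the thread, from certbot or from Let's Encrypt. It reads the output of `certbot certificates` (the sample here is constructed, not captured from the poster's server) to see which names the lineage `example.com` already covers, works out which names the new -d list would add and which it would silently drop (the prompt quoted above shows that the list given with --cert-name replaces the previous SAN set, not merges into it), checks that each webroot can receive an ACME token file, and then prints the certbot command line without running it. The webroot paths are the ones from the poster's nginx config; `list_difference`, `cert_domains`, `webroots_writable` and `build_certbot_cmd` are this example's own helper names.

```shell
#!/bin/sh
# Added example; not code from the thread or from the certbot project.
# Plan an in-place expansion of the lineage "example.com" (--cert-name) that
# validates with the webroot authenticator and installs with the nginx plugin,
# first checking which names the lineage already covers and which would be
# dropped, because the -d list given with --cert-name replaces the old SAN set.

# Names the certificate should cover afterwards (the final command in the thread).
WANTED="example.com dev.example.com www.example.com test.example.com"

# Constructed sample of `certbot certificates` output (assumed; not captured
# from the poster's server). In real use: certbot certificates | cert_domains NAME
SAMPLE_CERTIFICATES='Found the following certs:
  Certificate Name: example.com
    Domains: example.com dev.example.com preprod.example.com www.example.com
    Expiry Date: 2018-03-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem'

# cert_domains NAME: read `certbot certificates` output on stdin and print the
# space-separated names of the lineage called NAME (nothing if it is absent).
cert_domains() {
    awk -v name="$1" '
        /^ *Certificate Name:/ { current = $3 }
        /^ *Domains:/ && current == name { $1 = ""; sub(/^ +/, ""); print; exit }
    '
}

# list_difference LIST NAME...: print each NAME not present in the
# space-separated LIST, one per line.
list_difference() {
    have=" $1 "; shift
    for d in "$@"; do
        case "$have" in
            *" $d "*) ;;
            *) printf '%s\n' "$d" ;;
        esac
    done
}

# webroots_writable DIR...: certbot drops a token under
# DIR/.well-known/acme-challenge/ and the CA fetches it over port 80, so every
# webroot must accept that file. Returns 1 at the first directory that cannot.
webroots_writable() {
    for root in "$@"; do
        dir="$root/.well-known/acme-challenge"
        mkdir -p "$dir" 2>/dev/null || return 1
        token="$dir/.preflight-$$"
        : > "$token" 2>/dev/null || return 1
        rm -f "$token"
    done
    return 0
}

# build_certbot_cmd NAME WEBROOT:DOMAIN...: assemble the command line. A -w
# applies to the -d options that follow it, so each domain is paired with the
# root its nginx server block serves (roots taken from the thread's config).
build_certbot_cmd() {
    name=$1; shift
    cmd="certbot -a webroot -i nginx --cert-name $name"
    for pair in "$@"; do
        cmd="$cmd -w ${pair%%:*} -d ${pair#*:}"
    done
    printf '%s\n' "$cmd"
}

# Plan against the constructed sample; nothing here contacts the CA.
have=$(printf '%s\n' "$SAMPLE_CERTIFICATES" | cert_domains example.com)
echo "currently covered: $have"
echo "to be added:       $(list_difference "$have" $WANTED | tr '\n' ' ')"
echo "would be dropped:  $(list_difference "$WANTED" $have | tr '\n' ' ')"
echo "command:"
build_certbot_cmd example.com \
    /var/www/example_prod:example.com \
    /var/www/example_prod:www.example.com \
    /var/www/example_dev:dev.example.com \
    /var/www/example_test:test.example.com
```

With the sample data the plan reports that test.example.com will be added and preprod.example.com will be dropped, which is exactly what the thread's final command does; if that is not intended, the missing name has to be put back on the -d list. Before running the printed command against the live lineage, append --dry-run so that validation happens against the staging environment, and make sure port 80 reaches the nginx server block for every name, because that is the path the http-01 check takes.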
