Ah, that's damn-near ideal. When was that flag introduced? 0.5? I was expecting a "shrink" command or something (to complement the existing "expand"), but I guess renewal is really the only time it's important. You can expand the certificate with new domains whenever you want, and just let unwanted domains die once they are no longer reachable.
Yes, this was introduced in the 0.5.0 release last week. We will likely implement a
--shrink flag at some point (#2071), but the problem with flags like
--expand is it can be ambiguous which cert should be modified.
I'm assuming in your example, the renewed cert would contain only "other.example.org", it wouldn't still contain an expired "example.com"? (Stupid question I know, just making sure I properly understood you.)
Correct. The new certificate would not contain example.com. Also, not a stupid question at all. This stuff is confusing and complicated, hence Let's Encrypt and its clients trying to simplify the process.
Also, a hyperthetical error scenario. If I have domain1.org, domain2.org, and domain3.org all in one certificate, and only domain2.org is up for renewal, but Apache is down when the client tries to renew, what happens? Does the client create a new cert with only domains 1 and 3, or does the cert remain untouched? Does the cert remain untouched but the renewal conf has domain2 removed?
serverco correctly answered this question. There is no expiration on individual domains in a certificate. The expiration is on the certificate as a whole.
The one thing I will clarify is that some people may want to configure automatic renewal with the
--allow-subset-of-names flag. If you can no longer get a certificates for one of your domains, which is worse:
- Renewal fails because the client can't get a certificate for all requested domains. This means your certificate expires for all of your domains instead of the one you can no longer get a cert for. This makes a lot of noise and is more likely to get your attention so you can fix the problem, however, the problem affected more domains than it really had to.
- Renewal succeeds, but one of your names was dropped. This may have been the correct behavior if the domain is no longer hosted on that server. On the other hand, there may have been a temporary outage for the dropped domain. Depending on how often you automatically run
letsencrypt renew, the renewal would have failed during the temporary outage but succeeded later, potentially before expiration. Using the
--allow-subset-of-names flag would have caused problems you otherwise would have avoided.
The behavior you want depends on the individual/server configuration.
What happens if all three domains are up for renewal, but Apache is down?
If you ran the client with
--allow-subset-of-names and you couldn't complete the challenge for any requested domains, the client will exit with an error as if you didn't even provide the
--allow-subset-of-names flag. At least one domain must succeed for the new certificate to be created.