Renaming certificates and adding cnames avoiding apache


#1

When I first created my certificate (on gentoo apache), I asked it to create it for a number of cnames. Somehow, it decided to name the certificate path after the first cname, which I didn’t expect or want. Is there a way to force the right name short of starting over? The certificate with the wrong name is behavioralcore.einsteinmedneuroscience.org.

Second, I wanted to add a few more cnames. So I used just the expand option, but this time, it seemed to want to edit my apache configuration files even though I never made any reference to apache in the command line. In addition, it created a separate folder (named einsteinmedneuroscience.org) for the certificate separate from the one above (behavioralcore.einsteinmedneuroscience.org). One thing is that for these last two cnames, they are not in apache. They’re for FTP. Is there a way short of starting over to add them and avoid apache?


#2

Hi @mauricev,

The certificate management commands in Certbot are

certbot --cert-name — to specify the name of the certificate to act on (when adding or removing names), or the resulting certificate (when creating a new certificate that’s not related to an existing certificate)

certbot certificates — to view your existing Certbot-managed certificates

certbot delete — to delete a particular certificate (which doesn’t remove references to the deleted certificate in web server configurations, so it may make your web server configuration invalid if the certificate is still actively in use)

There’s currently no rename command.

A thing that sometimes confuses people is that you always need to specify all of the names that should be present in the newly-issued certificate (regardless of whether or not some or all of those names were present in an old certificate). For example, if you run

certbot -d foo.example.com -d bar.example.org

and then

certbot --expand -d example.com

it doesn’t add example.com to the old certificate, but rather creates a separate certificate. Only specifying a superset of the names in an existing certificate, or using --cert-name, will result in replacing the existing certificate.
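To make the rule in the reply above concrete, here is a small Python model of it, added here as an illustration; it is not Certbot's own code, and the lineage and domain names in it are constructed from the examples in the thread. It encodes only what the reply states: a request replaces an existing certificate when the requested names are a superset of that certificate's names or when --cert-name is given; otherwise a separate certificate is created and, as the original poster observed, its directory takes the name of the first -d domain.

```python
"""Model of the certificate-selection rule described in the reply above.

Added illustration, not Certbot's code. Lineage names stand for the
directories under /etc/letsencrypt/live/; domains are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class Lineage:
    name: str        # directory name, e.g. /etc/letsencrypt/live/<name>/
    domains: list    # names in the certificate, in the order they were given with -d


@dataclass
class Plan:
    action: str      # "reuse", "replace" or "create"
    lineage: str     # which lineage is acted on or created
    domains: list    # names the newly issued certificate will contain


def plan_issuance(existing, requested, cert_name=None):
    """Predict what `certbot [-‑cert-name NAME] -d ...` does, per the stated rule.

    A certificate always contains exactly the names requested on this run;
    names from an older certificate are never carried over implicitly.
    """
    requested = list(dict.fromkeys(requested))  # drop duplicates, keep -d order
    wanted = set(requested)

    if cert_name is not None:
        # --cert-name pins the lineage to act on, whatever names it currently has
        old = next((lin for lin in existing if lin.name == cert_name), None)
        if old is None:
            return Plan("create", cert_name, requested)
        action = "reuse" if set(old.domains) == wanted else "replace"
        return Plan(action, cert_name, requested)

    # Without --cert-name, a lineage is only replaced if the request covers
    # every name it already has (i.e. the request is a superset)
    covered = [lin for lin in existing if set(lin.domains) <= wanted]
    if covered:
        old = max(covered, key=lambda lin: len(lin.domains))
        action = "reuse" if set(old.domains) == wanted else "replace"
        return Plan(action, old.name, requested)

    # Otherwise a separate certificate is created, named after the first -d
    return Plan("create", requested[0], requested)


def describe(plan):
    """Human-readable summary of a Plan, in the spirit of `certbot certificates`."""
    return f"{plan.action} {plan.lineage}: {', '.join(plan.domains)}"


if __name__ == "__main__":
    # Constructed state: one lineage from `certbot -d foo.example.com -d bar.example.org`
    live = [Lineage("foo.example.com", ["foo.example.com", "bar.example.org"])]

    # `certbot --expand -d example.com`: not a superset, so a new lineage appears
    print(describe(plan_issuance(live, ["example.com"])))
    # Superset of the old names: the old lineage is replaced, nothing new is created
    print(describe(plan_issuance(live, ["foo.example.com", "bar.example.org", "example.com"])))
    # --cert-name: the named lineage is replaced with exactly the requested names
    print(describe(plan_issuance(live, ["example.com"], cert_name="foo.example.com")))
```

The model deliberately covers only lineage selection; it says nothing about which authenticator or installer plugin runs, which is the separate Apache question in the first post.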


#3

Thank you for your detailed answer.

If I may make a suggestion here, I’d make the --cert-name option a required parameter. This way, there’s never any doubt as to what the name of the certificate will be and which certificate will be acted upon. Second, the expand option should do what it says, expand the named certificate and not do a replacement. If the user wanted that, there could be a designated --replace option.


#4

What you’re asking isn’t possible. Certificates, once issued, are immutable: they can’t have domain names added or removed, they can’t be renamed, and they can’t be renewed. To the extent that certbot or other software act like they’re doing any of these, what they’re actually doing is creating a new cert with the desired configuration.

With that said, I think it would be more intuitive if certbot --cert-name foo.bar.baz --expand -d too.bar.baz simply added too.bar.baz to whatever other domains were already covered by the foo.bar.baz certificate.