Renew certificate for multiple domains, discarding one

Hello,

I have a single certificate for multiple domains generated with the usual -d first.domain -d second.domain -d third.domain etc.

Soon I will need to renew the certificate for all domains, except one, which by then will be canceled.

I tried to run the following command:
certbot certonly --csr ./renew-my.csr --manual --preferred-challenges dns -d first.domain -d second.domain --dry-run

Only, I noticed it also asks me to renew third.domain, which I would like to avoid.

Is it possible to do it? How?

The use of --csr makes the behaviour of certbot quite different in a lot of ways. I can only assume the used hostnames are taken from the CSR and it ignores the -d switches.

Why do you use --csr anyway? Did you use it initially too? And what was the reason for it? There isn't much use for it to be frank.

Hello Osiris,

thank you for replying.

I typically worked this way before starting to work with certbot.

The usual scenario was an MS Windows Server with IIS, which needed to renew a certificate. I would export the CSR from IIS and send it to a vendor, who in return would provide the renewed certificate.

Because I cannot install any package on the MS Windows Server, I am using certbot on a Linux box and exporting the certificate to the MS Windows Server.
Providing the CSR should serve to make sure the certificate would work only with that specific server, am I right?

Ah, Windows Server with IIS, totally not in my ballpark to be honest. No experience whatsoever.

Therefore, I don't know if the use of a CSR is actually mandatory in this specific situation. It might be possible to install a certificate with the private key too, without using a CSR. However, as your specific situation mandates a manual process anyway, using a CSR is also an option.

If the CSR was generated on that specific server and the corresponding private key is also only on that specific server, then yes. A CSR is technically only coupled to the private key it was generated with.

In any case, the certbot documentation only mentions "CSR" a few times:

--allow-subset-of-names
When performing domain validation, do not consider it
a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be
useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this
system. This option cannot be used with --csr.
(default: False)

(…)

--cert-path CERT_PATH
Path to where certificate is saved (with auth --csr),
installed from, or revoked. (default: None)

(…)

--csr CSR
Path to a Certificate Signing Request (CSR) in DER or
PEM format. Currently --csr only works with the
'certonly' subcommand. (default: None)

There's no mention of what other options are used or ignored, unfortunately. My assumption is that certbot just takes the hostnames from the CSR, probably including your third domain, and ignores the -d options.

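Since certbot --csr requests exactly the names embedded in the CSR, the practical check is to list those names before renewing. The script below is an added example, not code from the thread or from certbot: it builds a throwaway CSR with the three constructed names from the question (standing in for renew-my.csr) and extracts its subjectAltName DNS entries with openssl; the -addext flag needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: show which DNS names a CSR carries, because certbot --csr
# takes its hostnames from the CSR and ignores the -d switches.
set -e

# Print the DNS entries from the CSR's subjectAltName extension, one per line.
csr_names() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://'
}

# Return 0 if the CSR contains the given hostname, 1 otherwise.
csr_has_name() {
    csr_names "$1" | grep -qx "$2"
}

# Constructed demo CSR (key is throwaway): three names, like the original
# certificate in the question. Prints the path of the generated CSR.
make_demo_csr() {
    dir=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/demo.key" \
        -subj "/CN=first.domain" \
        -addext "subjectAltName=DNS:first.domain,DNS:second.domain,DNS:third.domain" \
        -out "$dir/demo.csr" 2>/dev/null
    printf '%s\n' "$dir/demo.csr"
}

# Stand-alone run: inspect the demo CSR, or a real one given as $1.
CSR=${1:-$(make_demo_csr)}
echo "Names requested by $CSR:"
csr_names "$CSR"
if csr_has_name "$CSR" third.domain; then
    echo "third.domain is still in the CSR: a new CSR without it is needed"
fi
```

Run it with the real CSR as the first argument (./renew-my.csr) to see whether third.domain is still listed; a CSR generated without that name is what certbot --csr would need.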
Yes, I guess so. I think I probably will have to retire this certificate, and then create a new one. Thank you for your help :)