[Resolved] Unable to expand an existing domain


#1

Hi,

I already succeeded in expanding an existing domain, see Webroot --expand : a user error or a doc error? . But this time: no way.

I have an SSL certificate for: blog.example.org, ostatus.example.org, example.org, www.example.org. Working.

I need to update ostatus to the latest gnusocial (because using an alpha in prod is always taking a risk :wink: ).

I ran this command:

/root/bin/certbot-auto certonly \
--expand \
--email denis@example.org --user-agent letsencrypt --webroot \
-w /home/example.org/htdocs/www/spip -d www.example.org \
-w /home/example.org/htdocs/blog -d blog.example.org \
-w /home/example.org/htdocs/ostatus -d ostatus.example.org \
-w /home/example.org/htdocs/www/spip -d example.org \
-w /home/example.org/htdocs/static -d static.example.org

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.org
http-01 challenge for blog.example.org
http-01 challenge for ostatus.example.org
http-01 challenge for example.org
Using the webroot path /home/example.org/htdocs/static for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0040_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0040_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.example.org/fullchain.pem. Your cert
   will expire on 2017-04-13. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This seems OK, but look again: no static.example.org in the list, and the keychain stays for the other domains only …

OS: Debian wheezy with security.debian.org
Web server: apache 2

In ssh.

If I try with dry-run:

# /root/bin/certbot-auto certonly --expand \
> --staging \
> --email denis@example.org --user-agent letsencrypt --webroot \
> -w /home/example.org/htdocs/www/spip -d www.example.org \
> -w /home/example.org/htdocs/blog -d blog.example.org \
> -w /home/example.org/htdocs/ostatus -d ostatus.example.org \
> -w /home/example.org/htdocs/www/spip -d example.org \
> -w /home/example.org/htdocs/static -d static.example.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: www.example.org, blog.example.org, ostatus.example.org, example.org). We will not do that unless you use the --break-my-certs flag!

Then I really didn’t understand … it seems it doesn’t find static.example.org in the list …

Thanks :slight_smile:

PS: trying different combinations, new domain at start, at end, etc …
An example:

# /root/bin/certbot-auto certonly \
> --expand --dry-run \
> --email denis@example.org --user-agent letsencrypt --webroot \
> -w /home/example.org/htdocs/static -d static.example.org \
> -d www.example.org \
> -d blog.example.org \
> -d ostatus.example.org \
> -d example.org 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.org
http-01 challenge for blog.example.org
http-01 challenge for ostatus.example.org
http-01 challenge for example.org
Using the webroot path /home/example.org/htdocs/static for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0046_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0046_csr-certbot.pem

IMPORTANT NOTES:
 - The dry run was successful.

#2

Think I got it … issue between chair and screen (me).

I didn’t add static to my DNS …

$ ping static.example.net
ping: static.example.net: Name or service not known

But: I think certbot throws an error, not here. And looking at the log: no DNS request to static.shnoulle.net found.

I’ll add it to DNS and come back tomorrow (I already tested 5 times :confused: ).

PS/Edit: after tracking the log: static is never tested …
Seems related to Expands not working on pre-existing cert requests, maybe.


#3

Fixed after https://github.com/certbot/certbot/pull/4053

# /root/bin/certbot-auto certonly \
> --expand \
> --email denis@example.org --user-agent letsencrypt --webroot \
> -w /home/example.org/htdocs/www/spip -d www.example.org \
> -w /home/example.org/htdocs/blog -d blog.example.org \
> -w /home/example.org/htdocs/ostatus -d ostatus.example.org \
> -w /home/example.org/htdocs/www/spip -d example.org \
> -w /home/example.org/htdocs/static -d static.example.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.org
http-01 challenge for blog.example.org
http-01 challenge for ostatus.example.org
http-01 challenge for example.org
http-01 challenge for static.example.org
Using the webroot path /home/example.org/htdocs/static for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0050_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0050_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.example.org/fullchain.pem. Your cert
   will expire on 2017-04-14. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Thank you :slight_smile:
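A small post-run check for the symptom in post #1 (the new name never appears under "Performing the following challenges:"), written as an added example for this thread, not code from certbot or from the poster. It parses the -w/-d pairs the way certbot's webroot plugin maps them and reports any requested domain that received no challenge; the command and output below are constructed from post #1 above.

```python
import re
import shlex

# Constructed from post #1 above: the expand command (email/user-agent omitted)
# and the challenge lines certbot printed for it.
CMD_POST1 = """/root/bin/certbot-auto certonly --expand --webroot \
-w /home/example.org/htdocs/www/spip -d www.example.org \
-w /home/example.org/htdocs/blog -d blog.example.org \
-w /home/example.org/htdocs/ostatus -d ostatus.example.org \
-w /home/example.org/htdocs/www/spip -d example.org \
-w /home/example.org/htdocs/static -d static.example.org"""
OUTPUT_POST1 = """Performing the following challenges:
http-01 challenge for www.example.org
http-01 challenge for blog.example.org
http-01 challenge for ostatus.example.org
http-01 challenge for example.org
Using the webroot path /home/example.org/htdocs/static for all unmatched domains.
"""
# One "<type>-01 challenge for <domain>" line per name certbot actually validates.
CHALLENGE_RE = re.compile(r"^(?:http|dns|tls-sni)-01 challenge for (\S+)$")


def webroot_map(cmd):
    """Map each -d domain to the -w path preceding it; names given before any -w are
    'unmatched' and get the last -w path, the rule certbot's webroot plugin applies."""
    tokens = shlex.split(cmd)
    current, unmatched, mapping = None, [], {}
    i = 0
    while i < len(tokens):
        if tokens[i] in ("-w", "--webroot-path"):
            current = tokens[i + 1]
            i += 2
        elif tokens[i] in ("-d", "--domain", "--domains"):
            for name in tokens[i + 1].split(","):  # certbot also accepts -d a,b
                if current is None:
                    unmatched.append(name)
                else:
                    mapping[name] = current
            i += 2
        else:
            i += 1
    for name in unmatched:
        mapping[name] = current
    return mapping


def silently_dropped(cmd, output):
    """Requested names certbot never challenged: the symptom of the bug in this thread."""
    challenged = {m.group(1) for m in map(CHALLENGE_RE.match, output.splitlines()) if m}
    return sorted(set(webroot_map(cmd)) - challenged)
```

Run it over the log certbot writes to /var/log/letsencrypt/letsencrypt.log (or the console output) after an --expand; a non-empty result means the issued certificate will not cover that name even though certbot reported success.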
