"Retired" domains in a cert invalidate the main name?

I was alerted a few days ago to a couple of sites that are showing invalid certificates. It appears that the cause was the owners have for whatever reason not renewed one of the domains in the cert. For example:

Certificate Name: something.com
    Domains: www.something.com www.something-else.com

where the domain something-else.com is not renewed (as in, the registrar has not been paid to renew its registration), this also makes www.something.com invalid.

Is that on purpose? For some reason I thought certbot would keep the certificate valid if that happened. People set up websites that have aliases on a different domain name, then decide to let it go once the alias isn't needed. There was some fair panic when the main one went down unexpectedly! :slight_smile:

You thought wrong. Validations might fail for random and transient reasons, and removing a name permanently just because of that is overkill with unforeseeable consequences.

If you want the behavior you described, add the --allow-subset-of-names option.


When renewing, Certbot tries to renew the certificate "as is". As in, it tries to validate every hostname in the certificate, and if one or more hostnames fail to validate, the certificate won't get issued. This is usually the desired result, as often a failure is just temporary and Certbot will try again when it gets run the next time. Note that Certbot cannot tell the difference between a temporary and a permanent failure of a hostname; this is important.

Certbot does, however, have the --allow-subset-of-names option, as mentioned in the user manual. But this is a "dangerous" option which should NOT be enabled by default for non-interactive Certbot runs, because if you have this enabled by default, any temporarily failed hostname would immediately get removed from the certificate, leading to all kinds of trouble.
Usually one would "pre-validate" all the working hostnames by trying to renew the certificate and expecting it to fail. Once the user is satisfied only the to-be-removed hostname failed and all the other hostnames succeeded, one can renew the cert again but this time with --allow-subset-of-names.

If one decides an alias isn't needed any longer, they should include the change of hostnames within the certificate in their thought process, and update the certificate accordingly, e.g. using --allow-subset-of-names.
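The pre-validation step described in the reply above, as an added example (not from this thread or from the Certbot project): given the hostnames a certificate covers and the names the operator intends to retire, it only emits a renewal with --allow-subset-of-names when exactly those names fail. DNS resolution is used here as a stand-in for ACME validation (an assumption: a lapsed, unregistered domain stops resolving), and the function names and the resolver injection are hypothetical conveniences for testing offline.

```python
"""Pre-check before renewing a Certbot certificate with --allow-subset-of-names.

Added example, not Certbot's own code. The hostnames are assumed to be known
(e.g. copied from `certbot certificates`). DNS resolution stands in for ACME
validation; a transient DNS failure also shows up here, which is exactly why
the result is compared against the names the operator *intends* to drop.
"""
import socket
from typing import Callable, Iterable, Set, Tuple


def dns_resolves(hostname: str) -> bool:
    """Return True if the hostname resolves to at least one address."""
    try:
        return bool(socket.getaddrinfo(hostname, 443))
    except socket.gaierror:
        return False


def names_failing(cert_names: Iterable[str],
                  resolver: Callable[[str], bool] = dns_resolves) -> Set[str]:
    """Hostnames in the certificate that currently fail the check."""
    return {name for name in cert_names if not resolver(name)}


def plan_subset_renewal(cert_name: str, cert_names: Iterable[str],
                        intended_to_drop: Set[str],
                        resolver: Callable[[str], bool] = dns_resolves
                        ) -> Tuple[bool, Set[str], str]:
    """Return (safe, failing, command).

    `safe` is True only when the failing names are exactly the ones planned
    for removal. Any extra failure (possibly transient) or a "retired" name
    that still works means the dangerous option must not be used; the
    certificate is then renewed "as is" and Certbot retries every name.
    """
    failing = names_failing(cert_names, resolver)
    safe = bool(failing) and failing == set(intended_to_drop)
    if safe:
        command = f"certbot renew --cert-name {cert_name} --allow-subset-of-names"
    else:
        command = f"certbot renew --cert-name {cert_name}"
    return safe, failing, command


if __name__ == "__main__":
    # Constructed sample mirroring the certificate from the question.
    names = ["www.something.com", "www.something-else.com"]
    safe, failing, cmd = plan_subset_renewal("something.com", names,
                                             {"www.something-else.com"})
    print("failing names:", sorted(failing))
    print("run:", cmd)
```

Run it with the live resolver first and only execute the printed command if it reports the dropped set you expected; anything else means renew as usual and investigate.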

Never too old to learn.

