Subdomain SSL - messes up apache2-le-ssl.conf file

Just looking to add some SSLs certs to subdomains on an existing domain that has a SSL (form certbot)

My domain is:
I ran this command: certbot certbot —expand -d,,
is this correct?

It produced this output: just seems to mess up the apache2-le-ssl.conf file and inside of a virtual host listing in this file it messes up the path of SSLCertificateFile and SSLCertificateKeyFile
eg I am hosting multiple website say and
in the virtual hosts section of it will list the path to SSLCertificateFile and SSLCertificateKeyFile as /etc/letsencrypt/live/ .
It seems to do this when I am adding new SSLs to new domain names via certbot with regular domains (not sub)

My web server is (include version): Server version: Apache/2.4.29 (Ubuntu)
Server built: 2021-11-14T23:52:18

The operating system my web server runs on is (include version):Ubuntu 18

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No way!

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.4.0

Big thanks for the free certs - bloody brilliant service from your guys!

1 Like

Welcome @SSLforever to the community

Yes, the --expand should allow adding a domain name to an existing cert. As for debugging the VirtualHosts, can you show result of this:

sudo apachectl -t -D DUMP_VHOSTS

That depends on how you intend on using those names.
If all names are going to be hosted within one vhost [using same document root], then it should be fine.
Anything else depends on your specific needs and actual uses.


I have a separate vhost listing for each alias in apache.conf - perhaps that is my issue?
As far as use, not sure what you mean - just want it to work

Perhaps I read a primer on apache.conf and vhosts / ssl setup.

1 Like

If you want to use only one cert, then using expand may do the trick.
All vhosts could use the same cert.

What do these show?:

certbot certificates


certbot certificates > it shows that certificate have other websites list in the domains secti. - obviously incorrect,

Certificate Name:

Failed redirect for

Unable to set the redirect enhancement for

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

With the -d am I not trying to update all my certs for all my sites? I host about 5 with certbot SSLs.

There is nothing obvious about any of this.
Especially when you continue to obfuscate the real domain names [with other real domain names]:

Please don't use real domain names that you do not control OR have nothing to do with this topic.
When you need to show "an example domain" use only EXAMPLE.COM, EXAMPLE.NET, and/or EXAMPLE.ORG.


Maybe I should have been more specific with:

If you are expecting any real help, then you would do well by showing the output [not talking about it].


Ok, take a deep breath and relax. I just don't want to paste my personal data here.

The output to those two commands looks ok.

Well, what looks OK to you might not to us. What you are describing is highly unusual. It almost certainly is that your expectations of what should happen is not correct. Even if you have run into some sort of bug you will need to provide more info than you have. It is just too general to try to do anything with.

This is a misunderstanding. There is no magic between apex domains and subdomains (well, not in this context anyway). They are all just names that Apache matches (via SNI and ports) to VirtualHosts (certbot does similar matching). And, they all look the same in a cert (in the SANs list).


I should add that based on your cert history it looks like you have two cert configs in Certbot for the same set of domain names. And, you have another cert with a much larger grouping of names. There is plenty that can go wrong with that.



Yes I did see that and that's probably the reason for the mess. Yesterday I tried to remove that cert but I still saw it in my /etc/letsencrypt/live directory.

Sorry total noob here when it comes to certs. They worked brilliantly for my standard domains and I was just tying to set up some subdomains for testing new WP installs. I think I understand how they woking better now and probably just a case of RTFM!

You can certainly try to sort it out yourself. But, if you want our help we'll need specifics as previously requested (DUMP_VHOSTS and certbot certificates)

Key topics for DIY are here:


If that was meant for me...

I live in Miami, I'm always relaxed :wink:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.