The correct way to merge two certificates with certbot?

I have 2 issued certificates:

/archive/example.com/cert1.pem
    example.com
    www.example.com
    admin.example.com
    stats.example.com
    cdn.example.com

/archive/foo.example.com/cert1.pem
    foo.example.com

I realized that foo.example.com was best consolidated onto the example.com cert.

I ran certbot with --expand and enumerated all the domains I wanted.

That successfully gave me a new cert as /archive/example.com/cert2.pem. Great.

I’m left with two concerns that I couldn’t find in the docs:

  1. Looking at the code, it seems to just try and auto-detect which certificate has the most similar domains and uses that as the destination. It’s not possible to specify a target destination – is it? (i.e. expand onto foo.example.com or some new name)

  2. It looks like the single cert for foo.example.com would still auto-renew and needs to be deleted from the system – correct?

Recent versions of certbot have the --cert-name option, corresponding to the directory in /live/ or /archive/ (also called a "lineage" by the developers).


jvanasco wrote (post 1):
    It's not possible to specify a target destination -- is it? (i.e. expand onto foo.example.com or some new name)

Historically not, but it is possible in recent enough Certbot versions with --cert-name.

That's correct. In recent enough Certbot versions there is a delete verb that you can use to do this (as opposed to simply deleting all references to it within /etc/letsencrypt).
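As an added example (not code from this thread or from Certbot itself), a script that parses the output of `certbot certificates` and flags lineages whose domains are already fully covered by another lineage, i.e. the ones that would keep auto-renewing unless removed with `certbot delete --cert-name`. The sample output below is constructed for the situation described above (foo.example.com folded into the expanded example.com lineage); run it against real output by piping `certbot certificates` into `parse_lineages`.

```python
import re
from typing import Dict, Set

# Constructed sample of `certbot certificates` output (not captured from a real system).
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com admin.example.com stats.example.com cdn.example.com foo.example.com
    Expiry Date: 2018-04-01 10:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: foo.example.com
    Domains: foo.example.com
    Expiry Date: 2018-03-20 10:00:00+00:00 (VALID: 77 days)
    Certificate Path: /etc/letsencrypt/live/foo.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/foo.example.com/privkey.pem
"""

def parse_lineages(text: str) -> Dict[str, Set[str]]:
    """Map each lineage name (what --cert-name refers to) to the domain set on its current cert."""
    lineages: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = set()
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current is not None:
            lineages[current].update(d.lower() for d in m.group(1).split())
    return lineages

def redundant_lineages(lineages: Dict[str, Set[str]]) -> Dict[str, str]:
    """Return {redundant_lineage: covering_lineage} for lineages whose domains are a
    subset of another lineage's. If two lineages have identical domain sets, only one
    of them is reported, so the pair is never flagged for deletion on both sides."""
    result: Dict[str, str] = {}
    for name in sorted(lineages):
        for other in sorted(lineages):
            if other != name and lineages[name] <= lineages[other] and other not in result:
                result[name] = other
                break
    return result

if __name__ == "__main__":
    for stale, covering in redundant_lineages(parse_lineages(SAMPLE_OUTPUT)).items():
        print(f"{stale} is covered by {covering}: review, then run certbot delete --cert-name {stale}")
```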


Thank you both! Glad to know I’m not doing things too wrong with Certbot.
