The correct way to merge two certificates with certbot?


#1

I have 2 issued certificates:

/archive/example.com/cert1.pem
    example.com
    www.example.com
    admin.example.com
    stats.example.com
    cdn.example.com

/archive/foo.example.com/cert1.pem
    foo.example.com

I realized that foo.example.com was best consolidated onto the example.com cert.

I ran certbot with --expand and enumerated all the domains I wanted.

That successfully gave me a new cert as /archive/example.com/cert2.pem. Great.

I’m left with two concerns that I couldn’t find in the docs:

  1. Looking at the code, it seems to just try and auto-detect which certificate has the most similar domains and uses that as the destination. It’s not possible to specify a target destination – is it? (i.e. expand onto foo.example.com or some new name)

  2. It looks like the single cert for foo.example.com would still auto-renew and needs to be deleted from the system – correct?


#2

Recent versions of certbot have the --cert-name option, corresponding to the directory in /live/ or /archive/ (also called a “lineage” by the developers).


#3

[quote=“jvanasco, post:1, topic:32325”]
It’s not possible to specify a target destination – is it? (i.e. expand onto foo.example.com or some new name)[/quote]

Historically not, but it is possible in recent enough Certbot versions with --cert-name.

That’s correct. In recent enough Certbot versions there is a delete verb that you can use to do this (as opposed to simply deleting all references to it within /etc/letsencrypt).
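The second concern above (the old foo.example.com lineage keeps auto-renewing until it is deleted) can be checked from the filesystem. The script below is an added example, not from this thread or from Certbot itself: it assumes the usual live/<name>/cert.pem layout and an openssl binary, and builds two self-signed lineages as constructed demo data that mirror the thread (foo.example.com already covered by the expanded example.com cert).

```shell
#!/bin/sh
# Hypothetical helper (not part of Certbot): list lineages under a certbot
# live/ directory whose names are all already covered by another lineage.
set -u

# Print the DNS SANs of lineage directory $1 (its cert.pem), one per line, sorted.
lineage_sans() {
  openssl x509 -in "$1/cert.pem" -noout -text 2>/dev/null |
    awk '/Subject Alternative Name/{getline; print}' |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | sort -u
}

# For every lineage in live dir $1, print its name if each of its SANs also
# appears on some other lineage there. Such a lineage still has a renewal
# config and keeps auto-renewing until `certbot delete --cert-name <name>`.
redundant_lineages() {
  live=$1; tmp=$(mktemp -d)
  for d in "$live"/*/; do
    d=${d%/}; [ -f "$d/cert.pem" ] && lineage_sans "$d" > "$tmp/${d##*/}"
  done
  for a in "$tmp"/*; do
    [ -f "$a" ] || continue
    for b in "$tmp"/*; do
      [ "$a" = "$b" ] && continue
      # comm -23 prints names in $a missing from $b; none left => subset
      if [ -z "$(comm -23 "$a" "$b")" ]; then
        echo "${a##*/}"; break
      fi
    done
  done
  rm -rf "$tmp"
}

# Constructed demo data: two self-signed lineages, as after --expand moved
# foo.example.com onto example.com's certificate. Prints the live dir path.
make_demo_live() {
  live=$(mktemp -d)
  mk() { mkdir -p "$live/$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
      -keyout "$live/$1/privkey.pem" -out "$live/$1/cert.pem" \
      -addext "subjectAltName=$2" 2>/dev/null; }
  mk example.com "DNS:example.com,DNS:www.example.com,DNS:foo.example.com"
  mk foo.example.com "DNS:foo.example.com"
  echo "$live"
}

demo=$(make_demo_live)
redundant_lineages "$demo"   # prints: foo.example.com
rm -rf "$demo"
```

Point it at /etc/letsencrypt/live to get the candidates for `certbot delete --cert-name`; two lineages with identical SAN sets are each reported as covered by the other, so read the output before deleting.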


#4

Thank you both! Glad to know I’m not doing things too wrong with Certbot.

