This Connection Not Private

I need to access my domain using multiple different names: i.dvss.org, m.dvss.org, and x.dvss.org. I recently needed to use m1.dvss.org, so I added it to my renewals file (listed below) and forced a renew. My original names still work, but the m1 I added receives a "This connection not private" error.

My domain is: https://i.dvss.org

I ran this command: certbot renew --force-renewal

It produced this output:

Congratulations, all renewals succeeded:

/etc/letsencrypt/live/i.dvss.org/fullchain.pem (success)
/etc/letsencrypt/live/www.reinertson.com/fullchain.pem (success)

My web server is (include version): Apache 2.4.51

The operating system my web server runs on is (include version):
Gentoo Linux 5.4.97

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0

contents of /etc/letsencrypt/renewal/i.dvss.org.conf:

renew_before_expiry = 30 days

version = 1.20.0
archive_dir = /etc/letsencrypt/archive/i.dvss.org
cert = /etc/letsencrypt/live/i.dvss.org/cert.pem
privkey = /etc/letsencrypt/live/i.dvss.org/privkey.pem
chain = /etc/letsencrypt/live/i.dvss.org/chain.pem
fullchain = /etc/letsencrypt/live/i.dvss.org/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = webroot
account = c4ff050123493ace71750be523a80c66
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
m.dvss.org = /vhosts/dvss.org/m
m1.dvss.org = /vhosts/dvss.org/m1
x.dvss.org = /vhosts/dvss.org/x
i.dvss.org = /vhosts/dvss.org/i

That's because you shouldn't edit the renewal configuration file to add additional hostnames to the certificate. Certbot takes the hostnames from the original certificate when renewing, not the renewal configuration file.

That said, certbot does not offer an easy way to add or remove hostnames from a certificate unfortunately. And it seems this isn't going to change soon, as the issue on Github to improve this hasn't seen any action for two years now and is labeled as "wishlist", which makes it the lowest priority...

Currently, the only way to add or remove hostnames from a certificate is to use --cert-name in combination with all the options you've used to create the certificate the previous time, but now with the modified hostnames (i.e.: add or remove a -d option).

4 Likes

Thanks for the quick reply. If I read you correctly I should use this:

certbot renew --force-renewal --cert-name -d i.dvss.org -d m.dvss.org -d m1.dvss.org -d x.dvss.org

Just out of curiosity, I was hoping I could generate a certificate for any subdomain of dvss.org with this command:

certbot renew --force-renewal --cert-name -d dvss,org

but that didn't work either.

Thanks again.

1 Like

The option --cert-name expects a value: the name of the certificate. Otherwise you might end up with a new cert next to your previous one.

You could also use a wildcard certificate, but that would require using the dns-01 challenge.

1 Like

I'm afraid I'm in over my head here. I entered:

certbot renew --dry-run --cert-name i.dvss.org -d i.dvss.org -d m.dvss.org -d m1.dvss.org -d x.dvss.org

and received this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

You can't do both.

Thanks to your help I was finally able to accomplish what I wanted. The following command worked for me:

certbot certonly --cert-name i.dvss.org -d i.dvss.org -d m.dvss.org -d m1.dvss.org -d x.dvss.org

As a follow-up question, is there any way I could create a certificate for dvss.org that would allow for any and all subdomains of dvss.org?

Thanks again for your help.

1 Like

That's called a "wildcard" certificate.
You would request it as:
certbot certonly --cert-name wildcard.dvss.org -d dvss.org -d *.dvss.org
[(pre)defining the cert-name is optional - certbot will make a unique one if not defined]
But wildcard certs require DNS-01 authentication - HTTP-01 authentication won't do.
[You can even process the DNS TXT records requests manually - if you just want to try it out once]
But the idea is to automate the entire certificate (renewal) process.
So you would have to use a DNS Service Provider (DSP) that supports zone updates via API.
And also an ACME client with a DNS plugin for that DSP.

1 Like
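An added check that is not part of the thread: after re-running certonly (or when deciding whether a wildcard would cover a name), list the DNS names in a certificate's subjectAltName and test whether a hostname is covered, applying the one-label wildcard rule from the last reply. It assumes OpenSSL 1.1.1 or newer for the -ext option; the hostnames in the usage line are the ones from this thread.

```shell
#!/bin/sh
# san_names CERT.pem: print the DNS names from the certificate's subjectAltName, one per line.
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
      | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# name_matches PATTERN HOST: succeed if PATTERN (exact name or *.example) covers HOST.
name_matches() {
    pattern=$1; host=$2
    case $pattern in
        \*.*)
            # A wildcard covers exactly one label: *.dvss.org matches m1.dvss.org,
            # but not dvss.org itself and not a.b.dvss.org.
            [ "${host#*.}" = "${pattern#\*.}" ] && [ "${host%%.*}" != "$host" ] \
              && [ -n "${host%%.*}" ]
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# names_cover HOST NAME...: succeed if any NAME covers HOST.
names_cover() {
    host=$1; shift
    for pattern in "$@"; do
        name_matches "$pattern" "$host" && return 0
    done
    return 1
}

# cert_covers CERT.pem HOST: succeed if the certificate's SAN list covers HOST.
cert_covers() {
    cert=$1; host=$2
    set -- $(san_names "$cert")   # DNS names contain no whitespace, so word-splitting is safe
    names_cover "$host" "$@"
}

# Usage: sh check_san.sh /etc/letsencrypt/live/i.dvss.org/fullchain.pem m1.dvss.org
if [ "$#" -eq 2 ]; then
    if cert_covers "$1" "$2"; then
        echo "$2 is covered by $1"
    else
        echo "$2 is NOT covered by $1"; exit 1
    fi
fi
```

Run it against the live fullchain.pem immediately after the certonly command; if the new name is reported as not covered, the certificate was not reissued with it, whatever the renewal configuration file says.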
