Total Noob drowning in SSL SAN Multi-Domain

My domain is: skynfüd.com & I tried to create another certificate for skynfud.com but it overwrote something and now nothing works.

I followed this tutorial:

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

Actually I got SSL working for skynfüd.com (skynfüd.com) and pointed skynfud.com at it from Lightsail's Hosted Domains... only this second domain wasn't secure yet, so I stupidly followed the tutorial again and broke it. (I now know from a better article I should've just used -d to add a list of domains instead of trying to make a certificate for each).

I used Certbot and followed the Amazon tutorial exactly (but twice).

My question is, can I just delete my WordPress/Lightsail instance (it's blank anyway) and start a new one, ask for the certificate again but this time just add -d for each domain to get the SAN/Multi-domain certificate I really need?

Or will this cause my domains to be blacklisted due to asking for another SSL certificate? I keep thinking that if I ask for another certificate whilst one exists and it includes another domain that already has a certificate then the whole thing's going nowhere...?

Many thanks for any help!

Carl.

1 Like

Welcome to the Let's Encrypt Community, Carl :slightly_smiling_face:

In short, yes, but you should of course take this as a learning experience and be mindful of the rate limits (in particular the duplicate certificate rate limit).

Nope, you just might be hindered by the rate limit (unless you do something grotesquely excessive).

That's often referred to as "certificate expansion" and is quite common.


For your reference, you can find all of your Let's Encrypt certificates (and many from other CAs) by searching with https://crt.sh. Be sure to use the "deduplicate" advanced option to prevent your Let's Encrypt precertificates from cluttering up the output and causing confusion.

You are a genius. I bow to your networking knowledge and shuffle backwards with many blessings on my way out.

1 Like

Can I check before I mess this up again... I just add a -d and list the domains I want on 1 certificate? Then any domain that gets pointed to my Lightsail instance will be checked against that SSL list and register as secure to a web user?

1 Like

I'm assuming you're using certbot here. You might find it easier to just use -d "list,of,domain,names". Be sure to include the quotes.

As an aside, the tutorial you linked to seems to use manual DNS validation. If you followed that instead of using http validation, then you will need to manually update your DNS challenge TXT records every time you want to renew (these challenges get cached for approx. 30 days; thereafter you need to complete new ones).

http validation is probably better for simplicity/automation unless you specifically need DNS validation and can't use an automated DNS plugin/script.

2 Likes

I fully concur with @webprofusion's observation and suggestion. :sparkling_heart:

1 Like

You can do that?

I was going to type -d skynfud.com -d skynfud.co.uk -d *.skynfud.com

etc...

1 Like

Be careful with using asterisks without quotes. There can be nasty consequences. The format I gave you is much safer.

Thanks :slight_smile:

I'll try to find a http validation tutorial.

1 Like

Keep in mind that http-01 challenges won't work for wildcard certificates. Those require dns-01 challenges. You'll want to decide if you really need a wildcard certificate before proceeding.

You can possibly automate your dns-01 challenges as @webprofusion has suggested using a dns plugin for certbot. This will depend upon your dns provider.
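Pulling together the two pieces of advice above (one -d with a quoted, comma-separated list; dns-01 only when a wildcard is really needed), here is an added helper script that is not from this thread or from certbot itself. It prints the certbot command for a domain list and picks the challenge type the names allow; the web root path is a placeholder and the domain list is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Builds one certbot request that puts
# every name on a single SAN certificate. Assumes certbot is installed; the
# web root below is a placeholder you must replace.

WEBROOT="/path/to/webroot"   # placeholder: the site's document root

# Report which challenge a comma-separated domain list needs.
# Any "*" means a wildcard name, and wildcards can only be validated with
# dns-01; lists without one can use http-01 via --webroot.
challenge_for() {
    case "$1" in
        *\**) echo dns-01 ;;
        *)    echo http-01 ;;
    esac
}

# Print (do not run) the certbot command for the given domain list.
# The list is always wrapped in double quotes so the shell cannot expand a
# "*" into file names before certbot sees it.
certbot_cmd() {
    domains="$1"
    if [ "$(challenge_for "$domains")" = dns-01 ]; then
        # Manual dns-01: the TXT record must be redone at each renewal
        # unless a DNS plugin automates it.
        printf 'certbot certonly --manual --preferred-challenges dns -d "%s"\n' "$domains"
    else
        printf 'certbot certonly --webroot -w "%s" -d "%s"\n' "$WEBROOT" "$domains"
    fi
}

# Count how many names will end up in the certificate's SAN list.
san_count() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c .
}

# Constructed domain list mirroring the names discussed in the thread.
DOMAINS="skynfud.com,www.skynfud.com,skynfud.co.uk,www.skynfud.co.uk"
echo "Challenge needed: $(challenge_for "$DOMAINS")"
echo "Names on certificate: $(san_count "$DOMAINS")"
certbot_cmd "$DOMAINS"
# Append --dry-run to rehearse against Let's Encrypt staging first, so a
# mistake does not count against the duplicate-certificate rate limit.
```

After issuance, `openssl x509 -in /path/to/cert.pem -noout -ext subjectAltName` lists the names actually on the certificate, which is the quickest way to confirm every domain made it onto the one SAN certificate.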

Yes, good point because now I know how to list properly, I can forget the wildcard tutorial (it's the only thing on Amazon's help pages) and just list "www.name.com, name.com, www.name.co.uk, name.co.uk" etc...

1 Like

Exactly correct. :face_with_monocle: Most people don't actually need wildcard certificates.

1 Like

Thank you so much guys!!!

1 Like

You're quite welcome! :blush:

Happy securing! :lock:

1 Like