Unable to expand existing certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: musingsofamaverick.org

I ran this command: certbot --expand -d musingsofamaverick.org,musingsofamaverick.blog

It produced this output: Certbot doesn’t know how to automatically configure the web server on this system.

My web server is (include version): nginx 1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot version 0.31.0

Hi @wrknight

Checking your domain via musingsofamaverick.org - Make your website better - DNS, redirects, mixed content, certificates - you already use a new certificate with both domain names:

CN=musingsofamaverick.org | 22.04.2020 | 21.07.2020 | expires in 73 days | musingsofamaverick.org, www.musingsofamaverick.org - 2 entries

Both connections (non-www and www) are secure.

Looks like that error message isn't relevant.

Unfortunately, that is not the problem. The problem was the failure to expand the coverage of the certificate to include the new domains musingsofamaverick.blog and www.musingsofamaverick.blog. Following the instructions in using the command certbot --expand, I received the error message above and my certificate does not cover the new domain names.

The www subdomains were actually included for both domains in the original instruction, so there should now be four domain names covered by the certificate.

Do all 4 domain names have the same content?

If yes, do you have one vHost with all 4 domain names?

If not, Certbot doesn't understand how to create a port 443 vHost.

There

https://certbot.eff.org/docs/using.html

--expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains. With the --expand option, use the -d option to specify all existing domains and one or more new domains.

So you have to add all domains with -d.

All 4 domain names are for the same website. Essentially they are aliases that should point to the same content. They are:
musingsofamaverick.org, www.musingsofamaverick.org, musingsofamaverick.blog, www.musingsofamaverick.blog

To the best of my knowledge, I do not have a virtual host.

The instructions you cite are the instructions I followed. I am not sure what you mean by the last sentence as I only entered -d once at the beginning of the domain name list. I did not enter -d before each domain name.

That has to be entered before each domain name.

That didn’t work either. Same error message.

That's the reason Certbot doesn't know how to create a port 443 vHost.

The port 80 template is missing. Create one.

Help me out here. I have no idea what a port 80 template is or how to create one.

Also, I don’t understand why that would affect the new domain names and not the existing domain names.

Attempting to use the command certbot --nginx I get the message "the requested nginx plugin does not appear to be installed."

So my next question is, how do I install it at this point?

New info.

Looking at my installed certbot packages with Synaptic I find that only certbot and python3-certbot are installed. python-certbot-nginx does not appear to be installed.

Any recommendations?

You will have to get your first problem fixed first. Then you can add the domains as above.

It would appear I have a number of problems. Which one do I fix first, and how do I go about it?

Problem solved.

To solve the problem on my LEMP server all I had to do was to install the nginx plugin and re-run the --expand command. Since certbot was already installed all I had to do was run

sudo apt install python-certbot-nginx python-certbot-nginx-doc

After that was completed, I ran

sudo certbot --expand -d olddomain,newdomain

and my certificate was expanded to include the new domain. (It was not necessary to put the -d in front of every domain name. I just separated each domain name with a comma and no space.)

Afterwards, I ran

sudo service nginx restart

to restart nginx with the revised info.

Thanks. I'll remember that. Glad to see you got up and running!
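
A check that fits the outcome of this thread, added here as an example and not code from any poster or from Certbot: it reports which expected hostnames are absent from a certificate's subjectAltName line, in the "DNS:name, DNS:name" form that `openssl x509 -noout -text` prints. The function name `missing_sans` and the sample SAN line (built from the two names reported earlier in the thread) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which expected hostnames a certificate does not cover.
# Input is a subjectAltName line as printed by `openssl x509 -noout -text`,
# e.g. "DNS:example.org, DNS:www.example.org".

# missing_sans SAN_LINE NAME...
# Prints each NAME that is not an exact DNS entry in SAN_LINE and returns 1
# if any name is missing. Wildcard entries are compared literally, not expanded.
missing_sans() {
    san_line=$1
    shift
    # Normalise to one lowercase name per line, dropping the "DNS:" prefix.
    covered=$(printf '%s\n' "$san_line" | tr ',' '\n' | tr 'A-Z' 'a-z' \
        | sed -n 's/^[[:space:]]*dns:\([^[:space:]]*\)[[:space:]]*$/\1/p')
    status=0
    for name in "$@"; do
        want=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        # -x: whole-line match, -F: literal string, so "example.org" does not
        # match "www.example.org" and dots are not treated as wildcards.
        if ! printf '%s\n' "$covered" | grep -qxF -- "$want"; then
            printf '%s\n' "$name"
            status=1
        fi
    done
    return $status
}

# Constructed sample: the SAN line before the expansion (two names only).
BEFORE='DNS:musingsofamaverick.org, DNS:www.musingsofamaverick.org'

# The four names the certificate is meant to cover after --expand.
EXPECTED='musingsofamaverick.org www.musingsofamaverick.org musingsofamaverick.blog www.musingsofamaverick.blog'

# Word splitting of $EXPECTED is intentional here.
missing_sans "$BEFORE" $EXPECTED || echo "certificate does not cover all names"
```

Run against the SAN line of the live certificate after an expansion, an empty result confirms that every intended name is covered.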