Use www. or not when licensing domain name

I created my licenses using www.mydomain.online. Of course it works well BUT if someone types mydomain.online it shows the certificate is not to be trusted.

I’m guessing I should have licensed it without the www.

Can I correct this, if so how?

Thanks
GR

Hi @grathke,

We refer to the documents that are issued by Let’s Encrypt as certificates rather than licenses.

A single certificate can cover more than one name (in fact, up to 100 names). As you noticed, example.com and www.example.com are regarded as separate names, and covering one does not automatically mean covering the other.

Depending on what software or method you used to request your certificate, there should be a way to list multiple names that the certificate will cover. You should be able to request a new certificate that covers both www.mydomain.online and mydomain.online. That certificate will then work regardless of whether or not a user typed the www. before your domain name. If you don’t happen to know how to obtain a certificate that covers more than one name, please let us know what method you’re using to get your certificates and we can see if someone on the forum knows how to advise you.

Thanks so much for the really quick reply.

I’m using the built-in functionality of TSPlus to work with your certification process.

I entered both domain names separated with a comma and that did not work. So I ran the process again just for the mydomain.online and now I have 2 certifications, 1 for each domain name. Is this ok? Will both renew?

Again, thanks so much
Glenn

I don’t know how they handle automated renewals, but with other software, this should generally be totally fine. It’s not the most elegant way to do it, but it’s fine with respect to technical standards and CA policies.

I’ve got it to work for both now.

Is there only one certificate? Because I did it separately for both I have a certificate for each one.

Can I delete 1 certificate and only keep the most recent which works for both?

Thanks
Glenn


It’s likely that there are two different certificates and you’ll need both of them. If you look at each certificate in your browser’s developer tools or via https://crt.sh/, you can see which names it covers or doesn’t cover.

I did get a certificate to cover both it seems, yea! I deleted the oldest certificate and all seems to be fine.

Thanks for all your help.

Glenn

One thing I want to point out that seems to confuse a lot of people in this situation is that you will probably get a reminder e-mail from Let’s Encrypt when your old certificate is about to expire. If you replaced a certificate with a larger certificate, Let’s Encrypt does not know that one was necessarily meant as a replacement for another, as opposed to the possibility that they’re independent and perhaps being used on separate servers. In that case, an expiration warning e-mail is still generated for the smaller certificate when it’s about to expire, even though you in practice don’t need to renew it because you can simply renew the larger certificate.

You can safely ignore this renewal warning e-mail if it relates to a certificate that you are no longer using.

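The name-coverage rule discussed in this thread, as an added example that is not part of any post and is not code from Let’s Encrypt or TSPlus: it reports which wanted hostnames a certificate's name list leaves uncovered, and which earlier certificates are fully covered by a later, larger one (the ones whose expiry e-mails can be ignored once they are no longer in use). The certificate labels and name lists are constructed sample data, and the wildcard rule goes beyond the case in the thread.

```python
# Added example with constructed data: certificate name coverage.

def name_matches(cert_name: str, host: str) -> bool:
    """True if one name listed in a certificate covers the hostname."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        # A wildcard stands for exactly one left-most label:
        # *.example.com covers www.example.com but not example.com.
        first, _, rest = host.partition(".")
        return bool(first) and rest == cert_name[2:]
    return cert_name == host


def coverage_gaps(cert_names, wanted_hosts):
    """Hostnames from wanted_hosts that the certificate does not cover."""
    return [h for h in wanted_hosts
            if not any(name_matches(n, h) for n in cert_names)]


def redundant(certs):
    """Labels of certificates whose every name is covered by a later one.

    certs is a list of (label, names) in order of issuance.
    """
    result = []
    for i, (label, names) in enumerate(certs):
        for _, later_names in certs[i + 1:]:
            if not coverage_gaps(later_names, names):
                result.append(label)
                break
    return result


# Constructed sample: the three issuances described in the thread.
CERTS = [
    ("cert-1", ["www.mydomain.online"]),
    ("cert-2", ["mydomain.online"]),
    ("cert-3", ["mydomain.online", "www.mydomain.online"]),
]
WANTED = ["mydomain.online", "www.mydomain.online"]

if __name__ == "__main__":
    for label, names in CERTS:
        print(label, "does not cover:", coverage_gaps(names, WANTED) or "nothing")
    print("covered by a later certificate:", redundant(CERTS))
```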

@schoen wouldn’t expanding the existing certificate have been a better solution?

Expanding the existing certificate is implemented as obtaining a new larger certificate and saving it in place of the old certificate. I agree that this is a good approach, but I didn’t know if @grathke was using a client like Certbot or not. This ultimately only affects what the resulting certificate is called on disk, and doesn’t affect how the certificate appears to end-users visiting the site (and also doesn’t affect the e-mail reminder issue, because currently the ACME protocol used between the Let’s Encrypt client and the Let’s Encrypt CA doesn’t include any way to indicate how the request relates to a prior certificate—so there is no way to say within ACME “this certificate is actually replacing that other certificate”).
