Webroot --expand : a user error or a doc error?

Hi,

I have already-existing certs for 2 domains, done like this:

/root/bin/certbot-auto certonly --expand --email denis@example.net --webroot \
-w /home/example.net/htdocs/www -d www.example.net \
-w /home/example.net/htdocs/doli/htdocs -d doli.example.net

And then I have :heart_eyes:

:/etc/letsencrypt# cat renewal/www.example.net.conf
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/www.example.net/cert.pem
privkey = /etc/letsencrypt/live/www.example.net/privkey.pem
chain = /etc/letsencrypt/live/www.example.net/chain.pem
fullchain = /etc/letsencrypt/live/www.example.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 89978d42325c7f16202ae7bf722c8064
authenticator = webroot
installer = None
webroot_path = /home/example.net/htdocs/www, /home/example.net/htdocs/dolibarr/htdocs
[[webroot_map]]
www.gsill.net = /home/example.net/htdocs/www
doli.gsill.net = /home/example.net/htdocs/dolibarr/htdocs

Seems OK, but then I try to expand the actual cert with one server, doing:

/root/bin/certbot-auto certonly --expand --email denis@example.net --webroot \
-w /home/example.net/htdocs/www -d www.example.net \
-w /home/example.net/htdocs/piwik -d piwik.example.net 

But: it takes a second cert with :cry:

:/etc/letsencrypt# cat renewal/www.example.net-0002.conf
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/www.example.net-0002/cert.pem
privkey = /etc/letsencrypt/live/www.example.net-0002/privkey.pem
chain = /etc/letsencrypt/live/www.example.net-0002/chain.pem
fullchain = /etc/letsencrypt/live/www.example.net-0002/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 89978d42325c7f16202ae7bf722c8064
webroot_path = /home/example.net/htdocs/www, /home/example.net/htdocs/piwik
[[webroot_map]]
piwik.gsill.net = /home/example.net/htdocs/piwik
www.gsill.net = /home/example.net/htdocs/www

The only way to expand (with my method) an existing cert is to add ALL servers on the command line:

/root/bin/certbot-auto certonly --expand --email denis@example.net --webroot \
-w /home/example.net/htdocs/www -d www.example.net \
-w /home/example.net/htdocs/doli/htdocs -d doli.example.net \
-w /home/example.net/htdocs/piwik -d piwik.example.net

With this instruction certbot really expands www.example.net.conf and does not create a new cert.

The user guide seems to show we can add only one server on the command line: :confused:

--expand              If an existing cert covers some subset of the
                      requested names, always expand and replace it with the
                      additional names. (default: False)

An error from me? The doc? Or a bug in certbot? :scream_cat:

Thanks a lot.
PS: unsure about the category: seems related to certbot, not really help?

The explanation for --expand is indeed a bit hard to parse. Trying to come up with something better just gives me a headache, unfortunately. :unamused:

Basically, certbot works like this:

  • You always need to provide all the domains that should appear on the certificate, rather than just the ones that you want to add.
  • --expand only replaces an existing certificate if all the domains in the existing certificate also are included in your current certificate request. In other words, it won’t help you get rid of a subset of domains from an existing certificate, it’ll just be useful to add new ones.

Does that make sense? :confused:

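The two rules in the reply above, modelled as an added example that is not certbot's own code: a small Python function that matches a certonly request against the existing renewal lineages and says whether it renews, expands, refuses or creates a new lineage. The lineage names, the -0002 suffix numbering and the "refuse" outcome without --expand are assumptions based on what this thread shows.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Lineage:
    """One renewal config: lineage name plus the names on its current cert."""
    name: str
    domains: frozenset[str]


def choose_lineage(existing: list[Lineage], requested: list[str], expand: bool) -> tuple[str, str]:
    """Decide what a certonly request does, following the rules in the reply above.

    Returns (action, lineage_name) where action is one of:
      "renew"  - requested names equal an existing lineage's names
      "expand" - existing names are a strict subset and --expand was given
      "refuse" - existing names are a strict subset but --expand was not given
                 (real certbot prompts, or errors non-interactively; modelled as refuse)
      "new"    - no existing lineage is fully covered, so a separate lineage is created
                 (this includes asking for only a subset of an existing cert's names)
    """
    req = frozenset(requested)
    for lin in existing:
        if lin.domains == req:
            return ("renew", lin.name)
    for lin in existing:
        if lin.domains < req:  # every old name is present, plus new ones
            return ("expand" if expand else "refuse", lin.name)
    # New lineage: named after the first requested domain, suffixed if taken.
    # Suffix numbering is an assumption modelled on the -0002 seen in this thread.
    taken = {lin.name for lin in existing}
    base = requested[0]
    name, n = base, 1
    while name in taken:
        n += 1
        name = f"{base}-{n:04d}"
    return ("new", name)


# Constructed scenario from the thread: www and doli are already on one cert.
EXISTING = [Lineage("www.example.net", frozenset({"www.example.net", "doli.example.net"}))]


def scenario(domains: list[str], expand: bool = True) -> tuple[str, str]:
    """Run one certonly request against the constructed lineage set."""
    return choose_lineage(EXISTING, domains, expand)


if __name__ == "__main__":
    print(scenario(["www.example.net", "piwik.example.net"]))                     # ('new', 'www.example.net-0002')
    print(scenario(["www.example.net", "doli.example.net", "piwik.example.net"]))  # ('expand', 'www.example.net')
```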

OK, the strange part is "existing cert covers some subset"; the "some subset" makes me mad :slight_smile:.

Why not just

--expand              If an existing cert covers requested names,
                      always expand and replace it with the
                      additional names. (default: False)

removing the "some subset".

And some lines up in the manual:

(All of the domains covered by the certificate must be specified in this case in order to renew and replace the old certificate rather than obtaining a new one; don’t forget any www. domains! Specifying a subset of the domains creates a new, separate certificate containing only those domains, rather than replacing the original certificate, even with expand.)

Just adding "even with expand". This part is not needed; just removing the "some subset" is really better.

Thanks a lot :slight_smile:
