Webroot using CSR



I’m trying to get some consistancy as to the common name on my certificate when expanding it. I read here Common Name change after using --expand flag that there is a problem where the common name assigned is random, but that can currently be overcome by using a csr. Could somebody explain to me exactly how I would go about this as I cannot find any documentation about using a csr?



Hello @Inyourbox,

Keep in mind that this common name issue should be solved on next letsencrypt client version 0.6.0 so maybe it’s worth to wait to renew your certs.

Anyway, to issue a cert using your own csr you should.


1.- Create your own private key.
2.- Create your csr file.
3.- Use letsencrypt-auto to request your cert using your previously created csr.
4.- Copy the key and issued cert (cert, chain and/or fullchain) to the right place to be used by your web server, mail server, etc.


1 & 2.- Both steps could be performed in just 1 step. In this example I will create a private key using 4096 bits and its name will be mydomain.tld.pem.key. I will create a certificate request for domain mydomain.tld and www.mydomain.tld where mydomain.tld will be the common name. This csr request file will have the name mydomain.tld.der.csr.

openssl req -sha256 -nodes -new -newkey 4096 -keyout mydomain.tld.pem.key -out mydomain.tld.der.csr -outform der -subj "/CN=mydomain.tld" -reqexts SAN -config <(echo -e "[req]\ndistinguished_name=mydomain.tld\n[mydomain.tld]\n[SAN]\nsubjectAltName=DNS:mydomain.tld,DNS:www.mydomain.tld")

You could check your csr file using this command:

openssl req -inform der -in mydomain.tld.der.csr -noout -text

3.- Use letsencrypt-auto to issue your cert using certonly and webroot.

/path/to/letsencrypt-auto certonly --text --non-interactive --email youruser@mydomain.tld --renew-by-default --agree-tos --csr mydomain.tld.der.csr --webroot --webroot-path /path/to/mydomain.tld/root/document

In case mydomain.tld and www.mydomain.tld don’t have the same document root you should use option --webroot-map instead of --webroot-path

/path/to/letsencrypt-auto certonly --text --non-interactive --email youruser@mydomain.tld --renew-by-default --agree-tos --csr mydomain.tld.der.csr --webroot --webroot-map '{"mydomain.tld":"/path/to/mydomain.tld/root/document", "www.mydomain.tld":"/path/to/www.mydomain.tld/root/document"}'

Note: I recommend that you use first the letsencrypt-auto client using the --dry-run option to check that all will work as expected, once you get no errors you could remove --dry-run option. Also, you can try to issue your cert in staging server adding option --test-cert before issuing it against production.

4.- If the process ended ok, you will get 3 files:

0000_cert.pem is your new and signed certificate.
0000_chain.pem is the Let’s Encrypt intermediate cert.
0001_chain.pem is the full chain, it includes both files 0000_cert.pem and 0000_chain.pem

Bear in mind that you already created the private key and should be there with name mydomain.tld.pem.key

Now you should configure your server (web, mail, imap, …) to point to the required files.

I hope this helps.



That’s an incredible reply, sahsanu!

Even though it doesn’t directly relate to my situation, it’s looks incredibly useful and I might be able to use parts of it in the future.

I’m definitely keeping a copy handy, thanks!


Thanks for the detailed explanation sahsanu, it’s greatly appreciated! :grin:



I have tried using the commands given by @sahsanu, but on the last command when running Lets Encrypt I get the following error:

letsencrypt: error: argument --csr: No such file or directory

Any ideas as to what I’m doing wrong?



Hi @Inyourbox,

If you receive that error is because:

1.- The csr file name you are using is not correct.
2.- If you are executing letsencrypt-auto from another dir, you should specify the full path to your csr --csr /full/path/to/yourcsrfile instead of --csr yourcsrfile