Workaround for 5 domain limit?

So, I have an apache server that aliases 5 domains. I just tried to add another ServerAlias and ran certbot to add my new domain, but it keeps failing to add it. It seems there is a limit of 5 domains…but I am not sure I understand…is that per server? Per virtual server? How can I add my 6th domain name so it is secured by cert like the others?

I should add that the message comes back to tell me that my cert WAS successfully expanded, but in the part above where it runs through lines like “tls-sni-01 challenge for xx.xx.net” all domains are listed EXCEPT my new one.

There is no workaround, BUT there is an official solution: use Subject Alternative Name (SAN).

See expand usage in certbot

Unless I am misunderstanding you, I was using the expand command, but it failed. Or rather, it told me it succeeded, but it did not in fact, as that domain is not active on my server for https. It seems to not allow any more domains on the cert.

What was the full command line you used while trying to expand the certificate?

The limit of domains per certificate is 100, 5 or 6 should be fine.


You didn’t post the exact command :)
Maybe you have the same issue as me: [Resolved] Unable to expand an existing domain.

EDIT:
See below: it seems to be the same issue :)

Here was the whole command and processing (domains changed to generic):

./certbot-auto --apache -d domain1.net -d mail.domain1.net -d mail.c.domain2.com -d mail.domain3.com -d mail.domain4.com -d mail.domain5.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain1.net.conf)

It contains these names: domain1.net, mail.c.domain2.com,
mail.domain3.com, mail.domain4.com, mail.domain1.net

You requested these names for the new certificate: domain1.net,
mail.domain1.net, mail.c.domain2.com, mail.domain3.com,
mail.domain4.com, mail.domain5.org.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domain1.net
tls-sni-01 challenge for mail.c.domain2.com
tls-sni-01 challenge for mail.domain3.com
tls-sni-01 challenge for mail.domain4.com
tls-sni-01 challenge for mail.domain1.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://domain1.net,
https://mail.domain1.net, https://mail.c.domain2.com,
https://mail.domain4.com, https://mail.domain3.com, and
https://mail.domain5.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=domain1.net
https://www.ssllabs.com/ssltest/analyze.html?d=mail.domain1.net
https://www.ssllabs.com/ssltest/analyze.html?d=mail.c.domain2.com
https://www.ssllabs.com/ssltest/analyze.html?d=mail.domain4.com
https://www.ssllabs.com/ssltest/analyze.html?d=mail.domain3.com
https://www.ssllabs.com/ssltest/analyze.html?d=mail.domain5.org
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain1.net/fullchain.pem. Your cert
   will expire on 2017-04-13. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again with
   the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

If you’ve recently acquired a separate certificate for the 5th domain with the same account key, the challenge might be skipped. Could you check if the new domain actually appears on the certificate? Here’s the openssl command you can use for that:

openssl x509 -text -noout -in /etc/letsencrypt/live/domain1.net/cert.pem | grep DNS
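As an added example (not code from the thread or from Certbot), here is a small POSIX shell script that turns the openssl check above into a pass/fail test: it pulls the dNSName entries out of a certificate, pulls the ServerName/ServerAlias hostnames out of an Apache vhost file like the 000-default-le-ssl.conf certbot deploys to, and reports every vhost name the certificate does not cover. The wildcard handling, the constructed vhost file and the self-signed demo certificate (generated with openssl req -addext, which needs OpenSSL 1.1.1 or newer) are assumptions for the demo, not anything the thread mentions; the domain names are the thread's own placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a certificate's SAN list
# covers every name an Apache vhost serves. The fixtures below are constructed
# for the demo; point the functions at your own cert and vhost paths instead.
set -euf   # -f: no globbing, so a "*.example" SAN is never expanded against the cwd

# Print the dNSName entries of a PEM certificate, one per line.
# Same data as "openssl x509 -text -noout -in cert.pem | grep DNS", minus the prefix.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Print the ServerName/ServerAlias hostnames of an Apache vhost file (":port" stripped).
vhost_names() {
    awk '$1 == "ServerName" || $1 == "ServerAlias" {
             for (i = 2; i <= NF; i++) { sub(/:[0-9]+$/, "", $i); print $i }
         }' "$1" | sort -u
}

# Return 0 if name $2 is covered by a SAN of cert $1: an exact match, or a
# wildcard SAN whose "*" stands for exactly one label (assumed RFC 6125 rule).
cert_covers() {
    cert=$1; name=$2
    parent=${name#*.}
    for san in $(cert_dns_names "$cert"); do
        [ "$san" = "$name" ] && return 0
        case $san in
            \*.*) [ "$parent" != "$name" ] && [ "${san#\*.}" = "$parent" ] && return 0 ;;
        esac
    done
    return 1
}

# Print each listed name the cert does not cover; return 1 if any is missing.
missing_names() {
    cert=$1; shift
    rc=0
    for n in "$@"; do
        if ! cert_covers "$cert" "$n"; then
            echo "MISSING: $n"
            rc=1
        fi
    done
    return $rc
}

# Cross-check: every hostname the vhost serves must be on the cert it deploys.
check_vhost_against_cert() {
    missing_names "$1" $(vhost_names "$2")
}

# Constructed fixture: self-signed cert with three SANs (needs OpenSSL >= 1.1.1 for -addext).
make_demo_cert() {
    d=$(mktemp -d)
    openssl req -x509 -nodes -days 1 -subj '/CN=domain1.net' \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$d/privkey.pem" -out "$d/cert.pem" \
        -addext 'subjectAltName=DNS:domain1.net,DNS:mail.domain1.net,DNS:*.domain3.com' \
        >/dev/null 2>&1
    echo "$d/cert.pem"
}

# Constructed fixture: a vhost that also serves a name the cert lacks (the thread's situation).
make_demo_vhost() {
    d=$(mktemp -d)
    cat > "$d/000-default-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName domain1.net:443
    ServerAlias mail.domain1.net mail.domain3.com
    ServerAlias mail.domain5.org
</VirtualHost>
EOF
    echo "$d/000-default-le-ssl.conf"
}

demo_cert=$(make_demo_cert)
demo_vhost=$(make_demo_vhost)
# prints "MISSING: mail.domain5.org" and then the message below
check_vhost_against_cert "$demo_cert" "$demo_vhost" || echo "certificate does not cover the vhost"
```

To test what the server actually presents rather than the file on disk, save the output of `openssl s_client -connect host:443 -servername host </dev/null | openssl x509` to a file and pass that path instead. A non-zero exit with a MISSING line is exactly the condition described above: certbot reports success, but the new name never made it onto the certificate.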

That command shows the five original domains, but not my new one…

Thanks for the reply, but if I am reading your issue correctly, you had a DNS propagation problem? I have checked most of the servers and it seems my domain that I am trying to add IS resolving so I don’t think that is the issue, although I could wait and try later today to be sure to rule that out as a cause.

No DNS propagation, no DNS in fact …

Previously, I made the same error, and received an error if DNS was bad.

Another issue seems related: Expands not working on pre-existing cert requests

Could you post the output of the following two commands?

ls -l /etc/letsencrypt/live
ls -l /etc/letsencrypt/live/domain1.net

Sure:

total 4
drwxr-xr-x 2 root root 4096 Jan 13 13:24 domain1.net

and

total 0
lrwxrwxrwx 1 root root 41 Jan 13 13:24 cert.pem -> ../../archive/domain1.net/cert10.pem
lrwxrwxrwx 1 root root 42 Jan 13 13:24 chain.pem -> ../../archive/domain1.net/chain10.pem
lrwxrwxrwx 1 root root 46 Jan 13 13:24 fullchain.pem -> ../../archive/domain1.net/fullchain10.pem
lrwxrwxrwx 1 root root 44 Jan 13 13:24 privkey.pem -> ../../archive/domain1.net/privkey10.pem

That looks fine. I’m leaning towards this being a bug, perhaps introduced with the latest update from two days ago. I’m pretty sure this used to work.

One more thing worth trying would be to try to just run ./certbot-auto, without any other arguments. The apache plugin should be able to get the domain list from your ServerName and ServerAlias directives and offer to expand the existing certificate once you pick your vhost. Perhaps whatever is triggering this issue is specific to domains provided via command-line arguments.

Thanks I just tried ./certbot-auto alone, and alas, same problem. It finds my new domain and everything SEEMS to go fine (except for the tls-sni-01 challenge missing for the new domain) and yet…the cert is not working on that domain.

Thanks, I was able to reproduce this. Reported on GitHub:


Thanks for reporting the bug @ssuess, and thanks to @pfg for reproducing and reporting! The Certbot team fixed it and released a new version (0.10.1) this afternoon with the fix. Let us know if you have any problems with it.


Just tested it and it works! Fixed! Thanks!
