Letsencrypt add domain to existing certificate
Solution 1
You need to specify all of the names, including those already registered.
I used the following command originally to register some certificates:
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
--email [email protected] \
--expand -d example.com,www.example.com
... and just now I successfully used the following command to expand my registration to include a new subdomain as a SAN:
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
--expand -d example.com,www.example.com,click.example.com
From the documentation:
--expand "If an existing cert covers some subset of the requested names, always expand and replace it with the additional names."
Don't forget to restart the server to load the new certificates if you are running nginx.
Solution 2
Apache on Ubuntu, using the Apache plugin:
sudo certbot certonly --cert-name example.com -d m.example.com,www.m.example.com
The above command is vividly explained in the Certbot user guide on changing a certificate's domain names. Note that the command for changing a certificate's domain names applies to adding new domain names as well.
Edit
If running the above command gives you the error message
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
follow these instructions from the Let's Encrypt Community
Solution 3
This is how I registered my domain:
sudo letsencrypt --apache -d mydomain.com
Then it was possible to use the same command with additional domains and follow the instructions:
sudo letsencrypt --apache -d mydomain.com,x.mydomain.com,y.mydomain.com
Solution 4
You can replace the certificate by just running the certbot again with ./certbot-auto certonly
You will be prompted with this message if you try to generate a certificate for a domain that you have already covered by an existing certificate:
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/<domain>.conf)
It contains these names: <domain>
You requested these names for the new certificate: <domain>,
<the domain you want to add to the cert>.
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
Just choose Expand and replace it.
Solution 5
I was able to set up an SSL certificate for a domain AND multiple subdomains by using the --cert-name option combined with the --expand option.
See official certbot-auto documentation at https://certbot.eff.org/docs/using.html
Example:
certbot-auto certonly --cert-name mydomain.com.br \
--renew-by-default -a webroot -n --expand \
--webroot-path=/usr/share/nginx/html \
-d mydomain.com.br \
-d www.mydomain.com.br \
-d aaa1.com.br \
-d aaa2.com.br \
-d aaa3.com.br
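Added example, not part of any answer above: a small shell helper that builds the full -d list from a certificate's current names plus the new ones, so that existing names are not dropped when the certificate is replaced. It assumes the "Certificate Name:" / "Domains:" layout printed by certbot certificates; the sample output and the function names are constructed for illustration, and the authenticator options used in the answers (for example --webroot -w ...) still have to be appended to the printed command.

```shell
# Constructed sample of `certbot certificates` output (not from a real host).
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: other.example.org
    Domains: other.example.org
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/other.example.org/fullchain.pem'

# current_names CERT_NAME: read `certbot certificates` output on stdin and
# print the names on that certificate's "Domains:" line, one per line.
current_names() {
    awk -v want="$1" '
        $1 == "Certificate" && $2 == "Name:" { hit = ($3 == want) }
        hit && $1 == "Domains:" { for (i = 2; i <= NF; i++) print $i }
    '
}

# merged_names CERT_NAME NEW...: existing names first (original order), then
# each new name not already covered, joined with commas and no spaces.
merged_names() {
    cert=$1; shift
    { current_names "$cert"; printf '%s\n' "$@"; } |
        awk 'NF && !seen[$0]++ { out = out (out ? "," : "") $0 } END { print out }'
}

# expand_command CERT_NAME NEW...: print (do not run) the certbot call.
# Fails if the certificate name is not found, rather than building a command
# that would issue a separate certificate under a mistyped name.
expand_command() {
    input=$(cat)
    [ -n "$(printf '%s\n' "$input" | current_names "$1")" ] || {
        echo "no certificate named $1" >&2; return 1; }
    names=$(printf '%s\n' "$input" | merged_names "$@")
    printf 'certbot certonly --cert-name %s --expand -d %s\n' "$1" "$names"
}

printf '%s\n' "$SAMPLE_OUTPUT" | expand_command example.com click.example.com
```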
Jeff Davenport
Updated on May 04, 2020
Comments
-
Jeff Davenport about 4 years
I am just simply trying to add the domain test.example.com to the certificate that already exists for example.com. How do I add a domain to my existing certificate and replace the old certificate?
I have tried these few commands
./letsencrypt-auto certonly --cert-path /etc/letsencrypt/archive/example.com --expand -d test.example.com
./letsencrypt-auto certonly -d example.com --expand -d test.example.com
Result: both created a brand new cert in a new folder test.example.com-0001
./letsencrypt-auto certonly --renew-by-default --expand -d test.example.com
Result: error folder test.example.com already exists.
./letsencrypt-auto renew --expand -d orange.fidka.com
Result: error, I can only renew if my certificate is expired.
-
Mike Godin about 5 years
This question has been reopened on Super User: superuser.com/questions/1432541/…
-
Jesse Reza Khorasanee over 4 years
To anyone now viewing this question: I would recommend having a look at the answer on superuser. It uses certbot --expand which is closer to what this question is asking imo
-
-
tsusanka over 7 years
The command changed slightly to certbot-auto certonly -a webroot ...
-
hjl over 7 years
Does it work for standalone plugin?
-
KhoPhi about 7 years
When I use the above, it creates a new cert on its own, with a -001 at the end.
-
Ray Foss almost 7 years
Ran it on production, expand does not seem to require any visible down time. I used certbot-auto
-
George over 6 years
I just replaced letsencrypt with ./certbot-auto and it works! Command ./certbot-auto --nginx -d domain1.com,domain2.com asks if I want to expand existing cert and does the job.
-
Ersin Demirtas over 6 years
@simon-hampel When the SSL Certificate is expanded, does it extend the expire date for all the domains that are defined in the list?
-
Simon Hampel over 6 years
@ErsinDemirtas - it's been a while since I had to do this, but I'm pretty sure it creates a brand new certificate, so you get the full 90 day expiry
-
Nguyen Van Vinh almost 6 years
Thanks. It saves my time. I run ./letsencrypt-auto --debug -d new-domain.com -d new-alias.com
-
Rob over 5 years
It is probably mentioned in the documentation but if you are just adding to existing you need to add the existing domain again - or it will be removed
-
adrianTNT over 2 years
They also have the --expand option that you initially think it allows you to add while keeping existent domains, but it doesn't do that (facepalm). I don't really like their options or documentation.
-
jcomeau_ictx over 2 years
Didn't work for me. It made a completely new cert instead of updating the existing one.
-
Andrew over 2 years
Notice that there must be NO SPACE between domain1 comma and domain2: .... -d example.com,www.example.com