
I am just simply trying to add the domain test.example.com to the certificate that already exists for example.com. How do I add a domain to my existing certificate and replace the old certificate?

I have tried these few commands

./letsencrypt-auto certonly --cert-path /etc/letsencrypt/archive/example.com --expand -d test.example.com
./letsencrypt-auto certonly -d example.com --expand -d test.example.com

Result: both created a brand new cert in a new folder test.example.com-0001

./letsencrypt-auto certonly --renew-by-default --expand -d test.example.com 

Result: error folder test.example.com already exists.

./letsencrypt-auto renew --expand -d orange.fidka.com 

Result: error, I can only renew if my certificate is expired.

Comments

This question has been reopened on Super User: superuser.com/questions/1432541/… Commented May 3, 2019 at 12:51

To anyone now viewing this question: I would recommend having a look at the answer on superuser. It uses certbot --expand which is closer to what this question is asking imo Commented Oct 22, 2019 at 4:32

6 Answers


You need to specify all of the names, including those already registered.

I used the following command originally to register some certificates:

/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
    --email [email protected] \
    --expand -d example.com,www.example.com

... and just now I successfully used the following command to expand my registration to include a new subdomain as a SAN:

/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
    --expand -d example.com,www.example.com,click.example.com

From the documentation:

--expand "If an existing cert covers some subset of the requested names, always expand and replace it with the additional names."

Don't forget to restart the server to load the new certificates if you are running nginx.


9 Comments

The command changed slightly to certbot-auto certonly -a webroot ...

Does it work for the standalone plugin?

When I use the above, it creates a new cert on its own, with a -001 at the end.

Ran it on production; expand does not seem to require any visible downtime. I used certbot-auto.

@simon-hampel When the SSL certificate is expanded, does it extend the expiry date for all the domains that are defined in the list?
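Before reloading nginx as the answer suggests, it is worth confirming that the file certbot wrote actually carries every name you asked for. The following shell script is an added example, not code from the answer above or from certbot: it reads the subjectAltName extension with openssl and checks a list of expected names against it. It assumes OpenSSL 1.1.1 or newer (for `-ext` and `-addext`), and the certificate it inspects is a throwaway self-signed one generated inline as a stand-in for /etc/letsencrypt/live/example.com/fullchain.pem.

```shell
#!/bin/sh
# Added example, not code from the answer above. Before reloading nginx/Apache,
# confirm the expanded certificate file carries every name you requested.
# Assumes OpenSSL 1.1.1 or newer (for the -ext and -addext options).

# cert_sans FILE: DNS names from the subjectAltName extension, one per line, sorted.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# cert_has_names FILE NAME...: succeed only if every NAME is a SAN of FILE.
cert_has_names() {
    file=$1; shift
    sans=$(cert_sans "$file")
    for want in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# Constructed stand-in for /etc/letsencrypt/live/example.com/fullchain.pem: a
# throwaway self-signed certificate with the SANs an expanded cert should have.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" -days 90 \
        -subj '/CN=example.com' \
        -addext 'subjectAltName=DNS:example.com,DNS:www.example.com,DNS:test.example.com' \
        >/dev/null 2>&1
    printf '%s\n' "$dir/fullchain.pem"
}

SAMPLE_CERT=$(make_sample_cert)

# Against a real lineage you would call, for example:
#   cert_has_names /etc/letsencrypt/live/example.com/fullchain.pem example.com test.example.com
if cert_has_names "$SAMPLE_CERT" example.com www.example.com test.example.com; then
    echo "all requested names present; safe to reload the web server"
else
    echo "a requested name is missing from the certificate" >&2
fi

# The whole certificate is reissued, so notBefore/notAfter apply to every SAN:
openssl x509 -in "$SAMPLE_CERT" -noout -dates
```

Run the check on the `fullchain.pem` in the lineage's `live/` directory, not on the numbered copy in `archive/`, since `live/` is what the web server configuration points at; if a name is missing there, the expansion silently created a different lineage (the `-0001` folder the question mentions) and reloading would change nothing.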

Apache on Ubuntu, using the Apache plugin:

sudo certbot certonly --cert-name example.com -d m.example.com,www.m.example.com 

The above command is vividly explained in the Certbot user guide on changing a certificate's domain names. Note that the command for changing a certificate's domain names applies to adding new domain names as well.

As mentioned in the comments, if you are just adding to existing certificates, you need to add the existing domain again - or it will be removed.

Edit

If running the above command gives you the error message

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

follow these instructions from the Let's Encrypt Community

3 Comments

It is probably mentioned in the documentation but if you are just adding to existing you need to add the existing domain again - or it will be removed
they also have the --expand option that you initially think it allows you to add while keeping existent domains, but it doesn't do that (facepalm). I don't really like their options or documentation.
Yes would be nice if the output of certbot certificates gave you a comma separated list of domains that could be copy/pasted. Instead I have to copy it and then convert spaces to commas. Not very user friendly
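Because `--cert-name` sets the lineage's names to exactly what `-d` lists, the practical risk is leaving one of the existing names out. The script below is an added example, not code from the answer or from certbot: it parses the `Domains:` line for a named lineage out of `certbot certificates` output, merges the new names in without duplicates, and prints the resulting command. The `certbot certificates` output it parses is a constructed sample embedded inline, and the webroot authenticator with `/var/www/html` is an assumption; substitute the plugin and path you registered with.

```shell
#!/bin/sh
# Added example, not code from the answer above. Builds the complete -d list for
# `certbot certonly --cert-name NAME`, because certbot sets the lineage's names
# to exactly what -d lists: any existing name you leave out is dropped.

# Constructed sample of `certbot certificates` output (not captured from a real
# host). On a real system replace this with: certbot certificates 2>/dev/null
SAMPLE_CERTS='Found the following certs:
  Certificate Name: example.com
    Serial Number: 1234abcd
    Key Type: RSA
    Domains: example.com www.example.com
    Expiry Date: 2025-01-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: other.example
    Serial Number: 5678ef01
    Key Type: ECDSA
    Domains: other.example
    Expiry Date: 2025-01-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/other.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/other.example/privkey.pem'

# cert_domains NAME: the space-separated "Domains:" entry of lineage NAME,
# or nothing if no such lineage exists.
cert_domains() {
    printf '%s\n' "$SAMPLE_CERTS" | awk -v name="$1" '
        /^ *Certificate Name: / { cur = $3 }
        /^ *Domains: / && cur == name { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# merge_domains EXISTING NEW...: comma-separated union with order kept and
# duplicates removed, so every SAN already on the certificate stays in -d.
merge_domains() {
    existing=$1; shift
    out=""
    for d in $existing "$@"; do
        case ",$out," in
            *",$d,"*) ;;                      # already listed
            *) out="${out:+$out,}$d" ;;
        esac
    done
    printf '%s\n' "$out"
}

# expand_command NAME NEW...: the certbot invocation that adds NEW... to
# lineage NAME without losing its current names. Refuses to proceed when the
# lineage does not exist, since --cert-name would then create a new one.
# The webroot authenticator and /var/www/html are assumptions; use the
# plugin and path you originally registered with.
expand_command() {
    name=$1; shift
    existing=$(cert_domains "$name")
    if [ -z "$existing" ]; then
        printf 'no lineage named %s; --cert-name would create a new one\n' "$name" >&2
        return 1
    fi
    domains=$(merge_domains "$existing" "$@")
    printf 'certbot certonly --cert-name %s -a webroot -w /var/www/html -d %s\n' \
        "$name" "$domains"
}

# Print the command rather than run it: check the -d list by eye first.
expand_command example.com test.example.com
```

The printed command keeps `example.com` and `www.example.com` and appends `test.example.com`; passing only the new name would instead shrink the certificate to that one name, which is the failure mode the comments above describe.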

This is how i registered my domain:

sudo letsencrypt --apache -d mydomain.com 

Then it was possible to use the same command with additional domains and follow the instructions:

sudo letsencrypt --apache -d mydomain.com,x.mydomain.com,y.mydomain.com 

2 Comments

I just replaced letsencrypt with ./certbot-auto and it works! The command ./certbot-auto --nginx -d domain1.com,domain2.com asks if I want to expand the existing cert and does the job.
Thanks. It saves my time. I run ./letsencrypt-auto --debug -d new-domain.com -d new-alias.com

You can replace the certificate by just running the certbot again with ./certbot-auto certonly

You will be prompted with this message if you try to generate a certificate for a domain that you have already covered by an existing certificate:

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/<domain>.conf)

It contains these names: <domain>

You requested these names for the new certificate: <domain>, <the domain you want to add to the cert>.

Do you want to expand and replace this existing certificate with the new certificate?
-------------------------------------------------------------------------------

Just choose Expand and replace it.

Comments


I was able to set up an SSL certificate for a domain AND multiple subdomains by using --cert-name combined with the --expand option.

See official certbot-auto documentation at https://certbot.eff.org/docs/using.html

Example:

certbot-auto certonly --cert-name mydomain.com.br \
    --renew-by-default -a webroot -n --expand \
    --webroot-path=/usr/share/nginx/html \
    -d mydomain.com.br \
    -d www.mydomain.com.br \
    -d aaa1.com.br \
    -d aaa2.com.br \
    -d aaa3.com.br

Comments


This worked for me:

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d domain.com -d www.domain.com

Comments
