So I needed to add a subdomain to an existing Let’s Encrypt certificate and you know, finding instructions was far harder than it was to actually do it.
Sources:
Certbot User Guide
How can I add more subdomains to my SSL Certificate?
I tried this:
$ cd /etc
$ sudo ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: sub2.domain.com
3: sub1.domain.com
4: domain2.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub2.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sub2.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sub2.domain.com/.well-known/acme-challenge/"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p"
That 404 on the challenge URL sent me down a rabbit hole learning about ACME challenges. Along the way I created a new, separate cert for sub2.domain.com, but that did not add it to the original cert, which was the goal.
$ sudo ./certbot-auto certonly --webroot -w /var/www/html/sub2 -d sub2.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub2.domain.com
Using the webroot path /var/www/html/sub2 for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub2.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub2.domain.com/privkey.pem
   Your cert will expire on 2018-10-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
Finally, I stumbled on a Let’s Encrypt community forum page that let me put it together.
$ sudo ./certbot-auto certonly --webroot -w /var/www/html --cert-name domain.com -d domain.com -d sub1.domain.com -d domain2.org -d sub2.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate fuweb.com to include new domain(s):
+ sub2.domain.com

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for domain2.org
http-01 challenge for sub2.domain.com
http-01 challenge for sub1.domain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2018-10-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
The money command:
$ sudo ./certbot-auto certonly --webroot -w /var/www/html --cert-name domain.com -d domain.com -d sub1.domain.com -d domain2.org -d sub2.domain.com
Breaking it down:

certonly - obtains the certificate only; no installer runs, so the web server configuration is not touched (that is the "Installer None" in the output above)
--webroot - uses the webroot plugin for http-01 authentication, which answers the challenge by placing a token file under /.well-known/acme-challenge/ in the served directory
-w (the same as --webroot-path) - specifies the top-level directory containing the files served by the web server; it must be the directory that actually answers plain HTTP requests for every name listed, or the challenge comes back 404 as in the first attempt
--cert-name - the name of the existing certificate to update, which is the directory name under /etc/letsencrypt/live/ (for a single cert covering multiple domains, use the primary domain)
-d - specifies each of the domains to be included in the --cert-name cert; every name the cert should still cover has to be repeated, because certbot treats a name left out as a removal (the "removing previously included domain(s)" prompt)
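After the update it is worth checking that the certificate certbot wrote actually covers every name passed with -d, rather than trusting the prompt. The following is an added example, not code from the original post or from the certbot project: it reads the subjectAltName extension of a PEM certificate with openssl and reports any expected hostname that is missing. It assumes openssl 1.1.1 or newer is on PATH (the -addext option used by the throwaway test-cert helper needs that), and the certificate path and hostnames shown are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a certbot
# certificate covers every hostname it was supposed to, by inspecting
# the subjectAltName extension. Assumes openssl >= 1.1.1 on PATH.

# Print the DNS names in a certificate's subjectAltName, one per line,
# in byte order. With a fullchain.pem, openssl x509 reads only the first
# certificate in the file, which is the leaf - exactly the one we want.
cert_sans() {
    pem="$1"
    openssl x509 -in "$pem" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p' \
        | LC_ALL=C sort
}

# Print every expected name the certificate does NOT cover.
# Exit status 0 when all names are present, 1 when any are missing.
cert_missing_names() {
    pem="$1"; shift
    present="$(cert_sans "$pem")"
    missing=0
    for name in "$@"; do
        # -x: whole-line match, -F: literal (dots are not regex wildcards)
        if ! printf '%s\n' "$present" | grep -qxF "$name"; then
            echo "$name"
            missing=1
        fi
    done
    return "$missing"
}

# Build a throwaway self-signed cert with the given SANs so the checks can
# be exercised offline. This is constructed test data, not a Let's Encrypt
# certificate; the first name becomes the CN, all names become SANs.
make_test_cert() {
    out="$1"; shift
    sans=""
    for name in "$@"; do
        sans="${sans}${sans:+,}DNS:${name}"
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${out%.pem}.key" -out "$out" \
        -subj "/CN=$1" -addext "subjectAltName=${sans}" >/dev/null 2>&1
}

# Against the real deployment from the post (paths and names as given there):
#   cert_missing_names /etc/letsencrypt/live/domain.com/fullchain.pem \
#       domain.com sub1.domain.com domain2.org sub2.domain.com \
#       && echo "all names covered"
```

Run the cert_missing_names line against /etc/letsencrypt/live/domain.com/fullchain.pem after the update; a non-zero exit with sub2.domain.com printed means the new name did not make it into the lineage and the cert that was issued is still the separate one from the earlier attempt. Two things to keep in mind when wiring this into the renewal: the walkthrough above invokes /etc/certbot-auto, while the crontab line below calls /usr/bin/certbot, so the cron path has to match whichever binary is actually installed; and because the certificates were obtained with certonly, a renewal writes new files but does not reload Apache, so the renew command needs a --deploy-hook (a standard certbot option) that reloads the web server, or the old certificate keeps being served until the next restart.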
And I added a renewal job to the crontab:
$ sudo crontab -e
Then add:
30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log