X Marks the Spot

random commentary on life, the universe, and anything

Adding a subdomain to a LetsEncrypt certificate


So I needed to add a subdomain to an existing Let’s Encrypt certificate and, you know, finding instructions was far harder than actually doing it.

Sources:
Certbot User Guide
How can I add more subdomains to my SSL Certificate?

I tried this:

$ cd /etc
$ sudo ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: sub2.domain.com
3: sub1.domain.com
4: domain2.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub2.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sub2.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sub2.domain.com/.well-known/acme-challenge/ 
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"


That error is the ACME server's verdict: it requested the challenge file under http://sub2.domain.com/.well-known/acme-challenge/ and the web server answered 404, so the token certbot had placed was not being served by whatever vhost answers for sub2.domain.com. It sent me down a rabbit hole learning about ACME challenges, at the end of which I had created a new, separate certificate for sub2.domain.com with the webroot plugin, which did not add it to the original cert, which was the goal:

$ sudo ./certbot-auto certonly --webroot -w /var/www/html/sub2 -d sub2.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub2.domain.com
Using the webroot path /var/www/html/sub2 for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub2.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub2.domain.com/privkey.pem
   Your cert will expire on 2018-10-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"


Finally, I stumbled on a Let’s Encrypt community forum page that let me put it together. The trick is to run certonly against the existing certificate lineage with --cert-name and to list every name that should end up on it, old and new:

$ sudo ./certbot-auto certonly --webroot -w /var/www/html --cert-name domain.com -d domain.com -d sub1.domain.com -d domain2.org -d sub2.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate domain.com to include new domain(s):
+ sub2.domain.com

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for domain2.org
http-01 challenge for sub2.domain.com
http-01 challenge for sub1.domain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2018-10-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

The money command:

$ sudo ./certbot-auto certonly --webroot -w /var/www/html --cert-name domain.com -d domain.com -d sub1.domain.com -d domain2.org -d sub2.domain.com


Breaking it down:
certonly obtains (or renews) the certificate and stops there; it does not touch the Apache configuration ("Installer None" above), so the web server keeps reading the same /etc/letsencrypt/live/domain.com/ paths and only needs a reload to pick up the new files
--webroot uses the webroot plugin for the http-01 challenge: certbot writes a token file under <webroot>/.well-known/acme-challenge/ and the CA fetches it over plain HTTP on port 80, so that path has to be served for every name listed
-w (the same as --webroot-path) is the top-level directory the web server serves for the -d names that follow it; a single -w applies to every -d after it (hence "for all unmatched domains" above), and several -w/-d groups can be given when names are served from different directories
--cert-name is the certificate lineage to update, i.e. the directory name under /etc/letsencrypt/live/ (here domain.com, matching the existing cert), not necessarily a name on the cert
-d lists every name to put on that cert, and the full list must be repeated each time: a name already on the existing cert that is left out gets dropped, which is what the "removing previously included domain(s)" prompt is warning about

One leftover from the detour: the separate sub2.domain.com cert is now an unused lineage under /etc/letsencrypt/live/ that certbot renew will keep renewing; certbot delete --cert-name sub2.domain.com gets rid of it.
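The 404 in the first attempt is the http-01 failure mode this command depends on not happening: the CA must be able to fetch a file that certbot drops under the webroot, over plain HTTP, for every name listed. The preflight script below is an added example, not code from this post or from certbot; for each name it places a random token under <webroot>/.well-known/acme-challenge/, fetches it the way the CA would, compares, and cleans up. The domain-to-webroot mapping in the main block mirrors the final command above (all four names from /var/www/html) and is the only thing to edit; the fetch function is injectable so the check can be exercised against a fake web server without network access.

```python
"""Preflight for certbot's http-01 webroot challenge (added example, not
from the post or from certbot). For each domain it drops a random token
into <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP the
way the ACME server does, and reports whether the two match. A 404 here
reproduces the post's first failure before certbot is even run."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_SUBDIR = (".well-known", "acme-challenge")


def http_fetch(url, timeout=10):
    """Fetch a URL and return the body as text, or None on any HTTP/network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        # HTTPError (e.g. the 404 from the post) is a subclass of URLError
        return None


def check_http01(domain, webroot, fetch=http_fetch):
    """Return True when http://<domain>/.well-known/acme-challenge/<token>
    serves a token file written under <webroot>, False otherwise.

    `fetch(url) -> str | None` is injectable so the check can be run
    against a fake web server; the token file is removed either way."""
    challenge_dir = os.path.join(webroot, *CHALLENGE_SUBDIR)
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)            # URL- and filename-safe
    token_path = os.path.join(challenge_dir, token)
    url = "http://%s/%s/%s" % (domain, "/".join(CHALLENGE_SUBDIR), token)
    try:
        with open(token_path, "w") as fh:
            fh.write(token)
        body = fetch(url)
        return body is not None and body.strip() == token
    finally:
        try:
            os.remove(token_path)
        except FileNotFoundError:
            pass


def preflight(webroot_map, fetch=http_fetch):
    """Check every domain -> webroot pair; return {domain: True/False}."""
    return {d: check_http01(d, w, fetch) for d, w in webroot_map.items()}


if __name__ == "__main__":
    # Same names and webroot as the post's final certonly command.
    results = preflight({
        "domain.com": "/var/www/html",
        "sub1.domain.com": "/var/www/html",
        "domain2.org": "/var/www/html",
        "sub2.domain.com": "/var/www/html",
    })
    for domain, ok in sorted(results.items()):
        print("%-20s %s" % (domain, "OK" if ok else "FAIL: token not served"))
    raise SystemExit(0 if all(results.values()) else 1)
```

Run it as root on the host that serves the names (it has to write under the webroot), and run it before certonly: a FAIL for a name means certbot would hit exactly the 404 above, usually because that name is answered by a different vhost or DocumentRoot than the -w you are about to pass.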

And I added a renewal job to root's crontab:

$ sudo crontab -e


Then add:

30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

That renews every lineage under /etc/letsencrypt/renewal/ that is within 30 days of expiry, reusing the webroot paths recorded in each lineage's renewal config, so the -w/-d list does not have to be repeated. Two things to check: the job must point at the certbot that is actually installed (the commands above ran /etc/certbot-auto, so use that path if there is no /usr/bin/certbot), and because certonly installs nothing, Apache keeps serving the old certificate after a renewal until it is reloaded; adding --deploy-hook "systemctl reload apache2" (or whatever reloads the web server on your system) to the renew command takes care of that on every successful renewal. Appending 2>&1 to the redirect keeps the errors in the log as well.
