July 31, 2018
by puhfu
So I needed to add a subdomain to an existing Let’s Encrypt certificate, and finding instructions for that was far harder than actually doing it.
Sources:
Certbot User Guide
How can I add more subdomains to my SSL Certificate?
I tried this:
$ cd /etc
$ sudo ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: sub2.domain.com
3: sub1.domain.com
4: domain2.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub2.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sub2.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sub2.domain.com/.well-known/acme-challenge/
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
Which sent me down a rabbit hole learning about ACME challenges (for http-01, Let’s Encrypt fetches http://NAME/.well-known/acme-challenge/TOKEN over plain HTTP on port 80 for every name on the cert, and a 404 there fails that name). At the end of it I had created a new, separate cert for sub2.domain.com
rather than adding it to the original cert, which was the goal.
$ sudo ./certbot-auto certonly --webroot -w /var/www/html/sub2 -d sub2.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub2.domain.com
Using the webroot path /var/www/html/sub2 for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sub2.domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sub2.domain.com/privkey.pem
Your cert will expire on 2018-10-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
Finally, I stumbled on a Let’s Encrypt community forum page that let me put it together. (Note that the separate sub2.domain.com cert from the previous step is its own lineage under /etc/letsencrypt/live/ and "certbot-auto renew" will keep renewing it; if nothing serves it, remove it with "certbot-auto delete --cert-name sub2.domain.com".)
$ sudo ./certbot-auto certonly --webroot -w /var/www/html --cert-name domain.com -d domain.com -d sub1.domain.com -d domain2.org -d sub2.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate domain.com to include new domain(s):
+ sub2.domain.com
You are also removing previously included domain(s):
(None)
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for domain2.org
http-01 challenge for sub2.domain.com
http-01 challenge for sub1.domain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2018-10-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
The money command:
$ sudo ./certbot-auto certonly --webroot -w /var/www/html --cert-name domain.com -d domain.com -d sub1.domain.com -d domain2.org -d sub2.domain.com
Breaking it down:
certonly: obtains (or, with --cert-name, updates) the certificate only. Nothing is installed into the Apache config (the output says Installer None), so the new fullchain.pem and privkey.pem under /etc/letsencrypt/live/domain.com/ are only served after the web server reloads them.
--webroot: uses the webroot authenticator for the http-01 challenge. certbot writes the challenge file under WEBROOT/.well-known/acme-challenge/ and Let’s Encrypt fetches it over HTTP on port 80, so every name listed must resolve to this host and be served from that directory.
-w (the same as --webroot-path): the top-level directory from which the web server serves files. Each -w applies to the -d flags that follow it, so if a name is served from a different document root (the earlier attempt used /var/www/html/sub2 for sub2.domain.com), give it its own -w before its -d instead of one -w for everything.
--cert-name: the name of the existing certificate lineage to update, i.e. the directory name under /etc/letsencrypt/live/ (for a single cert covering several domains, the primary domain). This is what makes certbot show the "updating certificate ... to include new domain(s)" diff instead of creating a second certificate.
-d: every name the updated cert should cover. Names that were on the old cert but are left out here are removed (certbot lists them under "removing previously included domain(s)"), so repeat the existing names, not just the new one.
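Retyping every -d by hand is how a name gets dropped. The script below is an added example, not code from the original post or from certbot: it builds the same certonly command from the lineage's renewal config and lists any names a proposed -d set would drop. It assumes the config lives at /etc/letsencrypt/renewal/<cert-name>.conf with a [[webroot_map]] section, which is where certbot records each name's webroot when the webroot authenticator was used; the config embedded here is a constructed sample, not copied from a real host, and it goes beyond the post's case by putting domain2.org on its own document root to show the -w ordering rule.

```shell
#!/bin/sh
# Added example (not from the original post, not certbot's own code).
# Assumption: the lineage's renewal config is
#   /etc/letsencrypt/renewal/<cert-name>.conf
# and carries a [[webroot_map]] section mapping each name to its webroot.
# The file written below is a constructed sample for offline use; on a
# real host point the functions at the actual renewal config instead.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/domain.com
cert = /etc/letsencrypt/live/domain.com/cert.pem
privkey = /etc/letsencrypt/live/domain.com/privkey.pem
chain = /etc/letsencrypt/live/domain.com/chain.pem
fullchain = /etc/letsencrypt/live/domain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
domain.com = /var/www/html
sub1.domain.com = /var/www/html
domain2.org = /var/www/html/domain2
EOF

# Print "<name> <webroot>" for every entry of the [[webroot_map]] section.
webroot_map() {
  awk '
    /^\[\[webroot_map\]\]/ { in_map = 1; next }
    /^\[/                  { in_map = 0 }
    in_map && /=/          { sub(/[ \t]*=[ \t]*/, " "); print }
  ' "$1"
}

# Names recorded in the config that are NOT among the arguments. These are
# exactly the names certbot would report as "removing previously included
# domain(s)"; run this before the interactive prompt, not after.
dropped_names() {
  conf=$1; shift
  keep=" $* "
  webroot_map "$conf" | while read -r name _; do
    case "$keep" in
      *" $name "*) ;;
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# Emit the certonly command: existing names keep their recorded webroot, the
# new names get $3, and every -w precedes the -d flags it applies to (certbot
# assigns each -d the most recent -w). Existing entries win on duplicates.
build_cmd() {
  conf=$1; cert_name=$2; new_webroot=$3; shift 3
  {
    webroot_map "$conf"
    for n in "$@"; do printf '%s %s\n' "$n" "$new_webroot"; done
  } | awk '!seen[$1]++' | LC_ALL=C sort -k2,2 -k1,1 | awk -v cn="$cert_name" '
    BEGIN     { cmd = "certbot certonly --webroot --cert-name " cn }
    $2 != cur { cur = $2; cmd = cmd " -w " cur }
              { cmd = cmd " -d " $1 }
    END       { print cmd }'
}

# Usage: add sub2.domain.com (served from /var/www/html) to the domain.com
# lineage, then show what a hand-typed list missing domain2.org would drop.
build_cmd "$SAMPLE_CONF" domain.com /var/www/html sub2.domain.com
dropped_names "$SAMPLE_CONF" domain.com sub1.domain.com sub2.domain.com
```

The script only prints the command; review it, then run it with sudo and with whichever certbot binary the host actually has (the post used ./certbot-auto). Because it reads the names back from certbot's own record of the lineage, the "removing previously included domain(s)" list at the prompt should always be "(None)".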
Then I added a renewal job to root's crontab:
$ sudo crontab -e
and added this line:
30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
Two things to check here. First, the job must call the same certbot that created the lineage: the commands above ran ./certbot-auto from /etc, while this line calls /usr/bin/certbot, so confirm that path exists on the box. Second, "renew" reuses the domain list and webroot recorded in /etc/letsencrypt/renewal/domain.com.conf, so all four names renew together, but because certonly never touched the Apache config a renewed certificate is not served until the web server reloads it; add --deploy-hook with your web server's reload command to the renew line, or reload after the job runs. Running it daily is fine, since certbot only renews certificates that are within 30 days of expiry.