Let's Encrypt supports SAN (Subject Alternative Name) certificates, which cover multiple domain names or subdomains in a single certificate. With certbot, every name is simply passed with its own -d parameter:
root@linux ~ # certbot -n certonly --expand --webroot -w /var/www/letsencrypt -d www.example.com -d example.com -d beta.example.com -d my.example.com
The certificate can then be listed using certbot certificates:
root@linux ~ # certbot certificates
[...]
Found the following certs:
Certificate Name: www.example.com
Domains: www.example.com beta.example.com my.example.com example.com
Expiry Date: 2022-01-21 16:00:45+00:00 (VALID: 4 days)
Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
[...]
Note: the certificate name (the identifier certbot uses for this certificate) is usually the first domain in the list.
The automatic renewal process (certbot renew) validates all domains contained in that certificate. If the authorization for just one of the listed domains fails, the renewal of the whole certificate fails:
2022-01-17 07:21:30,723:WARNING:certbot.renewal:Attempting to renew cert (www.example.com) from /etc/letsencrypt/renewal/www.example.com.conf produced an unexpected error: Failed authorization procedure. beta.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://beta.example.com/.well-known/acme-challenge/U4ixi_WUxNDKSDdYxhwvsAe-gt92PFhy493SCmJFGHg [xxx.xxx.xxx.xxx]: "\n\n\n<!DOCTYPE html>\n<html>\n <head>\n <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\">\n <meta http-equi". Skipping.
In this particular situation, the beta.example.com subdomain had a DNS change and now points to a different IP address. The http-01 challenge request therefore reached another web server, which answered with its own HTML page instead of the challenge token (visible in the "Invalid response" part of the warning). The Let's Encrypt ACME validation failed for that name, and certbot skipped the renewal of the whole certificate.
To remove a domain or subdomain from the certificate, run certbot certonly with the --cert-name parameter set to the certificate name identifier and list only the remaining domains with -d:
root@linux ~ # certbot -n certonly --cert-name www.example.com --expand --webroot -w /var/www/letsencrypt -d www.example.com -d my.example.com -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.example.com/privkey.pem
Your cert will expire on 2022-04-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Because beta.example.com is no longer listed with a -d parameter, certbot re-issues the certificate for the given names only, which effectively removes the beta subdomain from it. This can be verified with certbot certificates again:
root@linux ~ # certbot certificates --cert-name www.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following matching certs:
Certificate Name: www.example.com
Domains: www.example.com my.example.com example.com
Expiry Date: 2022-04-17 09:33:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
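As an added example (not code from the original post), a small Python helper that parses the certbot certificates listing shown above and the renewal warning from the certbot log, picks out the domain that failed authorization, and assembles the certbot certonly --cert-name command used above with that domain left out. The sample listing and log line are constructed from the shapes shown on this page, and the webroot path /var/www/letsencrypt is assumed as in the post.

```python
import re
import shlex

# Constructed sample of `certbot certificates` output, same layout as in the post.
SAMPLE_CERTS = """\
  Certificate Name: www.example.com
    Domains: www.example.com beta.example.com my.example.com example.com
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
"""

# Constructed, shortened sample of the renewal warning from the certbot log.
SAMPLE_LOG = (
    "2022-01-17 07:21:30,723:WARNING:certbot.renewal:Attempting to renew cert "
    "(www.example.com) from /etc/letsencrypt/renewal/www.example.com.conf produced "
    "an unexpected error: Failed authorization procedure. beta.example.com (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: Invalid response [...]. Skipping."
)

def parse_certificates(text):
    """Return {certificate name: [domains]} from `certbot certificates` output."""
    certs, name = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            name = value
        elif key == "Domains" and name:
            certs[name] = value.split()
    return certs

# Matches "renew cert (<name>) ... Failed authorization procedure. <domain> (<challenge>)".
FAILED_RE = re.compile(r"renew cert \((?P<cert>[^)]+)\).*?Failed authorization procedure\. "
                       r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\)")

def find_failed_authorization(log_line):
    """Return (certificate name, failing domain, challenge type), or None if no match."""
    m = FAILED_RE.search(log_line)
    return (m["cert"], m["domain"], m["challenge"]) if m else None

def build_drop_command(certs, cert_name, drop_domain, webroot="/var/www/letsencrypt"):
    """Build the certbot call that re-issues cert_name with drop_domain left out."""
    domains = certs[cert_name]
    if drop_domain not in domains:
        raise ValueError(f"{drop_domain} is not part of certificate {cert_name}")
    remaining = [d for d in domains if d != drop_domain]  # keep the original order
    if not remaining:
        raise ValueError("refusing to remove the only domain of the certificate")
    args = ["certbot", "-n", "certonly", "--cert-name", cert_name, "--expand",
            "--webroot", "-w", webroot]
    args += [a for d in remaining for a in ("-d", d)]
    return shlex.join(args)
```

The resulting command for the constructed sample is the same one shown above for removing beta.example.com; the returned string is meant to be reviewed before it is run, not executed automatically.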