Certbot: Adding a new domain

Categories:  tech

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

execve.net uses Let’s Encrypt certificates and these are checked for renewal automatically once every week.

If you do not use a wildcard certificate, you will occasionally want to add a new domain to your Let's Encrypt certificate.

Adding a new domain to a certificate is straightforward and the Let's Encrypt clients do most of the heavy lifting. The test below was done on FreeBSD using certbot. We use the existing webserver configuration (webroot authentication) rather than certbot's standalone webserver mode. This requires that the webserver already serves the new domain, including the /.well-known/acme-challenge/ path over plain HTTP, and that DNS for the new name points at this host: Let's Encrypt validates every name on the list, so if the new one is not reachable the whole expansion fails and the existing certificate stays as it was.

Check your existing certificates

This step is needed because the domain list you pass to certbot is the complete list for the certificate: every existing name has to be repeated alongside the new one. A list that leaves a name out is not an expansion of this certificate and will not cover that name.

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
   Certificate Name: execve.net
     Serial Number: 3f172e2121283483d12c172607bf892154bb
     Key Type: RSA
     Domains: execve.net www.execve.net
     Expiry Date: 2021-09-30 15:20:41+00:00 (VALID: 58 days)
     Certificate Path: /usr/local/etc/letsencrypt/live/execve.net/fullchain.pem
     Private Key Path: /usr/local/etc/letsencrypt/live/execve.net/privkey.pem
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Now add the new domain appl.execve.net. All the domains need to be listed, and the first domain should be the primary domain the certificate has been issued to (the one the lineage is named after, execve.net above).

# certbot certonly --dry-run --expand -d execve.net,www.execve.net,appl.execve.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Simulating renewal of an existing certificate for execve.net and 2 more domains
Input the webroot for execve.net: (Enter 'c' to cancel):

Certbot then asks for the webroot of each domain in turn (offering the path already entered for reuse), writes the HTTP-01 challenge file under .well-known/acme-challenge/ in that directory and has Let's Encrypt fetch it for every name. In a real (non --dry-run) run the files under /usr/local/etc/letsencrypt/live/execve.net/ are then replaced by a certificate that also covers appl.execve.net. Reload the webserver afterwards so it picks up the new certificate; certonly does not do that for you.

Note: the transcript above shows "Simulating renewal", which certbot prints only with the --dry-run option. A dry run performs the whole authentication against Let's Encrypt's staging environment without touching the certificate under /usr/local/etc/letsencrypt/live/, so do it first: it confirms that the webserver serves the challenge for the new domain as you expect, and failed attempts do not count against the production rate limits. Then repeat the command without --dry-run to issue the real certificate.
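The same expansion done from a script instead of answering certbot's webroot prompts, as an added example that is not code from the original post. It parses the "Domains:" line of `certbot certificates` for one lineage, appends the new name, prints the non-interactive certonly command, and includes a pre-flight check of the challenge path. The `certbot certificates` sample is constructed (the execve.net entry mirrors the output above; a second lineage other.example is added to show that only the requested lineage is picked), and the webroot /usr/local/www/execve.net is an assumed path.

```sh
#!/bin/sh
# Added example, not code from the original post: expand a certbot
# certificate non-interactively. The webroot /usr/local/www/execve.net
# and the second lineage other.example are assumptions for illustration.

# Constructed sample of `certbot certificates` output.
SAMPLE_CERTS='Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: execve.net
    Serial Number: 3f172e2121283483d12c172607bf892154bb
    Key Type: RSA
    Domains: execve.net www.execve.net
    Expiry Date: 2021-09-30 15:20:41+00:00 (VALID: 58 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/execve.net/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/execve.net/privkey.pem
  Certificate Name: other.example
    Serial Number: 00
    Key Type: ECDSA
    Domains: other.example
    Expiry Date: 2021-10-01 00:00:00+00:00 (VALID: 59 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/other.example/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/other.example/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -'

# current_domains LINEAGE  <certbot-certificates-output
# Prints the space-separated "Domains:" list of one lineage, in certbot's
# order (the first name is the primary one).
current_domains() {
    awk -v name="$1" '
        /^ *Certificate Name:/ { cur = $3 }
        /^ *Domains:/ && cur == name { sub(/^ *Domains: */, ""); print; exit }
    '
}

# expanded_domains LINEAGE NEWDOMAIN  <certbot-certificates-output
# Existing names first, then the new one (skipped if already covered),
# comma-joined the way -d expects. Fails if the lineage does not exist, so
# a typo in the lineage name cannot silently turn into a new certificate.
expanded_domains() {
    lineage=$1; new=$2
    existing=$(current_domains "$lineage")
    if [ -z "$existing" ]; then
        echo "no certificate lineage named '$lineage'" >&2
        return 1
    fi
    case " $existing " in
        *" $new "*) list=$existing ;;          # already covered, nothing to add
        *)          list="$existing $new" ;;
    esac
    printf '%s\n' "$list" | tr ' ' ','
}

# expand_command LINEAGE WEBROOT DOMAINS [dry]
# --cert-name pins the lineage being updated, --expand accepts the superset,
# -w applies to every -d that follows it, and --non-interactive makes certbot
# fail instead of prompting. Pass a fourth argument to add --dry-run.
expand_command() {
    lineage=$1; webroot=$2; domains=$3; dryrun=${4:-}
    printf 'certbot certonly --non-interactive --expand --cert-name %s --webroot -w %s -d %s%s\n' \
        "$lineage" "$webroot" "$domains" "${dryrun:+ --dry-run}"
}

# check_webroot WEBROOT DOMAIN...
# Pre-flight for HTTP-01: drop a random token under the challenge path and
# fetch it over plain HTTP from every name, which is what the CA will do.
# Needs DNS and the running webserver, so it is not invoked below.
check_webroot() {
    webroot=$1; shift
    dir="$webroot/.well-known/acme-challenge"
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
    rc=0
    for d in "$@"; do
        if [ "$(curl -fsS --max-time 10 "http://$d/.well-known/acme-challenge/$token")" = "$token" ]; then
            echo "ok   $d"
        else
            echo "FAIL $d is not serving $dir" >&2
            rc=1
        fi
    done
    rm -f "$dir/$token"
    return $rc
}

# Offline part of the run, against the constructed sample. On the server,
# replace the printf with:  certbot certificates | expanded_domains execve.net appl.execve.net
DOMAINS=$(printf '%s\n' "$SAMPLE_CERTS" | expanded_domains execve.net appl.execve.net)
echo "domains: $DOMAINS"
expand_command execve.net /usr/local/www/execve.net "$DOMAINS" dry
expand_command execve.net /usr/local/www/execve.net "$DOMAINS"
```

On the server the sequence is: `check_webroot /usr/local/www/execve.net execve.net www.execve.net appl.execve.net`, then the printed command with --dry-run, then the same command without it, followed by a webserver reload. Keeping `--non-interactive` in the command also makes the script safe to run from cron or a deployment job, since certbot exits non-zero instead of waiting at a prompt if something is missing.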


Written on August 8, 2021