Adding a new subdomain to a Let's Encrypt SSL certificate
August 6, 2017 (Last updated: March 18, 2018)
Let’s Encrypt now supports wildcard certificates, and there is an updated post on Atomic Writing called “Using a wildcard domain specification with a Let’s Encrypt SSL certificate” that goes over how to get a Let’s Encrypt wildcard certificate.
In January of 2018, Let’s Encrypt will begin supporting wildcard certificates. Until then, it’s still necessary to update a certificate file in order to add any new subdomains.
This blog post is largely intended as a note to self about how to update my Let’s Encrypt certificate for my personal website. But if you, like me, find yourself in the position of needing to expand your certificate to include another subdomain, hopefully you will find this post helpful.
The first thing you will want to do is get some information about your certificate. You can do this by running the following command:
sudo certbot certificates
This should give you some informative output about the certificates that you’ve installed with certbot. The output should look something like this:
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: example.org
Domains: example.org,git.example.org,shiny.example.org
Expiry Date: 2017-11-14 22:10:00+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.org/privkey.pem
-------------------------------------------------------------------------------
You’ll want to use the certonly subcommand for certbot to modify your certificate. You can specify which certificate with the --cert-name flag. You’ll also need to specify the --webroot-path (or -w, for short), indicating where the files for the website actually live. If this is multiple locations, you can use the -w flag multiple times (see the manual pages for more information).
The next thing you’ll want to do is indicate the domains for the certificate; this includes all of the domains for which the certificate is already valid as well as any new domains that you want to add to the certificate.
For example, say that you wanted to add the subdomain svn.example.org to the example.org certificate above. You can specify all old domains and the new domain using the --domains flag (or -d, for short). You can either specify the domains with the -d flag as a comma-separated list, or you can use multiple -d flags. Finally, since you’re adding a new subdomain, you’ll also want to give the --expand flag to the command.
Thus, putting it all together, you should run the following command to add svn.example.org to your example.org certificate:
sudo certbot certonly --cert-name example.org -w /var/www/example -d example.org,git.example.org,shiny.example.org,svn.example.org --expand
You will be prompted about how you’d like to authenticate:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
For this, I usually choose the second option.
Then, you’ll also be prompted about whether you really meant to add new domains to the certificate:
-------------------------------------------------------------------------------
You are updating certificate example.org to include domains: example.org,
git.example.org, shiny.example.org, svn.example.org
It previously included domains: example.org, git.example.org,
shiny.example.org
Did you intend to make this change?
-------------------------------------------------------------------------------
(U)pdate cert/(C)ancel:
Since this update is intentional, type U and hit ENTER.
Finally, restart your web server. In my case, I use nginx, so restarting it looks like this:
sudo /etc/init.d/nginx restart
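The whole procedure above, written out as a small POSIX shell script. This is an added example, not code from the original post: it takes the Domains: line that certbot certificates prints, appends the new subdomain only if it is not already listed (so re-running it is harmless), builds the certonly --expand command as a string without executing anything, and provides a post-renewal check that the new name really ended up in the issued certificate's Subject Alternative Names. The Domains: line, the certificate name example.org, the webroot /var/www/example and the subdomain svn.example.org are taken from the post; the sample line is constructed here to match that output, and the san_contains helper is an assumption that OpenSSL 1.1.1 or later is installed (the -ext option does not exist in older releases).

```shell
#!/bin/sh
# Added example (not from the original post). Builds the certbot --expand
# command from the existing domain list and checks the result afterwards.

# Constructed sample of the "Domains:" line that `certbot certificates` prints
# for the post's example certificate. Not real program output.
SAMPLE_DOMAINS_LINE="  Domains: example.org,git.example.org,shiny.example.org"

# Pull the comma-separated domain list out of a "Domains:" line.
existing_domains() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domains:[[:space:]]*//p'
}

# Append a domain to a comma-separated list unless it is already present
# (exact match, so example.org does not "contain" svn.example.org).
add_domain() {
    list="$1"
    new="$2"
    case ",$list," in
        *",$new,"*) printf '%s\n' "$list" ;;
        *)          printf '%s,%s\n' "$list" "$new" ;;
    esac
}

# Assemble the certonly command exactly as the post runs it. Only the string is
# produced; nothing is executed, so the result can be reviewed before use.
build_expand_command() {
    cert_name="$1"
    webroot="$2"
    domains="$3"
    printf 'sudo certbot certonly --cert-name %s -w %s -d %s --expand\n' \
        "$cert_name" "$webroot" "$domains"
}

# Post-renewal check: does the issued certificate's SAN list contain the name?
# Assumes OpenSSL >= 1.1.1 (-ext). Returns 0 when present, 1 otherwise.
san_contains() {
    pem="$1"
    name_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep
    openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null \
        | grep -qw "DNS:$name_re"
}

current=$(existing_domains "$SAMPLE_DOMAINS_LINE")
updated=$(add_domain "$current" "svn.example.org")
build_expand_command example.org /var/www/example "$updated"
# After the real certbot run and the nginx restart, verify the result, e.g.:
#   san_contains /etc/letsencrypt/live/example.org/fullchain.pem svn.example.org && echo ok
```

Two things are worth checking before running the printed command. The webroot challenge only succeeds if the new subdomain already resolves in DNS to this server and the web server serves /.well-known/acme-challenge/ for that hostname from the -w directory, so a virtual host for svn.example.org has to exist before the expansion, not after. And because --expand replaces the certificate rather than adding to it, any name left out of the -d list is dropped from the new certificate, which is why the script starts from the full existing list instead of only the new name.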
Feel free to comment with any questions! I’m happy to try to help out as best I can. 🤓 However, like I said, this particular post is largely intended as a note to self, and some aspects of this process are dependent on your particular setup; nonetheless, I’m happy to help if I can!