[enhancement] Add a subdomain to an existing certificate #2230

Closed
mlumbroso opened this Issue Jan 19, 2016 · 17 comments

mlumbroso commented Jan 19, 2016

Hi,

First, thanks for this awesome tool that helps the web move in the right direction.

Like many other users, I am stuck because of the certificate rate limit. On my website example.com users can generate their own platform myplatform.example.com.

To activate HTTPS on the fly, I have to create a new certificate, which makes me reach the limit in no time.

I'm using this command:
./letsencrypt-auto certonly --agree-tos --email 'xxx@example.com' --webroot --webroot-path "/data/www-env/myplatform/public/" -d "myplatform.example.com" --debug

If I could add the subdomain to an existing certificate, it would clearly be a better option than this.
Is there any possibility of having this feature implemented? (Or a premium option for unlimited certificate issuance would also be a good solution.)

Thanks for your amazing work,
Michael

pfigel (Contributor) commented Jan 20, 2016

It's not possible to retroactively add new subdomains to an existing certificate. Domains are part of the certificate and Let's Encrypt has to sign the entire certificate (otherwise anyone could just add any domain). You will have to request a new one.

Note that you can pass multiple -d arguments to the client, e.g.:
-d example.com -d www.example.com -d example.net

This would create a SAN certificate covering all three domains. SAN certificates increase the rate limit for each domain only by one, even if multiple subdomains are included. If you can somehow create your certificates in batches, this would be an option to work around the rate limits.

There's also a rate limit override request form being worked on, but no ETA on that yet.

The Community forum is generally a better place for questions like this.

mlumbroso (Author) commented Jan 20, 2016

Thanks for your answer, I know I can add multiple arguments, but if I have to regenerate a new certificate each time a platform is created with its subdomain, I will reach the limit after 5 platforms, so it's unusable...

Hopefully the rate limit will be gone soon.

Thanks

rongarret commented Feb 21, 2016

Until you get the rate limit issue worked out, the client really ought to issue a BIG RED WARNING about it every time a new certificate is issued (and maybe even prompt "Are you sure you want to use up part of your quota? Maybe you should be using our staging server." unless --override-rate-limit-warning is specified or something like that) It's just way too easy right now to learn about the rate limit the hard way.

vedranmiletic commented May 22, 2016

> It's not possible to retroactively add new subdomains to an existing certificate. Domains are part of the certificate and Let's Encrypt has to sign the entire certificate (otherwise anyone could just add any domain). You will have to request a new one.

But could you also re-validate newly added (sub)domains when they are added?

pfigel (Contributor) commented May 22, 2016

> But could you also re-validate newly added (sub)domains when they are added?

OP's question was whether it's possible to add them after the fact without running into rate limits. Since adding a domain is the same operation as issuing a new certificate, the rate limits apply all the same. Expanding an existing certificate lineage is indeed possible with --expand, but that's still a new issuance event.

strugee (Contributor) commented May 31, 2016

@mlumbroso are you expecting essentially unlimited subdomains? E.g. hundreds or thousands of users, each of which will have their own subdomain?

In this case, Let's Encrypt cannot help you. The solution is to acquire a wildcard cert.

bmw (Contributor) commented Jun 2, 2016

I believe this question has been answered. It is not possible to add domains to a certificate after it has been issued by Let's Encrypt.

Since this issue seems resolved, I'm closing it. Post a comment yelling at me if you disagree and I'll consider reopening.

bmw closed this Jun 2, 2016

ppKrauss commented Dec 21, 2016

@bmw, is there a simple way (a single command) to expand an existing certificate with certbot?

ppKrauss commented Dec 21, 2016

Somebody said that it is impossible to add a new certificate and that it must be redone... Is it? If so, I need to do it without impact on the other 20 domains in use...

bmw (Contributor) commented Dec 21, 2016

certbot -d <domains> --expand

where <domains> is a comma delimited list of all domains you want in the certificate such as:

certbot -d example.org,www.example.org,another.example.org --expand

If you are not using the Apache or Nginx plugins, you should also include certonly on the command line.

ppKrauss commented Dec 21, 2016

Hi @bmw, thanks! I will test.
Hmm... @insightfuls commented that "--expand is a certbot option that we haven't implemented/don't support"... Does that make sense to you?

newx commented May 3, 2017

Make sure you pass the --cert-name mycertname option.

certbot-auto certonly --cert-name mydomain.com.br --renew-by-default -a webroot -n --expand --webroot-path=/usr/share/nginx/html \
-d mydomain.com.br \
-d www.mydomain.com.br \
-d aaa1.com.br \
-d aaa2.com.br \
-d aaa3.com.br

To see which is your cert name use the following command:
certbot-auto certificates
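The recipe in the two comments above (run certonly with --expand and --cert-name, passing the complete list of names) is easy to get wrong when the new subdomain comes from user input, which is exactly the original poster's situation. What follows is an added example, not certbot's own code: it parses the plain-text report printed by `certbot certificates` (the sample report below is constructed, not a real installation), checks whether the lineage already covers the requested names so that no issuance is spent against the rate limit, rejects anything that is not a plain DNS hostname before it can reach a shell command line, and otherwise builds the command with every existing name plus the new ones, because with --cert-name the -d list defines the lineage's complete name set. The 100-names-per-certificate cap is Let's Encrypt's documented limit rather than something stated in this thread; the webroot path and the function names are assumptions.

```python
"""Plan a certbot --expand run from the report printed by `certbot certificates`.

Added example; not certbot's own code. Assumes the report layout shown in
SAMPLE_REPORT, which is a constructed sample rather than real lineages.
"""
import re
import shlex

# Let's Encrypt's per-certificate cap on subject alternative names.
MAX_NAMES_PER_CERT = 100

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample of `certbot certificates` output.
SAMPLE_REPORT = """\
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com alpha.example.com
    Expiry Date: 2017-08-01 12:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: example.net
    Domains: example.net
    Expiry Date: 2017-08-01 12:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.net/privkey.pem
"""


def parse_lineages(report):
    """Map each certificate name in the report to the list of domains it covers."""
    lineages = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = []
        elif line.startswith("Domains:") and current is not None:
            lineages[current] = line.split(":", 1)[1].split()
    return lineages


def normalize_hostname(name):
    """Lower-case a hostname and reject anything that is not a plain DNS name.

    User-chosen subdomain labels must never reach the certbot command line
    unchecked; a wildcard or a shell metacharacter fails the label check.
    """
    host = name.strip().lower().rstrip(".")
    labels = host.split(".")
    if not host or len(host) > 253 or len(labels) < 2:
        raise ValueError("not a usable hostname: %r" % name)
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError("invalid DNS label %r in %r" % (label, name))
    return host


def plan_expand(lineages, cert_name, new_domains, webroot):
    """Return (needs_issuance, command) for adding new_domains to cert_name.

    The command repeats every name already in the lineage before the new
    ones: with --cert-name, the -d list is the lineage's complete name set,
    so leaving an existing name out would drop it from the certificate.
    """
    if cert_name not in lineages:
        raise ValueError("no lineage named %r; run `certbot certificates`" % cert_name)
    existing = list(lineages[cert_name])
    wanted = list(existing)
    for name in new_domains:
        host = normalize_hostname(name)
        if host not in wanted:
            wanted.append(host)
    if wanted == existing:
        # Already covered: do not spend an issuance against the rate limit.
        return False, ""
    if len(wanted) > MAX_NAMES_PER_CERT:
        raise ValueError("%d names exceed the %d-name cap; split into batches"
                         % (len(wanted), MAX_NAMES_PER_CERT))
    argv = ["certbot", "certonly", "--non-interactive", "--expand",
            "--cert-name", cert_name, "--webroot", "--webroot-path", webroot]
    for host in wanted:
        argv += ["-d", host]
    return True, " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    lineages = parse_lineages(SAMPLE_REPORT)
    print(plan_expand(lineages, "example.com", ["beta.example.com"], "/var/www"))
```

Feed it the real output of `certbot certificates` instead of the sample, and run the returned command only when `needs_issuance` is true; every such run is a new issuance and counts against the rate limit, which is why the function returns no command when the names are already covered.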

bytexro commented May 5, 2017

This would be useful for subdomains.

strugee (Contributor) commented May 6, 2017

@bytexro did you read this thread? Does --expand not do what you want?

bytexro commented May 7, 2017

@strugee I personally have not tested it, but the comment from @ppKrauss says it's not yet implemented, and I also didn't see any PRs in this issue.
Is that already in master and tagged in one of the certbot versions?

vedranmiletic commented May 7, 2017

@bytexro --expand has been there for a while.

ccurtin commented Dec 28, 2018

Just a note about how nginx handled the server config when I did this: it added it directly to the config file /etc/nginx/sites-enabled/default, so be aware of that if using nginx; the default will override any includes.
