
--expand not properly documented. #3664

Closed
SamMousa opened this issue Oct 20, 2016 · 14 comments
Comments

@SamMousa SamMousa commented Oct 20, 2016

From the docs:

  --expand              If an existing cert covers some subset of the
                        requested names, always expand and replace it with the
                        additional names. (default: False)

Existing certificate has: example.com and www.example.com.
Works:
letsencrypt-auto --expand --force-renewal certonly -d example.com -d test.example.com -d www.example.com

Doesn't work:
letsencrypt-auto --expand certonly -d example.com -d test.example.com

Note that there are 2 differences between these commands:

  1. --force-renewal, I replicated what I used to get it to work; but this is a prod server so I'm hesitant to retry and risk getting rate limited.
  2. We are not listing all existing domains on the existing certificate.

The issue is that 2 should not be a problem according to docs. Even more so, expanding should always expand if any certificate exists. "If an existing certificate covers some subset of the requested names...", the empty subset is always covered and requested. Also what if an existing certificate covers a superset of the requested names ("covers" to me suggests that would be fine)? It should then expand and add the newly requested domains.

In conclusion:

  1. Does --expand work without --force-renewal?
  2. Can I match an existing certificate by just specifying a subset of covered domains?
@bmw bmw commented Oct 20, 2016

Yes you can use --expand without --force-renewal. The problem is that you're not listing all domains in the existing certificate. Perhaps we should change the documentation for this flag to say "If an existing cert is a subset of the requested names...".

> Also what if an existing certificate covers a superset of the requested names ("covers" to me suggests that would be fine)? It should then expand and add the newly requested domains.

In this case, Certbot would create a new directory in /etc/letsencrypt/live for the certificate. I believe this problem is also resolved if we change "covers" to "is a".

Honestly, the --expand flag is a bit clunky and supporting use cases like this should be a lot easier in our next release. See #3615 for what we're planning to do.

@SwartzCr SwartzCr commented Mar 24, 2017

tagging @pconrad-fb who might want to add documentation for this in his lineage documentation

@SwartzCr SwartzCr commented Mar 24, 2017

actually, since #3615 has landed, where does the state of this issue stand, @bmw is it closable?

@bmw bmw commented Apr 12, 2017

No, this isn't closable; however, it's just about changing the help for --expand in Certbot.

@SwartzCr SwartzCr commented Apr 12, 2017

got it - opened a PR

@SwartzCr SwartzCr commented Apr 12, 2017

it's #4495

@bmw bmw commented Apr 13, 2017

Fixed in #4495.

@bmw bmw closed this Apr 13, 2017
@pconrad-fb pconrad-fb commented Apr 13, 2017

Looking at the doc, I see the following for --expand:

--expand tells Certbot to update an existing certificate with a new
certificate that contains all of the old domains and one or more additional
new domains.

Should I add the following: "With the --expand option, use the -d option to specify the new domain, and also state each existing domain with the -d option."?

@SwartzCr SwartzCr commented Apr 14, 2017

@bmw thoughts?

@bmw bmw added this to the 0.14.0 milestone Apr 17, 2017
@bmw bmw commented Apr 17, 2017

Yep. SGTM!

@SwartzCr SwartzCr commented Apr 17, 2017

@pconrad-fb if you want to make a PR with that change I'd be happy to review and merge it :D

@pconrad-fb pconrad-fb commented Apr 17, 2017

I'm looking at the docs, and it seems like you can use -d with a comma-delimited list of domains. Is this true? I'd like to put an example in the docs, because I think the behavior is confusing. Which of the following, if any, is correct?

certbot -renew --expand -d existing.com,example.com,newdomain.com

certbot -renew --expand -d existing.com -d example.com -d newdomain.com

certbot --expand -d existing.com,example.com,newdomain.com

certbot --expand -d existing.com -d example.com -d newdomain.com

@pconrad-fb pconrad-fb commented Apr 21, 2017

Sorry, forgot to @mention for visibility: @schoen @SwartzCr see above comment for a syntax question.

@bmw bmw commented May 16, 2017

> certbot -renew --expand -d existing.com,example.com,newdomain.com
>
> certbot -renew --expand -d existing.com -d example.com -d newdomain.com

If you run either of these commands, you get:

certbot: error: unrecognized arguments: -renew

> certbot --expand -d existing.com,example.com,newdomain.com
>
> certbot --expand -d existing.com -d example.com -d newdomain.com

These commands are equivalent though.
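The matching rule bmw describes above (an existing certificate is picked up by --expand only when its names are a subset of the requested names; when the request is a subset of, or only partly overlaps, the existing names, Certbot creates a new lineage) together with the two equivalent -d spellings from this last comment, worked through as an added example. This is illustrative code written for this thread, not certbot's own implementation: the function names, the argparse setup, the outcome strings and the way the no-`--expand` case is reported are assumptions made here, and the command lines are the ones quoted in the thread.

```python
"""Model of the --expand matching rule and the -d syntax discussed in this
issue.  Illustrative re-implementation, not certbot's own code: names,
parser layout and outcome strings are invented for this thread."""
import argparse
from typing import Dict, FrozenSet, Iterable, List


def parse_cli(argv: List[str]) -> Dict[str, object]:
    """Parse the certbot options that matter here.

    -d may be repeated and/or given a comma-separated list; both forms are
    merged into one set, which is why the two correct commands above are
    equivalent.  Unknown options such as '-renew' are returned instead of
    aborting, so the caller can report them the way certbot does.
    """
    parser = argparse.ArgumentParser(prog="certbot", add_help=False)
    parser.add_argument("-d", "--domains", action="append", default=None)
    parser.add_argument("--expand", action="store_true")
    parser.add_argument("--force-renewal", action="store_true")
    parser.add_argument("subcommand", nargs="?")  # e.g. certonly (assumed)
    ns, unrecognized = parser.parse_known_args(argv)

    domains = set()
    for chunk in ns.domains or []:
        for name in chunk.split(","):
            name = name.strip().lower()
            if name:
                domains.add(name)
    return {
        "domains": frozenset(domains),
        "expand": ns.expand,
        "force_renewal": ns.force_renewal,
        "subcommand": ns.subcommand,
        "unrecognized": unrecognized,
    }


def match_lineage(existing: FrozenSet[str], requested: FrozenSet[str],
                  expand: bool) -> str:
    """Apply bmw's rule to one existing certificate (the 'lineage')."""
    if requested == existing:
        # Identical name set: the request refers to this certificate.
        return "same lineage"
    if existing < requested:
        # Every old name is listed plus at least one new one: this is the
        # case --expand exists for.  What certbot does without --expand is
        # outside this thread; the model only reports that it is not automatic.
        return "expand" if expand else "expansion required"
    # The request is a subset of, overlaps with, or is disjoint from the
    # existing names: no match, so a new directory under
    # /etc/letsencrypt/live would be created (bmw's "superset" answer).
    return "new lineage"


def plan(argv: List[str], existing: Iterable[str]) -> str:
    """End to end: parse argv and say what happens to the existing cert."""
    opts = parse_cli(argv)
    if opts["unrecognized"]:
        return "error: unrecognized arguments: " + " ".join(opts["unrecognized"])
    return match_lineage(frozenset(n.lower() for n in existing),
                         opts["domains"], bool(opts["expand"]))


if __name__ == "__main__":
    # SamMousa's existing certificate and the commands quoted in the thread.
    existing = {"example.com", "www.example.com"}
    for argv in (
        ["--expand", "--force-renewal", "certonly", "-d", "example.com",
         "-d", "test.example.com", "-d", "www.example.com"],
        ["--expand", "certonly", "-d", "example.com", "-d", "test.example.com"],
        ["-renew", "--expand", "-d", "existing.com,example.com,newdomain.com"],
        ["--expand", "-d", "existing.com,example.com,newdomain.com"],
        ["--expand", "-d", "existing.com", "-d", "example.com", "-d", "newdomain.com"],
    ):
        print("certbot " + " ".join(argv), "->", plan(argv, existing))
```

Running it reproduces the thread: the first command expands the lineage, the second (www.example.com omitted) falls through to a new lineage, the `-renew` form is rejected, and the last two parse to the identical domain set.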

pconrad-fb pushed a commit to pconrad-fb/certbot that referenced this issue Jun 2, 2017
SwartzCr added a commit that referenced this issue Jul 19, 2017
Incorporating feedback from #4370

Finally going after those last few comments before the restructuring of the plugin stuff (coming soon)

Fixing --expand example in using.rst and adding to Apache/NGINX bullet in challenges.rst
SwartzCr added a commit that referenced this issue Jul 20, 2017
- adding what.rst to index.rst

- Bigger link to instruction generator in intro.rst, some edits to what.rst in response to comments on What is a Certificate? section first draft #4370

- Responding to St_Ranger's comment on 4370

- Edits to using.rst related to --expand

- Initial edit pass through challenges.rst

- Edits to what.rst and challenges.rst to resolve #3664 and #4153

- Incorporating feedback from #4370

- Finally going after those last few comments before the restructuring of the plugin stuff (coming soon)

- Fixing --expand example in using.rst and adding to Apache/NGINX bullet in challenges.rst