--expand not properly documented. #3664

Closed
SamMousa opened this issue Oct 20, 2016 · 14 comments

Comments

@SamMousa

From the docs:

  --expand              If an existing cert covers some subset of the
                        requested names, always expand and replace it with the
                        additional names. (default: False)

Existing certificate has: example.com and www.example.com.
Works:
letsencrypt-auto --expand --force-renewal certonly -d example.com -d test.example.com -d www.example.com

Doesn't work:
letsencrypt-auto --expand certonly -d example.com -d test.example.com

Note that there are 2 differences between these commands:

  1. --force-renewal, I replicated what I used to get it to work; but this is a prod server so I'm hesitant to retry and risk getting rate limited.
  2. We are not listing all existing domains on the existing certificate.

The issue is that 2 should not be a problem according to docs. Even more so, expanding should always expand if any certificate exists. "If an existing certificate covers some subset of the requested names...", the empty subset is always covered and requested. Also what if an existing certificate covers a superset of the requested names ("covers" to me suggests that would be fine)? It should then expand and add the newly requested domains.

In conclusion:

  1. Does --expand work without --force-renewal?
  2. Can I match an existing certificate by just specifying a subset of covered domains?
@bmw
Member

bmw commented Oct 20, 2016

Yes you can use --expand without --force-renewal. The problem is that you're not listing all domains in the existing certificate. Perhaps we should change the documentation for this flag to say "If an existing cert is a subset of the requested names...".

Also what if an existing certificate covers a superset of the requested names ("covers" to me suggests that would be fine)? It should then expand and add the newly requested domains.

In this case, Certbot would create a new directory in /etc/letsencrypt/live for the certificate. I believe this problem is also resolved if we change "covers" to "is a".

Honestly, the --expand flag is a bit clunky and supporting use cases like this should be a lot easier in our next release. See #3615 for what we're planning to do.

@SwartzCr
Contributor

tagging @pconrad-fb who might want to add documentation for this in his lineage documentation

@SwartzCr
Contributor

actually, since #3615 has landed, where does the state of this issue stand, @bmw is it closable?

@bmw
Member

bmw commented Apr 12, 2017

No this isn't closable, however, it's just about changing the help for --expand in Certbot.

@SwartzCr
Contributor

got it - opened a PR

@SwartzCr
Contributor

it's #4495

@bmw
Member

bmw commented Apr 13, 2017

Fixed in #4495.

@bmw bmw closed this as completed Apr 13, 2017
@pconrad-fb

pconrad-fb commented Apr 13, 2017

Looking at the doc, I see the following for --expand:

--expand tells Certbot to update an existing certificate with a new
certificate that contains all of the old domains and one or more additional
new domains.

Should I add the following: "With the --expand option, use the -d option to specify the new domain, and also state each existing domain with the -d option."

?

@SwartzCr
Contributor

@bmw thoughts?

@bmw bmw added this to the 0.14.0 milestone Apr 17, 2017
@bmw
Member

bmw commented Apr 17, 2017

Yep. SGTM!

@SwartzCr
Contributor

@pconrad-fb if you want to make a PR with that change I'd be happy to review and merge it :D

@pconrad-fb

I'm looking at the docs, and it seems like you can use -d with a comma-delimited list of domains. Is this true? I'd like to put an example in the docs, because I think the behavior is confusing. Which of the following, if any, is correct?

certbot -renew --expand -d existing.com,example.com,newdomain.com

certbot -renew --expand -d existing.com -d example.com -d newdomain.com

certbot --expand -d existing.com,example.com,newdomain.com

certbot --expand -d existing.com -d example.com -d newdomain.com

@pconrad-fb

Sorry, forgot to @mention for visibility: @schoen @SwartzCr see above comment for a syntax question.

@bmw
Member

bmw commented May 16, 2017

certbot -renew --expand -d existing.com,example.com,newdomain.com

certbot -renew --expand -d existing.com -d example.com -d newdomain.com

If you run either of these commands, you get:

certbot: error: unrecognized arguments: -renew

certbot --expand -d existing.com,example.com,newdomain.com

certbot --expand -d existing.com -d example.com -d newdomain.com

These commands are equivalent though.

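The two rules this thread settles on, as an added example written for this page rather than code taken from Certbot itself: a `-d` value may be a single name or a comma-separated list and `-d` may be repeated (the two spellings bmw calls equivalent), and a certificate is only expanded when every name it already covers is among the requested names, otherwise a new lineage is created. The lineage name and domain sets are constructed, the `parse_command`/`choose_lineage` functions are this example's own, and naming a new lineage after the first requested domain is a simplification of Certbot's real behaviour.

```python
"""Added example (not Certbot's own code): the -d syntax and the --expand
subset rule discussed in this thread, modelled in plain Python."""
import argparse
from typing import Dict, List, Set, Tuple


def parse_command(argv: List[str]) -> dict:
    """Parse a certbot-style argument list.

    -d may be repeated and each value may itself be a comma-separated list,
    so "-d a,b,c" and "-d a -d b -d c" yield the same domain list.
    Unknown tokens such as "-renew" are returned under "unrecognized"
    (the real CLI aborts with "unrecognized arguments: -renew").
    """
    parser = argparse.ArgumentParser(prog="certbot", add_help=False)
    parser.add_argument("subcommand", nargs="?")
    parser.add_argument("--expand", action="store_true")
    parser.add_argument("--force-renewal", action="store_true")
    parser.add_argument("-d", "--domains", action="append", default=[])
    args, unknown = parser.parse_known_args(argv)

    domains: List[str] = []
    for value in args.domains:
        for name in value.split(","):
            name = name.strip().lower()
            if name and name not in domains:  # keep order, drop duplicates
                domains.append(name)
    return {
        "subcommand": args.subcommand,
        "expand": args.expand,
        "force_renewal": args.force_renewal,
        "domains": domains,
        "unrecognized": unknown,
    }


def choose_lineage(requested: List[str], lineages: Dict[str, Set[str]],
                   expand: bool) -> Tuple[str, str]:
    """Decide what happens to existing lineages for a requested name set.

    Rule from the thread: an existing certificate matches the request only
    when its domain set is a subset of the requested names. If the request
    omits any covered name (including the superset case), nothing matches and
    a new lineage (a new directory under /etc/letsencrypt/live) is created.
    Naming that lineage after the first requested domain is a simplification.
    """
    wanted = set(requested)
    for name, covered in lineages.items():
        if covered == wanted:
            return ("renew-existing", name)  # identical names: plain renewal
    for name, covered in lineages.items():
        if covered < wanted:  # proper subset: this is the --expand case
            return ("expand", name) if expand else ("expand-needed", name)
    return ("new-lineage", requested[0])


if __name__ == "__main__":
    # Constructed state: one lineage covering example.com and www.example.com.
    lineages = {"example.com": {"example.com", "www.example.com"}}
    for argv in (
        ["--expand", "certonly", "-d", "example.com", "-d", "test.example.com",
         "-d", "www.example.com"],
        ["--expand", "certonly", "-d", "example.com", "-d", "test.example.com"],
        ["-renew", "--expand", "-d", "existing.com,example.com,newdomain.com"],
    ):
        cmd = parse_command(argv)
        print(argv, "->", cmd["unrecognized"] or
              choose_lineage(cmd["domains"], lineages, cmd["expand"]))
```

The second command in the `__main__` block is the "doesn't work" case from the opening post: `www.example.com` is covered by the existing certificate but not requested, so the subset test fails and Certbot would create a new lineage rather than expand the old one.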
pconrad-fb pushed a commit to pconrad-fb/certbot that referenced this issue Jun 2, 2017
SwartzCr pushed a commit that referenced this issue Jul 19, 2017
Incorporating feedback from #4370

Finally going after those last few comments before the restructuring of the plugin stuff (coming soon)

Fixing --expand example in using.rst and adding to Apache/NGINX bullet in challenges.rst
SwartzCr pushed a commit that referenced this issue Jul 20, 2017
- adding what.rst to index.rst

- Bigger link to instruction generator in intro.rst, some edits to what.rst in response to comments on What is a Certificate? section first draft #4370

- Responding to St_Ranger's comment on 4370

- Edits to using.rst related to --expand

- Initial edit pass through challenges.rst

- Edits to what.rst and challenges.rst to resolve #3664 and #4153

- Incorporating feedback from #4370

- Finally going after those last few comments before the restructuring of the plugin stuff (coming soon)

- Fixing --expand example in using.rst and adding to Apache/NGINX bullet in challenges.rst