NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Adding new subdomains to existing certificate #921

Open crovaxon opened 3 years ago

crovaxon commented 3 years ago

Are you in the right place?
I hope I am, as I am considering this a feature request I could not find by searching in the existing issues.

Is your feature request related to a problem? Please describe.
Currently there is no way to add subdomains to an existing certificate using the UI, unless I am mistaken. I would have to remove my existing certificate and reissue it with all previous subdomains including the new one. I haven't done that yet because I did not want to risk breaking my existing proxy settings and potentially have to edit each and set the certificate again after having it recreated.

Describe the solution you'd like
Ability to add one or more new subdomains to an existing certificate via the comfortable UI this project offers. Certbot itself is able to do so via expanding onto the existing certificate. This will renew it and also add the new domains. See https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

Describe alternatives you've considered
Dropping to terminal in my docker instance and manually interacting with certbot to do the expansion like I was doing it prior to switching to NGM as my reverse proxy. I do not plan to add subdomains very often but when I do, it would be nice to not have to do it manually. Also I am not sure if NGM will actually pick up on the manual change, which is why I have not tried to do that yet.

Additional context
No extra context

steffenrh commented 3 years ago

Sorry, I couldn't find another way to upvote this enhancement proposal. But I painfully miss this feature, too. I've already made a cert expansion once, but it is pretty laborious:

  1. Write down all the domain names in your existing cert.
  2. Create a new cert request
  3. Copy and insert all existing and new domain names one by one into the dialog (the dialog requires input validation for each domain separately).
  4. Let certbot create a totally new certificate (which is not the recommended way due to the existing --expand option)
  5. After creation, open each configured Proxy host or Redirect and edit its settings. Replace the old cert with the new cert and save.
  6. If you have post hook processes (e.g. replicating the cert for your mail container), then you have to adjust your scripts, as the new certificate has been stored in a different npm- folder. If I'm not wrong...

Having an "Add subdomain" / "Edit subdomains" button would be a vast improvement for the whole process.

GAS85 commented 1 year ago

I have used LetsEncrypt for a long time, and there is not even a need to expand the certificate. You can simply add new domains to an existing one with the command described under "Changing a Certificate's Domains":

    certbot certonly --cert-name example.com --domains example.com,example2.com,example3.com

Or remove domains from the certificate via:

    certbot certonly --cert-name example.com --domains example.com

So, basically there are ZERO changes in code, because you are already using this feature with domains separated via ",". What is missing is only an Edit button.

UPDATE: Workaround how to add/remove domain manually.

  1. You need to find out the cert name; here it is used with the npm- prefix. E.g. if your container name is npm:
    docker exec npm ls -la /etc/letsencrypt/live/ | grep npm-
    drwxrwxr-x+ 2 root root 4096 Dec 23 10:37 npm-2
  2. Temporarily disable "Force SSL" for the needed Proxy via Proxy-->Edit-->SSL
  3. Now you can add additional domains/subdomains to this certificate. You shall provide the webroot-path, the authenticator type and the cert-name from above, e.g. npm-2. You have to provide all domains.
    docker exec -it npm certbot certonly --cert-name npm-2 --domains example.com,example2.com --authenticator webroot --webroot-path /data/letsencrypt-acme-challenge

    Output:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    An ECDSA certificate named npm-2 already exists. Do you want to update its key type to RSA?
    (U)pdate key type/(K)eep existing key type: K

    You are updating certificate npm-2 to include new domain(s):

    You are also removing previously included domain(s): (None)

    Did you intend to make this change?
    (U)pdate certificate/(C)ancel: U
    Renewing an existing certificate for example.com and example2.com

    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/npm-2/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/npm-2/privkey.pem
    This certificate expires on 2023-05-21.
    These files will be updated when the certificate renews.

    NEXT STEPS:
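
A pre-flight check for step 3 of the workaround above, as an added example that is not part of the original comment or of the project's code: since every name has to be passed in `--domains`, it compares the names currently on the certificate with the list about to be passed and flags any that would be dropped. The function names and the sample `certbot certificates` output are constructed for illustration; in real use the input would come from `docker exec npm certbot certificates --cert-name npm-2`.

```shell
#!/bin/sh
# Constructed sample of `certbot certificates --cert-name npm-2` output
# (illustrative values, not captured from a real host).
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: npm-2
    Key Type: ECDSA
    Domains: example.com example2.com
    Expiry Date: 2023-05-21 10:37:00+00:00 (VALID: 89 days)'

# Read `certbot certificates` output on stdin; print the certificate's
# current names, one per line.
current_domains() {
    sed -n 's/^[[:space:]]*Domains:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Split a comma-separated --domains value into one lower-cased name per line.
requested_domains() {
    printf '%s\n' "$1" | tr ',' '\n' | tr 'A-Z' 'a-z' | sed 's/[[:space:]]//g; /^$/d' | sort -u
}

# Print every name found in list $1 but not in list $2, prefixed with $3.
only_in() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$3$name"
    done
}

# domain_diff CERTBOT_OUTPUT DOMAINS_VALUE
# "+name" = would be added, "-name" = would be dropped from the certificate.
domain_diff() {
    cur=$(printf '%s\n' "$1" | current_domains)
    req=$(requested_domains "$2")
    only_in "$req" "$cur" "+"
    only_in "$cur" "$req" "-"
}

# Succeeds only when the requested list keeps every name already on the cert.
drops_nothing() {
    ! domain_diff "$1" "$2" | grep -q '^-'
}

# Demo: example2.com was forgotten, so it is reported as "-example2.com".
domain_diff "$SAMPLE_CERTBOT_OUTPUT" "example.com,example3.com"
```

Running `drops_nothing` before the `certbot certonly --cert-name ...` call lets a script stop when a name still served by a proxy host is missing from the new list.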

github-actions[bot] commented 6 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1:

GAS85 commented 6 months ago

👍

crovaxon commented 6 months ago

👍