I have an example.com domain that is secured with an SSL certificate from Let's Encrypt. Now I want to add more subdomains to my domain, for example mail.example.com and search.example.com. How can I do that?
- Issue a certificate for each one. You can, of course, issue a single one for everything, but usually there is no point in that. - etki
3 answers
Let's Encrypt's FAQ says that they do not yet have plans to issue wildcard certificates (i.e., for *.example.com).
Will Let's Encrypt issue wildcard certificates?
But it is possible in the future. Still, you shouldn't count on it.
Therefore, you can either obtain a certificate for each subdomain, in the same way the certificate for the main domain was obtained, or create one certificate for several domain names at once.
For example, the documentation for the webroot plugin gives this example:

    certbot certonly --webroot \
      -w /var/www/example/ -d www.example.com -d example.com \
      -w /var/www/other -d other.example.net -d another.other.example.net

This command creates one certificate for several domains at once. Here, /var/www/example/ is the webroot for www.example.com and example.com, and /var/www/other is the webroot for other.example.net and another.other.example.net.
But Let's Encrypt limits how many domain names one certificate can carry: you can create one certificate for up to 100 domains.
Adding subdomains to an existing certificate will not work. You must first delete the certificate (see the revoke and delete commands) and then create a new certificate for several domains at once.
- A wildcard is not needed in this case; Let's Encrypt lets you make one certificate for up to a hundred subdomains at once - andreymal
- @andreymal please give the link to where that is written - Andrey Mindubaev
- According to your own link to the FAQ, exactly one question above :D True, a hundred is not mentioned there; I'll look for where I saw it - andreymal
- Found it, about the hundred: letsencrypt.org/docs/rate-limits - Names per Certificate.
- @andreymal thanks for the link, I found the rest of the documentation and updated the answer - Andrey Mindubaev
It is better to get a certificate using one of the recommended clients. My choice was GetSSL. It is a simple bash script that can update itself. It works through the openssl CLI, so there is no tight binding to a particular version.
GetSSL automates the process of obtaining and renewing a certificate using several commands. For example, to get a certificate for domain.tld:
    srv ~ # getssl -c domain.tld
    creating main config file /root/.getssl/getssl.cfg
    Making domain directory - /root/.getssl/domain.tld
    creating domain config file in /root/.getssl/domain.tld/getssl.cfg
    srv ~ # getssl domain.tld

The first command adds the domain to the list (it is run once); the second obtains the certificate.
For subdomains (including www), you just need to list them in the configuration file, separated by commas:

    # Additional domains - this could be multiple domains / subdomains in a comma separated list
    # Note: this is Additional domains - so should not include the primary domain.
    SANS=www.example.com,mail.example.com,search.example.com

This article describes the process of obtaining a certificate with GetSSL in more detail.
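The SANS line is easy to get wrong: a stray trailing comma, or repeating the primary domain that the comment warns against. Here is an added check to run on a domain's getssl.cfg before calling getssl. It is example code written for this page, not part of GetSSL or of the answer; it assumes the layout the answer shows (one getssl.cfg per domain directory, with an uncommented SANS= line) and counts the primary domain plus the SANS entries against the limit of 100 names per certificate mentioned above.

```shell
#!/bin/sh
# Added example, not part of GetSSL or the answer above.
# getssl_sans_check PRIMARY CFG : validate the SANS= line of a getssl domain
# config. Prints the total number of names (primary + SANS) on success.
# Fails on: an empty entry (stray comma), the primary domain repeated in SANS,
# a name listed twice, or more than 100 names in total.
getssl_sans_check() {
    primary="$1"; cfg="$2"
    # the last uncommented SANS= line wins; quotes and spaces are stripped
    sans=$(sed -n 's/^SANS=//p' "$cfg" | tail -n 1 | tr -d '" ')
    if [ -z "$sans" ]; then echo 1; return 0; fi
    case ",$sans," in
        *,,*) echo "SANS has an empty entry (stray comma) in $cfg" >&2; return 1 ;;
    esac
    # split on commas only; set -f keeps a wildcard like *.example.com from globbing
    old_ifs=$IFS; IFS=,; set -f; set -- $sans; set +f; IFS=$old_ifs
    seen=" $primary "
    for name in "$@"; do
        case "$seen" in
            *" $name "*) echo "$name is the primary domain or is listed twice" >&2; return 1 ;;
        esac
        seen="$seen$name "
    done
    n=$(( $# + 1 ))
    if [ "$n" -gt 100 ]; then
        echo "$n names exceed the 100 names one certificate may carry" >&2; return 1
    fi
    echo "$n"
}
```

Run it as `getssl_sans_check example.com /root/.getssl/example.com/getssl.cfg`; a non-zero exit explains on stderr which entry is wrong, so it fits in front of `getssl example.com` in a cron job or deployment script.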
Apache instructions
Suppose the virtual hosts live in the following file:
/home/ubuntu/.config/virtual-hosts.conf and look like this:

    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /home/ubuntu/example.com
        <Directory /home/ubuntu/example.com>
            Require all granted
            AllowOverride all
        </Directory>
    </VirtualHost>

    <VirtualHost *:80>
        ServerName test.example.com
        DocumentRoot /home/ubuntu/test.example.com
        <Directory /home/ubuntu/test.example.com>
            Require all granted
            AllowOverride all
        </Directory>
    </VirtualHost>

Add a certificate for the example.com domain:

    sudo certbot --apache -d example.com

What do we get as a result?
1. In /home/ubuntu/.config, Certbot creates virtual-hosts-le-ssl.conf with the following contents:

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName example.com
        DocumentRoot /home/ubuntu/example.com
        <Directory /home/ubuntu/example.com>
            Require all granted
            AllowOverride all
        </Directory>
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>

2. In /etc/apache2/sites-enabled, Certbot creates a link to the above file:

    /etc/apache2/sites-enabled
    ├── 000-default.conf -> ../sites-available/000-default.conf
    └── virtual-hosts-le-ssl.conf -> /home/ubuntu/.config/virtual-hosts-le-ssl.conf

3. If we answered 2 to the question about redirecting traffic from http to https, then /home/ubuntu/.config/virtual-hosts.conf will look like this (a redirect is added):
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /home/ubuntu/example.com
        <Directory /home/ubuntu/example.com>
            Require all granted
            AllowOverride all
        </Directory>
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =example.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>

    <VirtualHost *:80>
        ServerName test.example.com
        DocumentRoot /home/ubuntu/test.example.com
        <Directory /home/ubuntu/test.example.com>
            Require all granted
            AllowOverride all
        </Directory>
    </VirtualHost>

Add a certificate for the test.example.com subdomain:

    sudo certbot --apache -d test.example.com

What do we do next?
Either I just do not understand what Certbot means by its actions (since I did not read the documentation), or it is a bug; in any case, if you leave everything at the defaults, nothing works (at least for me), because Certbot makes a mess of the configuration files.
1. Replace the contents of /home/ubuntu/.config/virtual-hosts-le-ssl.conf with this:

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName example.com
        DocumentRoot /home/ubuntu/example.com
        <Directory /home/ubuntu/example.com>
            Require all granted
            AllowOverride all
        </Directory>
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>

    <VirtualHost *:443>
        ServerName test.example.com
        DocumentRoot /home/ubuntu/test.example.com
        <Directory /home/ubuntu/test.example.com>
            Require all granted
            AllowOverride all
        </Directory>
        SSLCertificateFile /etc/letsencrypt/live/test.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/test.example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>

2. Replace the contents of /home/ubuntu/.config/virtual-hosts.conf with this:

    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /home/ubuntu/example.com
        <Directory /home/ubuntu/example.com>
            Require all granted
            AllowOverride all
        </Directory>
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =example.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>

    <VirtualHost *:80>
        ServerName test.example.com
        DocumentRoot /home/ubuntu/test.example.com
        <Directory /home/ubuntu/test.example.com>
            Require all granted
            AllowOverride all
        </Directory>
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =test.example.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>

All of the above was done on my server at the time of writing this answer.
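Two checks that follow from the answers above, as an added example written for this page rather than code from the answers, certbot or Apache. First, that a certificate issued for several names (the certbot certonly form in the first answer) really lists every subdomain in its subjectAltName and stays within the limit of 100 names per certificate. Second, that each <VirtualHost *:443> in a configuration like the one just shown points at a readable certificate that covers its own ServerName; leaving the second vhost on the first domain's certificate is exactly the mistake that shows up as a name-mismatch warning in the browser for test.example.com. The functions take certificate and config paths as arguments (the /etc/letsencrypt/live/<name>/fullchain.pem layout is only mentioned in comments), and make_demo_cert builds a throwaway self-signed certificate, a constructed fixture, so the checks can be exercised offline with nothing but the openssl CLI, sed and awk.

```shell
#!/bin/sh
# Added example, not code from the answers above, from certbot or from Apache.
# Checks that a multi-name certificate covers the names you expect and that every
# :443 vhost in an Apache config uses a certificate valid for its ServerName.

# make_demo_cert OUT.pem NAME... : throwaway self-signed certificate whose SAN
# lists NAME... (constructed fixture standing in for a Let's Encrypt certificate;
# in production use /etc/letsencrypt/live/<name>/fullchain.pem instead).
make_demo_cert() {
    out="$1"; shift
    cfg=$(mktemp)
    {
        printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n'
        printf '[dn]\nCN=%s\n[v3]\nsubjectAltName=' "$1"
        sep=""
        for n in "$@"; do printf '%sDNS:%s' "$sep" "$n"; sep=","; done
        printf '\n'
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
    rm -f "$cfg"
}

# cert_san_names CERT : print the DNS names from the certificate's SAN, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_covers CERT NAME... : succeed only if every NAME appears in the SAN list.
cert_covers() {
    cert="$1"; shift
    names=$(cert_san_names "$cert")
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qxF "$want" \
            || { echo "$cert does not cover $want" >&2; return 1; }
    done
}

# cert_within_limit CERT : succeed if the SAN count is within the 100-names limit.
cert_within_limit() {
    [ "$(cert_san_names "$1" | wc -l | tr -d ' ')" -le 100 ]
}

# apache_ssl_vhost_check CONF : for every <VirtualHost *:443> block, require a
# readable SSLCertificateFile whose SAN covers that block's ServerName.
apache_ssl_vhost_check() {
    list=$(mktemp); rc=0
    awk '
        /<VirtualHost[^>]*:443>/               { inblock=1; sn=""; cf=""; next }
        inblock && $1 == "ServerName"         { sn=$2 }
        inblock && $1 == "SSLCertificateFile" { cf=$2 }
        inblock && /<\/VirtualHost>/           { print sn, cf; inblock=0 }
    ' "$1" > "$list"
    while read -r sn cf; do
        if [ -z "$cf" ]; then
            echo "$sn: no SSLCertificateFile in its :443 vhost" >&2; rc=1
        elif [ ! -r "$cf" ]; then
            echo "$sn: $cf is missing or unreadable" >&2; rc=1
        elif ! cert_covers "$cf" "$sn"; then
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}
```

Run `apache_ssl_vhost_check /home/ubuntu/.config/virtual-hosts-le-ssl.conf` after each certbot run; a non-zero exit names the ServerName whose certificate is missing or does not cover it. With one multi-name certificate, both :443 vhosts may reference the same fullchain.pem and the check still passes as long as that certificate's SAN carries both names.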