LetsEncrypt Problem / Advice

Hi All,

I have installed lighty / certbot and ran it on mydomain.com but afterwards realised I would like to have www.mydomain.com also.

[https://www.mydomain.com auto redirects to https://mydomain.com]

I have read that the --expand option lets you add domains to an existing cert but I can’t seem to locate ‘certbot-auto’ or ‘letsencrypt-auto’.

If I re-run dietpi-letsencrypt will it just create a new cert in addition to the existing one?

Also, would two certs be updated by the cron job?


Use certbot --expand instead.

certbot-auto is only valid if you installed the certbot binaries from source, while DietPi-Software installs it from the APT repo.

dietpi-letsencrypt will only renew existing certs if you rerun it.

Thanks for quick response - will give that a shot now!

Lastly will auto updates still work out ok?

Yep, certbot will save the settings and auto certificate renewal will then apply to the new domain list.

OK Thanks!

I ran

certbot --expand certonly --standalone -d mydomain.com -d www.mydomain.com --dry-run

Everything seemed OK [had to halt lighty to do this]. I then removed dry run and it looked like the process completed with no errors. I can see an additional fingerprint in keystores below the original, and then I rebooted the Pi.

However… https://www.mydomain.com gets auto directed to https://mydomain.com in Chrome and in IE I get a cert error. When reading the cert in IE it shows only mydomain.com referenced in the cert? When I try https://mydomain.com in IE it works fine.

Edit: Just noticed combined.pem doesn’t look right - timestamp is from earlier on… then read the README - fullchain.pem does contain two cert fingerprints

Edit2: think I am barking up the wrong tree here;

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: mydomain.com
Domains: mydomain.com www.mydomain.com
Expiry Date: 2019-03-11 21:19:30+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mydomain.com/privkey.pem

So new cert does include www version - is there some ‘caching’ at Let’s Encrypt?

Edit3: now think this is more to do with lighty - with http://www.mydomain.com or http://mydomain.com either will work.

# Applies to mydomain.com and any subdomain such as www.mydomain.com
$HTTP["host"] =~ "(^|\.)mydomain\.com$" {
    server.document-root = "/var/www"
}

Feeling the above is interpreted differently when using https ?

I now suspect it’s more down to my lack of understanding of how https / ssl / certs work together…

Also, reading through most of the posts on serverfault it seems way more people want to redirect the www version to the non-www version so I am assuming there is a desirable / technical reason for that I am failing to understand?

Maybe I should just be happy with the way things work now as it’s not a big difference anyway - and I have seen both versions being used in many different places.

I am leaving some links here for further reading / reference;
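
An added check, not part of the thread or of DietPi's scripts: it compares the leaf certificate in the file the web server loads (assumed here to be combined.pem, referenced by lighttpd's ssl.pemfile) with the leaf in certbot's fullchain.pem, which is the mismatch the stale combined.pem timestamp in the thread points to. The PEM contents below are constructed placeholders, not real certificates or keys.

```python
import base64
import hashlib
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first CERTIFICATE block (the leaf), or None if absent."""
    # Non-certificate blocks (the private key in a combined file) are skipped.
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()))
            return hashlib.sha256(der).hexdigest()
    return None


def served_cert_is_current(served_pem, fullchain_pem):
    """True only if the server's file carries the same leaf as fullchain.pem."""
    served = leaf_fingerprint(served_pem)
    current = leaf_fingerprint(fullchain_pem)
    if served is None or current is None:
        raise ValueError("no CERTIFICATE block found")
    return served == current


def _pem(label, payload):
    # Constructed sample data: arbitrary bytes in PEM armour, not real certs.
    b64 = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


OLD_LEAF = _pem("CERTIFICATE", b"constructed leaf: mydomain.com")
NEW_LEAF = _pem("CERTIFICATE", b"constructed leaf: mydomain.com www.mydomain.com")
CHAIN = _pem("CERTIFICATE", b"constructed intermediate")
KEY = _pem("PRIVATE KEY", b"constructed key placeholder")

FULLCHAIN = NEW_LEAF + CHAIN      # what certbot wrote after --expand
STALE_COMBINED = KEY + OLD_LEAF   # combined file with the earlier timestamp
FRESH_COMBINED = KEY + NEW_LEAF   # combined file rebuilt after the expand

if __name__ == "__main__":
    for name, text in [("stale", STALE_COMBINED), ("fresh", FRESH_COMBINED)]:
        ok = served_cert_is_current(text, FULLCHAIN)
        print(f"{name} combined.pem matches fullchain.pem leaf: {ok}")
```

A mismatch means the server is still presenting the certificate issued before the expand, so clients see only the original name until the combined file is rebuilt and the server restarted.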