Some random tests of certbot (0.22) behaviour, as part of an effort to script its usage.
Setup:
*.wildcard.example.org DNS points at this server, so HTTP-01 auth works.

CERTBOT_PARAMS=" --test-cert --email me@example.org --agree-tos --webroot --webroot-path /var/www/html --non-interactive"
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test2.wildcard.example.org
Fails. You have to use --expand (or --cert-name).
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test2.wildcard.example.org --expand
Works: Updates the certificate to include the new domain.
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test3.wildcard.example.org --expand
Creates a new test1.wildcard.example.org-0001 lineage instead of updating the existing one: --expand only applies when the new domain set is a superset of an existing certificate's domains, and {test1, test3} is not a superset of {test1, test2}.
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org --cert-name test1
Works great! Gets put in /etc/letsencrypt/live/test1/fullchain.pem
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org --cert-name test1
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test2.wildcard.example.org --cert-name test1
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test3.wildcard.example.org --cert-name test1
Works great! Only maintains a single certificate in /etc/letsencrypt/live/test1/fullchain.pem.
certbot certonly $CERTBOT_PARAMS --domains test21.wildcard.example.org,test22.wildcard.example.org --cert-name test2
certbot certonly $CERTBOT_PARAMS --domains test24.wildcard.example.org,test25.wildcard.example.org --cert-name test2
Works great!
certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test3.other.example.com --cert-name test3 --allow-subset-of-names
As expected, cert only contains the one that worked.
Exit code: 0
certbot certonly $CERTBOT_PARAMS --domains test1.example.org,test3.other.example.com --cert-name test3 --allow-subset-of-names
Fails entirely. This makes sense: neither name points at this server, so no authorization can succeed and there is no subset to keep.
Exit code: 1
certbot certonly --email ... --test-cert --agree-tos --manual -d one.example.org,two.example.org --preferred-challenge dns
- Prompts to create _acme-challenge.one.example.org with a random key
- Prompts to create _acme-challenge.two.example.org with a (different) random key
certbot certificates | tr '\n' ' ' | grep -oP "[^ ]+ +Domains: .*?(?= +Expiry)" | sed 's/ *Domains: */\t /g;'
The lookahead ends the match at the "Expiry Date" field, so a certificate with several domains lists all of them (a non-greedy `.*? ` would stop after the first one).
Output:
certname{tab} domain1.com domain2.com etc.
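A scripted version of the two findings above (always pass --cert-name so one lineage is maintained, and parse `certbot certificates` to see what that lineage currently covers), added here as an example; it is not from the original notes. It uses awk instead of grep -P so it runs on a plain POSIX sh, only calls certbot when the wanted domain set differs from the existing one, and relies on two assumptions: a CERTBOT_BIN hook so the script can be dry-run, and a constructed sample of `certbot certificates` output in the layout certbot 0.22 prints.

```shell
#!/bin/sh
# Added example, not from the original notes. Keeps one certbot lineage per
# --cert-name and only runs certbot when the domain set actually changes.
# CERTBOT_BIN is an assumed hook so the logic can be exercised without certbot.
CERTBOT_BIN="${CERTBOT_BIN:-certbot}"
CERTBOT_PARAMS="--test-cert --email me@example.org --agree-tos --webroot --webroot-path /var/www/html --non-interactive"

# Constructed sample of `certbot certificates` output (indented
# "Certificate Name:" blocks, each with a "Domains:" line, as certbot 0.22 prints).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: test1
    Domains: test1.wildcard.example.org test2.wildcard.example.org
    Expiry Date: 2018-06-01 12:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/test1/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test1/privkey.pem
  Certificate Name: test2
    Domains: test24.wildcard.example.org test25.wildcard.example.org
    Expiry Date: 2018-06-01 12:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/test2/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test2/privkey.pem'

# Turn certificates output (on stdin) into "name<TAB>domain domain ..." lines.
list_certs() {
  awk '/^ *Certificate Name:/ { name = $3 }
       /^ *Domains:/ { sub(/^ *Domains: */, ""); print name "\t" $0 }'
}

# Domains the named lineage currently covers, one per line, sorted.
cert_domains() {  # $1 = cert name; certificates output on stdin
  list_certs | awk -F '\t' -v n="$1" '$1 == n { print $2 }' | tr ' ' '\n' | sort
}

# Normalise a comma-separated domain list into sorted one-per-line form.
split_domains() { printf '%s' "$1" | tr ',' '\n' | sort; }

# Succeeds if the lineage already covers exactly the wanted domains.
up_to_date() {  # $1 = cert name, $2 = comma-separated domains; certs output on stdin
  [ "$(cert_domains "$1")" = "$(split_domains "$2")" ]
}

# Issue or update lineage $1 so that it covers exactly the domains in $2.
# Always passing --cert-name makes certbot update the existing lineage rather
# than refusing without --expand or creating a "<name>-0001" copy.
ensure_cert() {  # $1 = cert name, $2 = comma-separated domains
  if "$CERTBOT_BIN" certificates | up_to_date "$1" "$2"; then
    echo "$1: already covers $2"
    return 0
  fi
  # shellcheck disable=SC2086  # CERTBOT_PARAMS is intentionally word-split
  "$CERTBOT_BIN" certonly $CERTBOT_PARAMS --cert-name "$1" --domains "$2"
}

# Usage: ./ensure_cert.sh test1 test1.wildcard.example.org,test2.wildcard.example.org
if [ "$#" -ge 2 ]; then
  ensure_cert "$1" "$2"
fi
```

Comparing sorted domain lists makes the check order-independent, so a config that lists the same names in a different order does not trigger a needless reissue (which would count against the CA's rate limits). Drop --allow-subset-of-names into CERTBOT_PARAMS if partial success is acceptable; the comparison will then report the lineage as out of date on every run until the failing name is removed from the list, which is the desired signal.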