Renew a certificate for multiple domains

Oleksandr Porunov edited this page Apr 19, 2017 · 8 revisions

This scenario describes step-by-step how to renew the certificate for the following domains:
example.com, www.example.com, admin.example.com and www.admin.example.com.

Requirements:

  • PJAC

As in scenario 1, PJAC runs on the same machine as the web server that serves the domains. Again, we use HTTP01 authentication in this scenario. The web server is configured to serve content over HTTP (port 80) for all of the above-mentioned domains from a single document root, /var/www/.

The files and subdirectories in /etc/pjac/ that were created in scenario 1 are still there. The certificates were generated ten weeks ago, so the authorizations for the domains will have expired.

Because we use the renew command here, we can schedule this to run every week (or even every day): the renew command only generates a new certificate when the current certificate will expire within 30 days (by default). Generating new authorizations every week (or every day) is no problem, as the limits on authorization creation are very high (up to 20 authorizations per second on Let's Encrypt). Make sure, however, that you verify all new authorizations, as the limit on pending authorizations isn't high (up to 300 pending authorizations on Let's Encrypt).


  1. Request new challenges and download them:

    java -jar acme_client.jar --command authorize-domains -a /etc/pjac/account.key \
      -w /etc/pjac/workdir/ -d example.com -d www.example.com -d admin.example.com \
      -d www.admin.example.com --well-known-dir /var/www/.well-known/acme-challenge/ \
      --one-dir-for-well-known --with-agreement-update
    

    For each domain name, a new challenge file is downloaded and saved to the directory /var/www/.well-known/acme-challenge. Note: new authorizations are not created for domains that already have verified authorizations (the verified authorizations are returned instead).

  2. Verify the challenges:

    java -jar acme_client.jar --command verify-domains -a /etc/pjac/account.key \
      -w /etc/pjac/workdir/ -d example.com -d www.example.com -d admin.example.com \
      -d www.admin.example.com
    

    The domains are now authorized again.

  3. Generate a new certificate and download it:

    java -jar acme_client.jar --command renew-certificate -a /etc/pjac/account.key \
      -w /etc/pjac/workdir/ --cert-dir /etc/pjac/certdir/ \
      --csr /etc/pjac/example.com.csr
    
  4. Done. The following files in the directory /etc/pjac/certdir/ should be renewed: cert.pem, chain.pem and fullchain.pem.
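
The three steps above can be combined into one script for the weekly (or daily) schedule mentioned earlier. This is an added example, not part of PJAC or of the original page: the commands, flags, paths and domains are the ones used above, while the function names, the overridable `PJAC` and `CERT_DIR` variables, the `--run` switch and the assumption that the client exits non-zero on failure are this example's own.

```shell
#!/bin/sh
# Added example: renewal wrapper for the three PJAC steps on this page.
# Assumptions: function names, PJAC/CERT_DIR overrides, "--run" switch, and
# that the client exits non-zero when a step fails.
PJAC=${PJAC:-"java -jar acme_client.jar"}
ACCOUNT_KEY=/etc/pjac/account.key
WORKDIR=/etc/pjac/workdir/
CERT_DIR=${CERT_DIR:-/etc/pjac/certdir/}
CSR=/etc/pjac/example.com.csr
WELL_KNOWN=/var/www/.well-known/acme-challenge/
DOMAINS="example.com www.example.com admin.example.com www.admin.example.com"

# Expand DOMAINS into the repeated "-d <domain>" arguments.
domain_args() {
    for d in $DOMAINS; do printf '%s %s ' -d "$d"; done
}

# Checksum of the current certificate, or "none" if it does not exist yet.
cert_sum() {
    cksum "$CERT_DIR/cert.pem" 2>/dev/null || echo none
}

# Run authorize -> verify -> renew and stop at the first failing step, so a
# certificate is never requested while an authorization is still unverified.
# Client output goes to stderr; stdout carries only "renewed" or "unchanged".
renew_all() {
    before=$(cert_sum)
    $PJAC --command authorize-domains -a "$ACCOUNT_KEY" -w "$WORKDIR" \
        $(domain_args) --well-known-dir "$WELL_KNOWN" \
        --one-dir-for-well-known --with-agreement-update >&2 || return 1
    $PJAC --command verify-domains -a "$ACCOUNT_KEY" -w "$WORKDIR" \
        $(domain_args) >&2 || return 2
    $PJAC --command renew-certificate -a "$ACCOUNT_KEY" -w "$WORKDIR" \
        --cert-dir "$CERT_DIR" --csr "$CSR" >&2 || return 3
    if [ "$(cert_sum)" != "$before" ]; then echo renewed; else echo unchanged; fi
}

# Run only when invoked as "<script> --run", e.g. from a weekly cron entry.
if [ "${1:-}" = "--run" ]; then
    renew_all
fi
```

The script prints `renewed` only when cert.pem actually changed, so a web server reload can be limited to those runs; the return codes 1, 2 and 3 identify which step failed.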