1. Introduction

Securing websites with HTTPS encryption has become essential in today’s digital landscape. LetsEncrypt, a free, automated, and open Certificate Authority, plays a pivotal role in facilitating this. It offers SSL/TLS certificates to enable HTTPS on websites, ensuring secure communication between servers and clients. Certbot, a user-friendly command-line tool, simplifies the process of obtaining and managing these certificates.

In this tutorial, we’ll delve into the process of adding subdomains to LetsEncrypt using Certbot. We’ll explore two common scenarios: issuing a certificate for multiple domains and expanding an already-issued certificate with additional domains.

2. Understanding LetsEncrypt and Certbot

LetsEncrypt revolutionized the SSL/TLS certificate issuance process by providing free, automated, and domain-validated certificates. Generally, It aims to create a more secure and privacy-respecting Web. Certbot, developed by the Electronic Frontier Foundation (EFF), acts as an interface to LetsEncrypt, streamlining the certificate management process.

3. Installing and Using Certbot

Installing Certbot on most Linux distributions is straightforward. On Debian and Ubuntu, we can install it using apt-get:

$ sudo apt-get install certbot

For RedHat, Fedora, and RHEL derivatives, the EPEL repository needs to be enabled first, and then Certbot can be installed using yum:

$ sudo yum install epel-release
$ sudo yum install certbot

Once installed, Certbot can be invoked from the command line to obtain and install certificates. For instance, we can request a certificate for a specific domain:

$ sudo certbot certonly --manual --preferred-challenges=dns -d example.com

This command utilizes the DNS-01 challenge mechanism interactively to validate domain ownership and issue the certificate.

The DNS-01 challenge requires us to demonstrate control over our domain’s DNS by inserting a specific value into a TXT record within the domain. While more complex to set up compared to the HTTP-01 challenge, DNS-01 is applicable in situations where the HTTP-01 challenge isn’t suitable and also offers the capability to issue wildcard certificates.

In our example, we’re using the manual approach for simplification. As automation of issuance and renewals holds significant importance, it becomes logical to opt for DNS-01 challenges only if our DNS provider offers an API facilitating automated updates.

4. Issuing a Certificate for a Domain with Multiple Subdomains

In scenarios where we need to secure multiple domains or subdomains with a single certificate, Certbot simplifies the process. For example, we can specify all the domains we want to include in the certificate request:

$ sudo certbot certonly --manual --preferred-challenges=dns -d example.com -d www.example.com -d blog.example.com

This command generates a single certificate covering all specified domains. The certificate can be installed on multiple servers if our subdomains are hosted elsewhere. The maximum number of subject alternative names allowed per certificate is 100 as of the time of writing of this article.

5. Expanding an Already-Issued Certificate

Sometimes, we may need to add more domains to an already-issued certificate. Certbot’s –expand option comes in handy for this purpose. After issuing the domains’ certificate, we can expand it to include additional subdomains:

$ sudo certbot certonly --expand --manual --preferred-challenges=dns -d example.com -d www.example.com -d blog.example.com -d store.example.com

This command issues a new certificate that replaces the existing one, now including the newly added domain along with the previously covered domains.

6. Issuing a Certificate for a Wildcard Domain

Another scenario we may encounter is when we need to secure multiple subdomains with a single certificate without prior knowledge of the subdomain names. In this case, we can opt for a wildcard certificate. Wildcard certificates require using the DNS-01 challenge:

$ sudo certbot certonly --manual --preferred-challenges=dns -d example.com -d *.example.com

This command generates a certificate covering the base domain, example.com, in addition to any number of direct subdomains, such as blog.example.com, web.example.com, etc.

7. Conclusion

In conclusion, LetsEncrypt and Certbot offer a seamless solution for securing websites with HTTPS encryption. By following the steps outlined in this article, we can easily add subdomains to our existing LetsEncrypt certificates using Certbot.

Whether we’re issuing certificates for multiple domains or expanding an already issued certificate, Certbot simplifies the process, ensuring our website remains secure and accessible to users.

Inline Feedbacks
View all comments
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.