[SOLVED] How to add subdomains to Letsencrypt: "how to renew certificate and expand with subdomains"!

Hi, is it possible to add subdomains to Letsencrypt? I think the phrase is: how to renew certificate and expand with subdomains?

I’ve searched this forum and had a look at a bunch of tutorials, but because Freedombox seems to be a non-standard set up I can’t figure it out.

Any help is greatly appreciated.

1 Like

Letsencrypt - Adding Subdomains on Freedombox
My setup: Raspberry Pi 3B/ Raspbian GNU/Linux 10 (buster) and FreedomBox version 20.5.

(NOTE: the following is all part of a greater effort to get a TURN server running with Riot/Matrix and NextCloud Talk. As I understand it I need two secured subdomains to set up STUN and TURN!)

SOLUTION SUMMARY

To add subdomain names to an existing Letsencrypt certificate on a Freedombox the following commands worked for me.

Install the Apache server certbot connector:

sudo apt install python3-certbot-apache

Then add the subdomain names to the existing domain’s Letsencrypt certificate:

`sudo certbot --apache --expand -d domainname.com  -d subone.domainname.com -d subtwo.domainname.com`

Example:

`sudo certbot --apache --expand -d mydomain.ddnsfree.com  -d turn.mydomain.ddnsfree.com -d stun.mydomain.ddnsfree.com` 

BACKGROUND AND EXTENDED STEPS

I basically pieced together the above commands that I needed from these two pages (I have given a full explanation of the steps I went through with Freedombox to get this set up below):

The steps I followed

NOTE: I have used my test domain and subdomain names below, obviously these need to be changed for your domain and subdomain names.

Domain Name and DDNS Setup

  • set up a DDNS client. In my case I used the DDNS function on my DD-WRT router. But the built in Freedombox DDNS client can be used just as well;

  • set up the home router port forwarding to the Freedombox machine on the local network.

Freedombox Configuration

  • log into Freedombox as an admin user;

  • set up the domain in System > Configure – see screenshot below

  • get Letsencrypt certificate for the domain name, System > Letsencrypt – see screenshot below

Add Subdomains to Letsencrypt Certificate

  • open a terminal on the Freedombox machine (SSH into the box!)

  • install the Letsencrypt plug-in to connect with Apache server

sudo apt install python3-certbot-apache

NOTE: I initially got the error message `certbot: error: unrecognized arguments: --apache2` when running the command below, and then discovered that I had to install the python3-certbot-apache package, as above!

  • run the following Letsencrypt command to add the subdomains to the existing domain certificate:

    sudo certbot --apache --expand -d mydomain.ddnsfree.com -d turn.mydomain.ddnsfree.com -d stun.mydomain.ddnsfree.com

I then had to make a number of selections based on the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stun.mydomain.ddnsfree.com
http-01 challenge for turn.mydomain.ddnsfree.com
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/50-freedombox
Output from 50-freedombox:
Let's Encrypt calling deploy hook for FreedomBox: Domains: 'mydomain.ddnsfree.com turn.mydomain.ddnsfree.com stun.mydomain.ddnsfree.com' Lineage: '/etc/letsencrypt/live/mydomain.ddnsfree.com'

Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of turn.mydomain.ddnsfree.com.
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: freedombox-tls-site-macro.conf |                       | HTTPS | Enabled
2: freedombox-tls-site-macro.conf |                       | HTTPS | Enabled
3: 000-default.conf               |                       |       | Enabled
4: default-ssl.conf               |                       | HTTPS | Enabled
5: 000-default-le-ssl.conf        | mydomain.ddnsfree | HTTPS | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-5] then [enter] (press 'c' to cancel): 5 

NOTE: I chose option 5 (as can be seen above)

Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of stun.mydomain.ddnsfree.com.
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: freedombox-tls-site-macro.conf |                       | HTTPS | Enabled
2: freedombox-tls-site-macro.conf |                       | HTTPS | Enabled
3: 000-default.conf               |                       |       | Enabled
4: default-ssl.conf               |                       | HTTPS | Enabled
5: 000-default-le-ssl.conf        | Multiple Names        | HTTPS | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-5] then [enter] (press 'c' to cancel): 5

NOTE: I chose option 5 (as can be seen above)

Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

NOTE: I chose option 2 (as can be seen above)

Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:
https://mydomain.ddnsfree.com, https://turn.mydomain.ddnsfree.com, and
https://stun.mydomain.ddnsfree.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.ddnsfree.com
https://www.ssllabs.com/ssltest/analyze.html?d=turn.mydomain.ddnsfree.com
https://www.ssllabs.com/ssltest/analyze.html?d=stun.mydomain.ddnsfree.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.ddnsfree.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.ddnsfree.com/privkey.pem
   Your cert will expire on 2020-07-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Done!

Test the Subdomain HTTPS Connections

Test as per the suggestions in the output above.

I can now access my Freedombox with all three domain/subdomains via HTTPS without the browser complaining.

Joy!

Please let me know if I have done anything stupid here or if this could be achieved more efficiently or leave any other comment – thanks.

2 Likes
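A quick offline check worth running after `certbot --expand`, added here as an example and not part of the original post or of FreedomBox itself: read the subjectAltName of the lineage certbot just wrote and confirm every name you passed with `-d` is actually in it. This catches the common mistake of a typo'd `-d` argument, or of certbot having written the expanded certificate into a different lineage directory than the one Apache is serving. The block below builds a constructed self-signed certificate with the three names from the post so it runs anywhere with openssl; on the FreedomBox you would point `cert_covers` at `/etc/letsencrypt/live/mydomain.ddnsfree.com/fullchain.pem` (the path from the certbot output above) instead. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from FreedomBox): verify that a
# certificate covers every name passed to `certbot --expand`. Only openssl is
# used and nothing on the network is contacted. Needs OpenSSL 1.1.1 or later
# (Debian buster ships it) for the -ext / -addext options.
set -eu

# Print the DNS names listed in a PEM certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Usage: cert_covers CERT.pem NAME [NAME...]
# Exit 0 only if every NAME is present in the SAN; each missing name is
# reported on stderr so you can see exactly what --expand left out.
cert_covers() {
    cert="$1"; shift
    names=$(cert_dns_names "$cert")
    missing=0
    for want in "$@"; do
        if ! printf '%s\n' "$names" | grep -qx "$want"; then
            echo "MISSING from $cert: $want" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: a throwaway self-signed certificate carrying the three
# names used in the post, so the check can be exercised without a real
# Let's Encrypt lineage. On a FreedomBox, use
# /etc/letsencrypt/live/mydomain.ddnsfree.com/fullchain.pem instead.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=mydomain.ddnsfree.com" \
        -addext "subjectAltName=DNS:mydomain.ddnsfree.com,DNS:turn.mydomain.ddnsfree.com,DNS:stun.mydomain.ddnsfree.com" \
        >/dev/null 2>&1
    echo "$dir/cert.pem"
}

SAMPLE=$(make_sample_cert)

# All three names from the post are present: succeeds.
cert_covers "$SAMPLE" mydomain.ddnsfree.com turn.mydomain.ddnsfree.com stun.mydomain.ddnsfree.com \
    && echo "all requested names are covered by $SAMPLE"

# Failure mode: a name that was never passed to --expand is not in the SAN.
cert_covers "$SAMPLE" www.mydomain.ddnsfree.com \
    || echo "www.mydomain.ddnsfree.com is not in the certificate; re-run certbot --expand including it"
```

Because `--expand` rewrites the existing lineage rather than creating a new one, the path under `/etc/letsencrypt/live/` stays the same and `certbot renew` will keep renewing all three names together; the same check can therefore be re-run after any renewal, for example from a cron job, to confirm nothing was dropped.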