Tags: ssl, lets-encrypt

Automated way to add an alternative name to a letsencrypt cert


I am looking for an automated way to add a new domain.

I would like to add erzgebirgstraverse.de

From https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains :

... to expand the set of domains a certificate contains ...

certbot certonly --cert-name example.com -d example.org,www.example.org

I found a way to list all existing certs:

hz1:/etc/apache2# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: hz1.yz.to
    Serial Number: 345a3c36ff032d325e78120c98d8ddc71f7
    Domains: hz1.yz.to thomas-guettler.de
    Expiry Date: 2021-03-23 09:19:00+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/hz1.yz.to/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hz1.yz.to/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Now I see the existing domains, and could add erzgebirgstraverse.de with the -d flag:

hz1:/etc/apache2# certbot certonly --cert-name hz1.yz.to -d hz1.yz.to,thomas-guettler.de,erzgebirgstraverse.de

But now an interactive script starts:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 
systemctl reload apache2

Is there a way to add a new domain (alternative name) non-interactively?


Solution

  • By default, Certbot will try to assist you in the process of generating the certificates. In addition, it will prompt you for information to help installing them in your Apache/Nginx setup.

    To skip this installation step, simply use the certbot certonly ... subcommand. According to the CLI manpages: Obtain or renew a certificate, but do not install it

    Alternatively, you can use the flag -n/--non-interactive to make sure certbot will proceed without prompting for anything. In that case, you must ensure all needed information is passed through the command line. In particular, you must ensure you have already agreed to the Terms & Conditions (--agree-tos) and you have provided a valid contact email (-m email@domain). Example:

    certbot certonly --agree-tos -m contact@mydomain.com --cert-name hz1.yz.to -d hz1.yz.to,thomas-guettler.de,erzgebirgstraverse.de
    

    In your question, you were prompted for an authentication method. You must understand that Let's Encrypt must validate that the server on which you are executing the client can correctly be associated with the domain(s) for which you are trying to generate your certs. Available methods are:

    1. Apache Web Server plugin (apache) -> certbot will create apache settings so the HTTP challenge can be used to validate that the domains are actually associated with your server
    2. Spin up a temporary webserver (standalone) -> certbot will run its own webserver to perform the HTTP challenge. This can work only if no other webserver is listening on port 80 (apache & nginx will listen on that address). This method is probably useless on most servers
    3. Place files in webroot directory (webroot) -> If you already have an HTTP server listening on port 80, you can instruct certbot to put a file in the webroot directory so the HTTP challenge can be used.

    To pre-select one of the 3 available methods from the command line (and avoid the interactive prompt), use option --apache (1), --standalone (2) or --webroot (3).

    Keep in mind that the HTTP challenge is not the only solution to validate your server/domain coherence. DNS- and TLS-based challenges can be very useful: https://letsencrypt.org/docs/challenge-types/ I'm not sure certbot implements such challenges natively, but you can find third-party plugins that will.

    In addition, remember that certbot is NOT the only Let's Encrypt client available to generate your certificates. There are plenty of clients available: https://letsencrypt.org/docs/client-options/
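The flags the answer lists can be combined into a small script that rebuilds the -d list from what `certbot certificates` already reports, so nobody has to hand-copy the existing domains each time a SAN is added. This is an added example, not code from the original question or answer; the sample output is copied from the question, and the contact address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: expand an existing certbot
# certificate with one more SAN without interactive prompts, reusing the
# domain list that `certbot certificates` already reports.
set -eu

# Constructed sample: the `certbot certificates` output shown in the question.
SAMPLE_CERTBOT_OUTPUT="Found the following certs:
  Certificate Name: hz1.yz.to
    Serial Number: 345a3c36ff032d325e78120c98d8ddc71f7
    Domains: hz1.yz.to thomas-guettler.de
    Expiry Date: 2021-03-23 09:19:00+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/hz1.yz.to/fullchain.pem"

# Print the space-separated domains of one certificate name, parsed from
# `certbot certificates` output on stdin.
existing_domains() {
  awk -v name="$1" '
    $1 == "Certificate" && $2 == "Name:" { current = $3 }
    current == name && $1 == "Domains:" { $1 = ""; sub(/^ +/, ""); print; exit }
  '
}

# Merge the new domain into the existing list as a comma-separated -d
# argument; idempotent, so re-running with a name that is already on the
# certificate does not duplicate it.
merged_domain_list() {
  new_domain="$1"; shift
  list=""; found=0
  for d in "$@"; do
    [ "$d" = "$new_domain" ] && found=1
    list="${list:+$list,}$d"
  done
  [ "$found" -eq 1 ] || list="${list:+$list,}$new_domain"
  printf '%s\n' "$list"
}

# Compose the non-interactive command from the answer (--apache selects the
# authenticator up front, so the plugin menu never appears). Printed, not run.
build_certbot_cmd() {
  printf 'certbot certonly --non-interactive --agree-tos -m %s --apache --cert-name %s -d %s\n' \
    "$2" "$1" "$3"
}

CERT_NAME=hz1.yz.to
NEW_DOMAIN=erzgebirgstraverse.de
CONTACT_EMAIL=admin@example.com   # placeholder; use your real contact address
current=$(printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | existing_domains "$CERT_NAME")
domains=$(merged_domain_list "$NEW_DOMAIN" $current)
build_certbot_cmd "$CERT_NAME" "$CONTACT_EMAIL" "$domains"
```

On a real host, replace the sample with `certbot certificates | existing_domains hz1.yz.to`, and append `--dry-run` to the printed command to rehearse against the staging CA before the live certificate is touched.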