[GH-ISSUE #921] Adding new subdomains to existing certificate #779

Open
opened 2026-02-26 06:34:23 +03:00 by kerem · 9 comments

Originally created by @crovaxon on GitHub (Mar 1, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/921

Are you in the right place?
I hope I am, as I am considering this a feature request I could not find by searching in the existing issues.

Is your feature request related to a problem? Please describe.
Currently there is no way to add subdomains to an existing certificate using the UI, unless I am mistaken. I would have to remove my existing certificate and reissue it with all previous subdomains including the new one. I haven't done that yet because I did not want to risk breaking my existing proxy settings and potentially have to edit each and set the certificate again after having it recreated.

Describe the solution you'd like
Ability to add one or more new subdomains to an existing certificate via the comfortable UI this project offers. Certbot itself is able to do so via expanding onto the existing certificate. This will renew it and also add the new domains. See https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

Describe alternatives you've considered
Dropping to terminal in my docker instance and manually interacting with certbot to do the expansion like I was doing it prior to switching to NGM as my reverse proxy. I do not plan to add subdomains very often but when I do, it would be nice to not have to do it manually. Also I am not sure if NGM will actually pick up on the manual change, which is why I have not tried to do that yet.

Additional context
No extra context


@steffenrh commented on GitHub (Apr 25, 2021):

Sorry, I couldn't find another way to upvote this enhancement proposal. But I painfully miss this feature, too. I've already made a cert expansion once, but it is pretty laborious:

  1. Write down all the domain names in your existing cert.
  2. Create a new cert request
  3. Copy and insert all existing and new domain names one by one into the dialog (the dialog requires input validation for each domain separately).
  4. Let certbot create a totally new certificate (which is not the recommended way due to the existing --expand option)
  5. After creation, open each configured Proxy host or Redirect and edit its settings. Replace the old cert with the new cert and save.
  6. If you have post hook processes (e.g. replicating the cert for your mail container), then you have to adjust your scripts, as the new certificate has been stored in a different npm-<number> folder. If I'm not wrong...

Having an "Add subdomain" / "Edit subdomains" button would be a vast improvement for the whole process.


@GAS85 commented on GitHub (Feb 20, 2023):

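I use LetsEncrypt for a longer time and there is even **no need** to `expand` Certificate. You can simply add new domains to existing one with command via [Changing a Certificate’s Domains](https://eff-certbot.readthedocs.io/en/stable/using.html#changing-a-certificate-s-domains):

```bash
certbot certonly --cert-name example.com --domains example.com,example2.com,example3.com
```

Or remove from the Certification via:

```bash
certbot certonly --cert-name example.com --domains example.com
```

So, basically there is ZERO changes in code, because you are using this [feature already with domain separation via `,`](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/fd30cfe98bba365e9630a791bdc86f01c08c6fa1/backend/internal/certificate.js#L845). What is missing is only **Edit** button.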

**UPDATE**:
Workaround how to add/remove domain manually.

  1. You need to find out cert name, here it is used with [`npm-` prefix](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/fd30cfe98bba365e9630a791bdc86f01c08c6fa1/backend/internal/certificate.js#L840). E.g. if your container name is `npm`:

     ```bash
     docker exec npm ls -la /etc/letsencrypt/live/ | grep npm-
     drwxrwxr-x+ 2 root root 4096 Dec 23 10:37 npm-2
     ```

  2. Temporarily disable "Force SSL" for needed Proxy via Proxy-->Edit-->SSL
  3. Now you can add additional domains/subdomains to this certificate, you shall provide [webroot-path](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/1f3ac7a9ec80ec49a1c13ebcc46ab3f48ae026f4/docker/rootfs/etc/letsencrypt.ini#L3) and [authenticator type](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/fd30cfe98bba365e9630a791bdc86f01c08c6fa1/backend/internal/certificate.js#L842) and cert-name from above, e.g. `npm-2`. **You have to provide all domains**

     ```bash
     docker exec -it npm certbot certonly --cert-name npm-2 --domains example.com,example2.com --authenticator webroot --webroot-path /data/letsencrypt-acme-challenge
     ```

     Output:

     ```
     Saving debug log to /var/log/letsencrypt/letsencrypt.log

     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     An ECDSA certificate named npm-2 already exists. Do you want to update its key
     type to RSA?
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     (U)pdate key type/(K)eep existing key type: K

     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     You are updating certificate npm-2 to include new domain(s):
     + example2.com

     You are also removing previously included domain(s):
     (None)

     Did you intend to make this change?
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     (U)pdate certificate/(C)ancel: U
     Renewing an existing certificate for example.com and example2.com

     Successfully received certificate.
     Certificate is saved at: /etc/letsencrypt/live/npm-2/fullchain.pem
     Key is saved at:         /etc/letsencrypt/live/npm-2/privkey.pem
     This certificate expires on 2023-05-21.
     These files will be updated when the certificate renews.

     NEXT STEPS:
     - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     If you like Certbot, please consider supporting our work by:
      * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
      * Donating to EFF:                    https://eff.org/donate-le
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     ```

  4. Enable "Force SSL" back.
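
The workaround above requires the complete domain list on every run, so a name left out of `--domains` is removed from the certificate. The following script is an added example, not part of the original comment or of Nginx Proxy Manager: it reads the names currently on the certificate from `certbot certificates` output, merges them with the names to add, and prints the `certbot certonly` command for review. The function names and the embedded sample listing are constructed for illustration; the container name `npm`, the cert name `npm-2` and the webroot path are the ones used in the comment.

```bash
#!/usr/bin/env bash
# Added example: build the complete --domains list for an existing certbot
# certificate so that adding a name never drops one already on it.

# Print the names on the "Domains:" line of `certbot certificates` output (stdin).
current_domains() {
    awk '$1 == "Domains:" { for (i = 2; i <= NF; i++) print $i }'
}

# Merge existing names (stdin, one per line) with new names (arguments):
# lowercase, drop blanks and duplicates, keep order, join with commas.
merge_domains() {
    { cat; printf '%s\n' "$@"; } |
        tr '[:upper:]' '[:lower:]' |
        awk 'NF && !seen[$0]++' |
        paste -sd, -
}

# Constructed sample of what `docker exec npm certbot certificates
# --cert-name npm-2` prints (only the lines this script relies on).
SAMPLE_LISTING='  Certificate Name: npm-2
    Domains: example.com example2.com'

# $1 = cert name, $2 = listing text, remaining args = names to add.
# Refuses to continue when the listing shows no names, because the merged
# list would then contain only the new names.
build_command() {
    cert_name=$1
    listing=$2
    shift 2
    existing=$(printf '%s\n' "$listing" | current_domains)
    if [ -z "$existing" ]; then
        echo "no existing domains found for $cert_name; aborting" >&2
        return 1
    fi
    domains=$(printf '%s\n' "$existing" | merge_domains "$@")
    printf 'certbot certonly --cert-name %s --domains %s' "$cert_name" "$domains"
    printf ' --authenticator webroot --webroot-path %s\n' \
        /data/letsencrypt-acme-challenge
}

# Print the command for review instead of running it.
build_command npm-2 "$SAMPLE_LISTING" example3.com Example2.com
```

Certbot still shows the added and removed names and asks for confirmation, as in the output above, so the "removing previously included domain(s)" line remains the final check before the certificate is reissued.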

@github-actions[bot] commented on GitHub (Mar 17, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@GAS85 commented on GitHub (Mar 17, 2024):

👍


@crovaxon commented on GitHub (Mar 21, 2024):

👍


@github-actions[bot] commented on GitHub (Dec 14, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@GAS85 commented on GitHub (Dec 14, 2024):

👍


@github-actions[bot] commented on GitHub (Nov 10, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@GAS85 commented on GitHub (Nov 10, 2025):

👍
