Transitioning to Let's Encrypt wildcard certificates

A month ago I issued a wildcard certificate for *.paranoidpenguin.net and patiently awaited the expiration of my old HPKP policy. Eventually the time to install the new key and certificate arrived, but to my great dismay, things did not turn out according to plan. Upon restarting the Apache web server, I got served with the following (epic) failure:

AH01909: www.blog.paranoidpenguin.net:443:0 server certificate does NOT include an ID which matches the server name

What I had failed to take into account was that the fact that a wildcard certificate for *.paranoidpenguin.net would not cover additional levels of subdomains. In short, www.paranoidpenguin.net and blog.paranoidpenguin.net will both match *.paranoidpenguin.net, but www.blog.paranoidpenguin.net on the other hand, well not so much.

I would really like to get rid of the moronic www.blog multi-level subdomain so if you happen to be one of my RSS subscribers and are reading this, then please consider pointing your reader to blog.paranoidpenguin.net instead.

Anyhow, I decided I needed to issue a new wildcard certificate covering two levels of subdomains. In my case, that would mean *.paranoidpenguin.net and *.blog.paranoidpenguin.net.

Thankfully the awesome acme.sh script allowed me to achieve this (without reconfiguration) using the following oneliner:

acme.sh --issue -d paranoidpenguin.net -d '*.paranoidpenguin.net' -d '*.blog.paranoidpenguin.net' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

After adding the needed DNS records to complete the challenge, it was simply a matter of issuing the following command to retrieve my new certificate:

acme.sh --renew -d paranoidpenguin.net --force –yes-I-know-dns-manual-mode-enough-go-ahead-please

After this little detour, I could finally install my brand new multi-level subdomain wildcard certificate.