-0001 cert directories?

I'm trying to clean up my certificates for a handful of domains hosted on a single Nginx server. In /etc/letsencrypt/archive, some domain directories have gotten duplicated, with -0001 or -0002 appended to their names (with matching directories in live/). I tried deleting the directories altogether and re-running certbot certonly, but that just created another one (the one with -0002 on the end).

I realize now that there are also directories in renewal/. If I delete all of these, will that let certbot re-create them without the unique appendix?

Probably not.

The primary reason for such appended numbers is that the renewing cert doesn't cover the exact same set of names.
Might have one more name [or one less name], but for whatever reason it wants to keep the same cert name - which it can't, so it makes one with such added numbers.

If your renewal request uses a specific "--cert-name", that can be part of such a problem.
If you're using "--expand", that can be part of such a problem.

Using certbot certificates should show all the names on each of the certs, and that may make it easier to see why those additional certs were created, and for you to see which ones you still need and which ones you don't.

4 Likes

Also, it's best to use certbot delete to remove certificates.

If you're trying to clean up from a partial manual deletion, you'll want to delete all of the associated files and directories in /etc/letsencrypt/renewal, /etc/letsencrypt/live, and /etc/letsencrypt/archive, like /etc/letsencrypt/renewal/example.com-0001.conf, /etc/letsencrypt/live/example.com-0001, and /etc/letsencrypt/archive/example.com-0001. Hopefully there are no cross-references between certificates with different names (which could somehow happen with older versions of Certbot when things were incompletely manually deleted, but which I don't think can happen nowadays).

As @rg305 mentioned, the -0001 certs happen when you have partially overlapping certificates but don't explicitly request one or more names from the old certificate, and also don't specify replacing the old certificate with --cert-name. Without --cert-name, Certbot is never willing to replace a certificate with a newer version that contains even one name fewer, so it instead creates the -0001 certificate in order to allow the old certificate to continue to exist.

3 Likes
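To make the cleanup described above less error-prone, here is an added audit script (not from the original thread or from Certbot itself) that walks a Certbot config directory and reports two things: lineages that exist in only some of renewal/, live/ and archive/ (the partial-manual-deletion case), and lineages whose name carries a -000N suffix together with the base name Certbot was refusing to overwrite. It assumes the standard layout (renewal/NAME.conf, live/NAME/, archive/NAME/) under a directory you pass in, defaulting to /etc/letsencrypt. It only reads; removing a lineage is still done with certbot delete --cert-name NAME, which is also the name you would pass to --cert-name when reissuing so the $host naming scheme from later in the thread stays predictable.

```shell
#!/bin/sh
# Added example: audit a Certbot config directory for numbered (-000N)
# lineages and for lineages that were only partially deleted by hand.
# Assumes the standard Certbot layout:
#   $dir/renewal/NAME.conf   $dir/live/NAME/   $dir/archive/NAME/
# Read-only: nothing here deletes or rewrites anything.

# Every lineage name mentioned in any of the three locations, sorted, unique.
# live/ also contains a README file, so only directories (trailing /) are taken.
list_lineages() {
  dir="$1"
  {
    for f in "$dir"/renewal/*.conf; do
      [ -e "$f" ] || continue
      basename "$f" .conf
    done
    for d in "$dir"/live/*/ "$dir"/archive/*/; do
      [ -d "$d" ] || continue
      basename "$d"
    done
  } | sort -u
}

# Print "NAME missing: <locations>" for each lineage that is not present in
# all three of renewal/, live/ and archive/ (leftovers of a manual deletion).
find_partial() {
  dir="$1"
  list_lineages "$dir" | while read -r name; do
    missing=""
    [ -f "$dir/renewal/$name.conf" ] || missing="$missing renewal"
    [ -d "$dir/live/$name" ]         || missing="$missing live"
    [ -d "$dir/archive/$name" ]      || missing="$missing archive"
    [ -z "$missing" ] || echo "$name missing:$missing"
  done
}

# Print "NUMBERED_NAME BASE_NAME" for each lineage with a -000N suffix, so the
# duplicate can be compared against the lineage it was created alongside.
find_numbered() {
  dir="$1"
  list_lineages "$dir" | while read -r name; do
    case "$name" in
      *-[0-9][0-9][0-9][0-9])
        base=${name%-[0-9][0-9][0-9][0-9]}   # strip the trailing -000N
        echo "$name $base"
        ;;
    esac
  done
}

# Usage: sh audit-lineages.sh [/etc/letsencrypt]
if [ "$#" -gt 0 ]; then
  dir="${1:-/etc/letsencrypt}"
  echo "== partially deleted lineages =="
  find_partial "$dir"
  echo "== numbered lineages (duplicate base) =="
  find_numbered "$dir"
fi
```

Run it as root against /etc/letsencrypt, then feed each reported name to certbot certificates to see which SANs it actually covers before deciding which lineage to keep and which to remove with certbot delete.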

Thanks for the info. I'll try using delete to clean things up.

One thing I was hoping to be able to do was write my config files like this:

ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem;

This would make it a lot easier to copy & paste configs when I add new websites (or fix up older ones). I don't do a ton of these, but I have a dozen or so. I guess if I want to pursue that, I have to be much more diligent about how I invoke certbot.

1 Like

You can always specify the certificate name with --cert-name when creating a new certificate, instead of having Certbot choose one for you. In that case you will have total control over it and no surprises, which can potentially work well with your $host goal (although I think it's fair to describe this as being more diligent about how you invoke certbot).

4 Likes
