2 Let's Encrypt certificates found


#1

Is it normal for my /etc/letsencrypt/live/ directory to have two certificates? One dir and certificate for "example".com and another for "example".com-0001?

PS: I am only running one website.


#2

Have you run things more than once, with slightly different requests? (I’d guess one without the www and one with the www on your domain name.)


#3

Hello @tiferrei,

It’s normal if you removed one or more domains that were available in your first cert when you generated the last cert, or if you added some domain and didn’t use the --renew-by-default or --expand switches… or if you used the --duplicate switch.

Do you remember the exact commands that you used to create both certificates?

Also, if you want to know the domains included in the certs you can use these commands (replace domain.tld with your actual domain) and check the output after X509v3 Subject Alternative Name:; you will see your domains in this format: DNS:domain.tld, DNS:www.domain.tld, DNS:foo.domain.tld

Check domain.tld dir
openssl x509 -in /etc/letsencrypt/live/domain.tld/cert.pem -noout -text

Check domain.tld-0001 dir
openssl x509 -in /etc/letsencrypt/live/domain.tld-0001/cert.pem -noout -text

Below commands do the same but will list your domains directly:

Check domain.tld dir listing domains (sed removes the literal "DNS:" label; tr -d "DNS:" would delete every D, N, S and ":" character instead)
openssl x509 -in /etc/letsencrypt/live/domain.tld/cert.pem -noout -text | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | sed 's/DNS://g' | tr "," "\n"

Check domain.tld-0001 dir listing domains
openssl x509 -in /etc/letsencrypt/live/domain.tld-0001/cert.pem -noout -text | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | sed 's/DNS://g' | tr "," "\n"

Cheers,
sahsanu
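As an added example (not from this thread or from certbot itself), the commands above generalized into a POSIX shell script: it extracts the SANs of every lineage under /etc/letsencrypt/live and reports whether each -NNNN lineage's names are all already present in its base lineage, which is the case where it can be ignored. The live/ layout, the cert.pem file name and the -NNNN suffix pattern are assumptions based on certbot's default layout.

```shell
#!/bin/sh
# Added example: compare the SAN sets of <name> and <name>-NNNN lineages.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # assumed certbot default layout

# Read `openssl x509 -noout -text` output on stdin; print one SAN per line, sorted.
# sed removes the literal "DNS:" label; `tr -d "DNS:"` would delete every D, N, S
# and ':' character instead of the label.
sans_from_text() {
    awk '/X509v3 Subject Alternative Name/ { getline; gsub(/ /, "", $0); print }' \
        | sed 's/DNS://g' | tr ',' '\n' | sed '/^$/d' | sort
}

# SANs of a PEM certificate file, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text | sans_from_text
}

# Return 0 if every name in $1 also appears in $2 (both newline-separated lists).
sans_covered_by() {
    for san in $1; do
        printf '%s\n' "$2" | grep -Fxq -- "$san" || return 1
    done
    return 0
}

# For each <name>-NNNN lineage, report whether the base <name> lineage covers it.
check_lineages() {
    for dir in "$LIVE_DIR"/*-[0-9][0-9][0-9][0-9]; do
        [ -f "$dir/cert.pem" ] || continue
        base="${dir%-[0-9][0-9][0-9][0-9]}"
        if [ ! -f "$base/cert.pem" ]; then
            printf '%s: no base lineage at %s\n' "$dir" "$base"
        elif sans_covered_by "$(cert_sans "$dir/cert.pem")" "$(cert_sans "$base/cert.pem")"; then
            printf '%s: every SAN is also in %s; it can be ignored\n' "$dir" "$base"
        else
            printf '%s: has SANs missing from %s; keep it until vhosts are moved\n' "$dir" "$base"
        fi
    done
}

# Constructed excerpt of `openssl x509 -text` output, used as a self-test input.
SAMPLE_TEXT='            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com
            X509v3 Key Usage: critical'
demo_sans() { printf '%s\n' "$SAMPLE_TEXT" | sans_from_text; }

if [ "${1:-}" = "--check" ]; then check_lineages; fi
```

Run it as `sh script.sh --check` (as a user that can read /etc/letsencrypt/live) to get one line per -NNNN lineage; the reported names are what a web server vhost actually matches on.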


#4

I quite possibly ran the command more than once, as it wasn’t working the first time I tried. This will probably help:
https://community.letsencrypt.org/t/lets-encrypt-auto-setup-not-showing-domain/?source_topic_id=8223

PS: The CN is the same but the example.com has the DNS for both the www and the one without the www, while the 0001 one only has the DNS for the non www.


#5

So that is the answer: you created a second cert removing the www domain, so Let’s Encrypt created a new cert. There is no problem at all; you can ignore the -0001 cert. When you renew the cert, remember to add the same domains as your first cert (with and without www) and Let’s Encrypt will renew the right cert.

Cheers,
sahsanu


#6

Ah ok, thanks a lot!

But for example, if I have a virtual host using the 0001 one, then does changing it to the example.com dir still work?


#7

Probably the other way around :wink: I think the 0001-cert (just the example.com SAN version) is a “backup” of the first certificate and the non-0001 cert is the 2nd certificate, i.e., when @tiferrei found out he could add multiple domains to a single certificate.

@tiferrei If the non-0001 certificate has both the www.example.com and example.com domain in the subjectAltName extension, then it will work fine. The CN field of a certificate is deprecated anyway. Clients only look at the subjectAltName field nowadays.


#8

Hum, and if I switch to using just one, then I can remove the other dir, right?


#9

If there’s no reference to that directory in your configuration files, sure. But you should also remember: the /live/ directory contains symbolic links to the actual files in the /archive/ directory. Just removing the symbolic links will leave residual files in the /archive/ directory, so perhaps you should look in that directory too.

Also, what’s the harm in just leaving the directory?


#10

Yes, actually good point, it won’t be used but it doesn’t bite :slight_smile:


#11

Hi @Osiris,

-000x dirs are created not as a backup but as a new cert directory, because a new cert with the same CN domain (but some domain removed) is already in use. Those dirs are also created when you use the --duplicate switch, or when you add a domain that was not included in the first certificate and don’t use the --renew-by-default or --expand switches.

I tested it yesterday 7 times (in staging) because of this post :wink:

Cheers,
sahsanu


#12

Just a question: when I need to renew my certificate, which options should I use with the command so that it won’t generate a 0001 again?


#13

You should use exactly the same command that you used to create the first certificate, just adding the --renew-by-default switch to that command.


#14

Alright, thanks again!


#15

Granted, backup isn’t the right term :slightly_smiling:


#16

I believe the -0001 certificates were created by an earlier beta version of letsencrypt.

Delete both the example.com and the example.com-0001 files (from various places in /etc/letsencrypt) and then re-install the certificate.