Bugs / issues regarding automating updates of some 50+ certs that left out the mail subdomain

Hello All,

I asked this question recently, regarding how I'd not had the foresight to include mail.DOMAIN in the list of each of the great many certificates I need to support encryption on the domains I am managing.

Simply, I forgot to include mail. in front of each of the domains I got certs for. And, these certs already include BOTH other domains AND other subdomains, so "it's complicated," which is why I really need to solve this with a script - please see the aforementioned question for details.

So, as outlined there, I opted to script the solution rather than running things "by hand", since there are so many. I figured this would be a big win. But, it doesn't work - at least it doesn't APPEAR to work... (more on that below)

The reason is because when I run a command like this:

certbot --expand -d SomeDomain.com -d www.SomeDomain.com -d mail.SomeDomain.com

it fails with:

We were unable to find a vhost with a ServerName or Address of SomeDomain.com.
Which virtual host would you like to choose?

I tried a great many varieties of this, including the advice found under "Recreating and Updating Existing Certificates," and, literally - and I DO mean literally - all the related materials, including changing the command syntax considerably. I tried so many things, I cannot possibly cite them all.

Notably, it always errantly said, "No vhost exists with servername or alias of DOMAIN...", which is clearly false, and ALWAYS poses a question I cannot easily answer on which one it means, NOT ONLY because it always says "Multiple Names", so I can't do this easily "live", from a command line - remember, there are some 50+ entries! - and especially not in a script.

Heck, when this following certbot command works perfectly, it's a mystery why the aforementioned command is lost:

$ certbot certificates | grep DOMAIN

And this shows a perfect match of the exact domain used FIRST in all the various commands tried; it's a complete mystery why these commands fail.

What's worse, having tried all this and NOT having tracked exactly which command did it, late in the effort, having believed the error messages meant I got nowhere, I later did:

$ certbot certificates | grep DOMAIN

and discovered that I now have TWO certificates for that domain (and I really don't know how to delete the one and not the other without screwing things up) and have confirmed that "they work." That is, Dovecot accepts them and I now have email clients connecting on this ONE domain I did "by hand."

Trouble is, I don't know which of these commands actually worked. They ALL gave errors and I NEVER picked one, always choosing to "cancel." OBVIOUSLY the code is broken.

Aside from the fact I cannot tell you which commands actually created the two certificates, it's obvious these are bugs.

So, I have several questions:

  1. I want to automate the update of the rest of these domains, but how can I do so given certbot claims it can't find the chosen domain even when it does?

  2. How can I delete ONE of the two certs without deleting both, especially since certbot seems so confused in the first place?

  3. How do I properly report bugs on certbot?

Thank you very much for your consideration. ... As wonderful as Let's Encrypt and certbot are, nothing's perfect, so I'd like to help us improve our effort, and bug reporting is a part of that..... Thanks for your help.

1 Like
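An added example, written for this thread and not code from the original post or from certbot: it parses the output of `certbot certificates`, adds the missing mail. name to each certificate's domain list without reordering the names already there, builds the expansion command with --cert-name so certbot updates the existing lineage instead of creating a second one, and flags lineages that were already duplicated (certbot names those NAME-0001). The sample listing is constructed, and the authenticator options (webroot, standalone, etc.) are left for you to append to the generated command.

```python
import re

# Constructed sample of `certbot certificates` output (not from a real server).
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: somedomain.com
    Domains: somedomain.com www.somedomain.com otherdomain.net www.otherdomain.net
  Certificate Name: somedomain.com-0001
    Domains: somedomain.com www.somedomain.com mail.somedomain.com
"""

def parse_certificates(text):
    """Map each 'Certificate Name' to its 'Domains' list, in listing order."""
    certs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            certs[current] = []
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current is not None:
            certs[current] = m.group(1).split()
    return certs

def apex_of(name):
    """Strip a leading 'www.' or 'mail.' label to get the base domain."""
    return re.sub(r"^(www|mail)\.", "", name)

def planned_domains(domains):
    """Keep the existing order (the first -d name matters) and append mail.<apex> where missing."""
    out = list(domains)
    for apex in dict.fromkeys(apex_of(d) for d in domains):  # unique apexes, ordered
        if f"mail.{apex}" not in out:
            out.append(f"mail.{apex}")
    return out

def expand_command(cert_name, domains):
    """Build the expansion command; --cert-name pins the lineage so no NAME-0001 copy is created."""
    return " ".join(["certbot", "--expand", "--cert-name", cert_name]
                    + [f"-d {d}" for d in planned_domains(domains)])

def duplicate_lineages(certs):
    """Group lineage names that share a base name, e.g. X and X-0001, for cleanup review."""
    groups = {}
    for name in certs:
        groups.setdefault(re.sub(r"-\d{4}$", "", name), []).append(name)
    return {base: names for base, names in groups.items() if len(names) > 1}
```

Pipe a real listing in with `certbot certificates | python3 -c '...'` (or read it from a file) and review the generated commands before running any of them; the duplicate report tells you which --cert-name to hand to `certbot delete`.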

Please show the screen for clarity.

You can delete any cert shown by:
certbot certificates
with:
certbot delete --cert-name {give the name of the cert you want to delete}

1 Like

Sorry, I made a typo, already edited out - try a refresh!

2 Likes

Please show the output of just:
certbot certificates

1 Like

Thanks, rg305, but it's past midnight and I have to retire. I'll be back at it in some 8 or ten hours or so, I imagine... Regards!

2 Likes

For review upon your return:

[image attachment]

1 Like