Certbot after successful challenge is creating certificates in the past

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: warights.org

I ran this command: certbot --manual certonly --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d furtopia.org -d *.furtopia.org -d inlightof.us -d *.inlightof.us -d artstyle.us -d *.artstyle.us -d kcff.net -d *.kcff.net -d twotreesinc.org -d *.twotreesinc.org -d warights.org -d *.warights.org -d whiteshepherd.net -d *.whiteshepherd.net

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/furtopia.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/furtopia.org/privkey.pem
    Your cert will expire on 2021-04-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

My web server is (include version): Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version): Debian aarch64 (Pi OS 64)

My hosting provider, if applicable, is: Personal server with static IPs

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Because I am using wildcards I have (to my knowledge) been required to run manual renewals with: certbot: certbot --manual certonly --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d furtopia.org -d *.furtopia.org -d inlightof.us -d *.inlightof.us -d artstyle.us -d *.artstyle.us -d kcff.net -d *.kcff.net -d twotreesinc.org -d *.twotreesinc.org -d warights.org -d *.warights.org -d whiteshepherd.net -d *.whiteshepherd.net

It has been working up till today when renewal succeed with a odd message:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/furtopia.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/furtopia.org/privkey.pem
    Your cert will expire on 2021-04-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

As you can see it created a cert set to expire in the past? The files in /etc/letsencrypt/live/furtopia.org/ are dated May 4th. The server time/date is correct. But it succeeded in making a cert set to expire in the past? Not sure what I'm missing?

1 Like

What's the output of certbot certificates?

1 Like

I'm assuming the system time is all correct?

1 Like

Inside the .pem files is the begin/end of the files with data in-between.

Server time is correct.

I find this usually happens as a result of the symbolic links in the live folder getting out of sync with the files in the archive folder. This is almost always due to manual actions of some kind.

What are the outputs of these commands?

sudo ls -lRa /etc/letsencrypt/archive
sudo ls -lRa /etc/letsencrypt/live

sudo ls -lRa /etc/letsencrypt/archive produces:

/etc/letsencrypt/archive:
total 20
drwx------+ 5 root root 4096 Jan 19 22:18 .
drwxr-xr-x+ 9 root root 4096 May 4 03:05 ..
drwxr-xr-x+ 2 root root 4096 May 4 00:19 furtopia.org
drwxr-xr-x+ 2 root root 4096 Oct 25 2020 furtopia.org-0001
drwxr-xr-x+ 2 root root 4096 Jan 19 22:18 furtopia.org-0002

/etc/letsencrypt/archive/furtopia.org:
total 40
drwxr-xr-x+ 2 root root 4096 May 4 00:19 .
drwx------+ 5 root root 4096 Jan 19 22:18 ..
-rw-r--r--+ 1 root root 2212 Aug 8 2020 cert1.pem
-rw-r--r--+ 1 root root 2110 May 4 00:19 cert2.pem
-rw-r--r--+ 1 root root 1647 Aug 8 2020 chain1.pem
-rw-r--r--+ 1 root root 1586 May 4 00:19 chain2.pem
-rw-r--r--+ 1 root root 3859 Aug 8 2020 fullchain1.pem
-rw-r--r--+ 1 root root 3696 May 4 00:19 fullchain2.pem
-rw-------+ 1 root root 1704 Aug 8 2020 privkey1.pem
-rw-------+ 1 root root 1708 May 4 00:19 privkey2.pem

/etc/letsencrypt/archive/furtopia.org-0001:
total 40
drwxr-xr-x+ 2 root root 4096 Oct 25 2020 .
drwx------+ 5 root root 4096 Jan 19 22:18 ..
-rw-r--r--+ 1 root root 2171 Oct 23 2020 cert1.pem
-rw-r--r--+ 1 root root 2228 Oct 25 2020 cert2.pem
-rw-r--r--+ 1 root root 1647 Oct 23 2020 chain1.pem
-rw-r--r--+ 1 root root 1647 Oct 25 2020 chain2.pem
-rw-r--r--+ 1 root root 3818 Oct 23 2020 fullchain1.pem
-rw-r--r--+ 1 root root 3875 Oct 25 2020 fullchain2.pem
-rw-------+ 1 root root 1704 Oct 23 2020 privkey1.pem
-rw-------+ 1 root root 1704 Oct 25 2020 privkey2.pem

/etc/letsencrypt/archive/furtopia.org-0002:
total 24
drwxr-xr-x+ 2 root root 4096 Jan 19 22:18 .
drwx------+ 5 root root 4096 Jan 19 22:18 ..
-rw-r--r--+ 1 root root 2110 Jan 19 22:18 cert1.pem
-rw-r--r--+ 1 root root 1586 Jan 19 22:18 chain1.pem
-rw-r--r--+ 1 root root 3696 Jan 19 22:18 fullchain1.pem
-rw-------+ 1 root root 1704 Jan 19 22:18 privkey1.pem

sudo ls -lRa /etc/letsencrypt/live produces:

/etc/letsencrypt/live/furtopia.org:
total 12
drwxr-xr-x+ 2 root root 4096 May 4 12:25 .
drwx------+ 6 root root 4096 Jan 19 22:18 ..
lrwxrwxrwx 1 root root 41 May 4 01:12 cert.pem -> ../../archive/furtopia.org-0002/cert1.pem
lrwxrwxrwx 1 root root 42 May 4 01:13 chain.pem -> ../../archive/furtopia.org-0002/chain1.pem
lrwxrwxrwx 1 root root 46 May 4 01:14 fullchain.pem -> ../../archive/furtopia.org-0002/fullchain1.pem
lrwxrwxrwx 1 root root 44 May 4 01:15 privkey.pem -> ../../archive/furtopia.org-0002/privkey1.pem
-rw-r--r--+ 1 root root 692 Apr 11 12:37 README

/etc/letsencrypt/live/furtopia.org-0001:
total 12
drwxr-xr-x+ 2 root root 4096 Oct 30 2020 .
drwx------+ 6 root root 4096 Jan 19 22:18 ..
lrwxrwxrwx 1 root root 41 Oct 30 2020 cert.pem -> ../../archive/furtopia.org-0001/cert2.pem
lrwxrwxrwx 1 root root 42 Oct 30 2020 chain.pem -> ../../archive/furtopia.org-0001/chain2.pem
lrwxrwxrwx 1 root root 46 Oct 30 2020 fullchain.pem -> ../../archive/furtopia.org-0001/fullchain2.pem
lrwxrwxrwx 1 root root 44 Oct 30 2020 privkey.pem -> ../../archive/furtopia.org-0001/privkey2.pem
-rw-r--r--+ 1 root root 692 Oct 30 2020 README

/etc/letsencrypt/live/furtopia.org-0002:
total 12
drwxr-xr-x+ 2 root root 4096 Jan 19 22:18 .
drwx------+ 6 root root 4096 Jan 19 22:18 ..
lrwxrwxrwx 1 root root 41 Jan 19 22:18 cert.pem -> ../../archive/furtopia.org-0002/cert1.pem
lrwxrwxrwx 1 root root 42 Jan 19 22:18 chain.pem -> ../../archive/furtopia.org-0002/chain1.pem
lrwxrwxrwx 1 root root 46 Jan 19 22:18 fullchain.pem -> ../../archive/furtopia.org-0002/fullchain1.pem
lrwxrwxrwx 1 root root 44 Jan 19 22:18 privkey.pem -> ../../archive/furtopia.org-0002/privkey1.pem
-rw-r--r--+ 1 root root 692 Jan 19 22:18 README

/etc/letsencrypt/live/furtopia.org.old.1:
total 12
drwxr-xr-x+ 2 root root 4096 Aug 10 2020 .
drwx------+ 6 root root 4096 Jan 19 22:18 ..
lrwxrwxrwx 1 root root 36 Aug 8 2020 cert.pem -> ../../archive/furtopia.org/cert1.pem
lrwxrwxrwx 1 root root 37 Aug 8 2020 chain.pem -> ../../archive/furtopia.org/chain1.pem
lrwxrwxrwx 1 root root 41 Aug 8 2020 fullchain.pem -> ../../archive/furtopia.org/fullchain1.pem
lrwxrwxrwx 1 root root 39 Aug 8 2020 privkey.pem -> ../../archive/furtopia.org/privkey1.pem
-rw-r--r--+ 1 root root 692 Aug 8 2020 README

I see some May files in /etc/letsencrypt/archive/furtopia.org But does not look like they are linked?

1 Like

Yep, there are certainly some issues. We'll get things resolved though. :slightly_smiling_face:


The symbolic links in this directory:

/etc/letsencrypt/live/furtopia.org

are pointing to the files in this directory:

/etc/letsencrypt/archive/furtopia.org-0002

that contains this certificate acquired on January 19:

https://crt.sh/?id=3953771376

that expires on April 20.

Mystery solved. :face_with_monocle:


Now, let's clean house! :broom:

We want to fix the symbolic links in certbot so that we can cleanup properly:

sudo certbot update_symlinks

After that, to ensure that things are correct, what are the current outputs of these commands?

sudo ls -lRa /etc/letsencrypt/archive
sudo ls -lRa /etc/letsencrypt/live

We need to be sure of which certificate(s) are being used by Apache and make any corrections as needed.

To get started, what is the output of this command?

sudo apachectl -S

Once these are completed and we have the necessary outputs, we can then help you delete the unneeded certificates to prevent future problems. Please do not try to do this manually. It must be done with specific certbot commands. Manual deletion may break things further.

I'll leave the fixing to @griffin, I'm certain you'll figure this out. However, I would like to take this moment to notice something: let this be a warning not ever to manually modify the files and/or directories in /etc/letsencrypt/ if you're not absolutely sure you know what you're doing! as this is clearly the result of manually tampering.

2 Likes

I ran: sudo certbot update_symlinks

Results of "ls" command show links corrected:
drwx------+ 6 root root 4096 Jan 19 22:18 ..
lrwxrwxrwx 1 root root 36 Aug 8 2020 cert.pem -> ../../archive/furtopia.org/cert1.pem
lrwxrwxrwx 1 root root 37 Aug 8 2020 chain.pem -> ../../archive/furtopia.org/chain1.pem
lrwxrwxrwx 1 root root 41 Aug 8 2020 fullchain.pem -> ../../archive/furtopia.org/fullchain1.pem
lrwxrwxrwx 1 root root 39 Aug 8 2020 privkey.pem -> ../../archive/furtopia.org/privkey1.pem
-rw-r--r--+ 1 root root 692 Aug 8 2020 README

However the cert is still mast dated. Looking inside: /etc/letsencrypt/archive/furtopia.org:
total 40
drwxr-xr-x+ 2 root root 4096 May 4 00:19 .
drwx------+ 5 root root 4096 Jan 19 22:18 ..
-rw-r--r--+ 1 root root 2212 Aug 8 2020 cert1.pem
-rw-r--r--+ 1 root root 2110 May 4 00:19 cert2.pem
-rw-r--r--+ 1 root root 1647 Aug 8 2020 chain1.pem
-rw-r--r--+ 1 root root 1586 May 4 00:19 chain2.pem
-rw-r--r--+ 1 root root 3859 Aug 8 2020 fullchain1.pem
-rw-r--r--+ 1 root root 3696 May 4 00:19 fullchain2.pem
-rw-------+ 1 root root 1704 Aug 8 2020 privkey1.pem
-rw-------+ 1 root root 1708 May 4 00:19 privkey2.pem

Notice the *2.pem files are dated may. The *1.pem are not. Not sure why. Should I copy the *2.pem over the *1.pem?

1 Like

No, the symbolic links need to point to the ~2.pem files.

1 Like

We really need the outputs of these commands in order to proceed properly:

sudo ls -lRa /etc/letsencrypt/archive
sudo ls -lRa /etc/letsencrypt/live
sudo apachectl -S

This isn't a one-step fix. There are tendrils to unwind.

You shouldn't be manually doing anything at all in the /etc/letsencrypt directory since that's how this situation was created in the first place.

@certbot-devs, the case of "someone manually modified /etc/letsencrypt somehow and then persistently ended up with symlinks from one certificate's live pointing into a different certificate's archive, causing certbot renew not to have the expected effect even if re-run" seems to keep happening. Has anybody ever identified what specific kind of tampering with /etc/letsencrypt causes this and whether Certbot might be able to easily detect this case and issue a useful warning?

I feel like we've been encountering this issue on and off for some years now, and the README files in the certificate storage directories are great but clearly not everybody has read them. :slight_smile:

1 Like

Results is apachectl -S (ls output already posted):
sudo apachectl -S
[Thu May 06 08:45:33.589206 2021] [so:warn] [pid 12456] AH01574: module mpm_itk_module is already loaded, skipping
VirtualHost configuration:
192.168.1.10:80 is a NameVirtualHost
default server furtopia.org (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost furtopia.org (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost artstyle.us (/etc/apache2/sites-enabled/artstyle.conf:1)
alias www.artstyle.us
alias artstyle.us
port 80 namevhost forums.furtopia.org (/etc/apache2/sites-enabled/f_forums.conf:1)
alias www.forums.furtopia.org
alias forums.furtopia.org
port 80 namevhost kylee.furtopia.org (/etc/apache2/sites-enabled/f_kylee.conf:1)
alias www.kylee.furtopia.org
alias kylee.furtopia.org
port 80 namevhost mrinitialman.furtopia.org (/etc/apache2/sites-enabled/f_mrinitialman.conf:1)
alias www.mrinitialman.furtopia.org
alias mrinitialman.furtopia.org
port 80 namevhost oldrabbit.com (/etc/apache2/sites-enabled/f_oldrabbit_com.conf:1)
alias www.oldrabbit.com
alias oldrabbit.com
port 80 namevhost oldrabbit.org (/etc/apache2/sites-enabled/f_oldrabbit_org.conf:1)
alias www.oldrabbit.org
alias oldrabbit.org
port 80 namevhost furtopia.org (/etc/apache2/sites-enabled/furtopia.conf:1)
alias www.furtopia.org
alias furtopia.org
port 80 namevhost kcff.net (/etc/apache2/sites-enabled/i_kcff.conf:1)
alias www.kcff.net
alias kcff.net
port 80 namevhost twotreesinc.org (/etc/apache2/sites-enabled/i_twotreesinc.conf:1)
alias www.twotreesinc.org
alias twotreesinc.org
port 80 namevhost warights.org (/etc/apache2/sites-enabled/i_warights.conf:1)
alias www.warights.org
alias warights.org
port 80 namevhost whiteshepherd.net (/etc/apache2/sites-enabled/i_whiteshepherd.conf:1)
alias www.whiteshepherd.net
alias whiteshepherd.net
port 80 namevhost inlightof.us (/etc/apache2/sites-enabled/inlightof.conf:1)
alias www.inlightof.us
alias inlightof.us
port 80 namevhost irc.furtopia.org (/etc/apache2/sites-enabled/ircd.conf:1)
alias irc.furtopia.org
port 80 namevhost services.inlightof.us (/etc/apache2/sites-enabled/services.conf:1)
alias services.inlightof.us
alias services.furtopia.org
alias services.artstyle.us
port 80 namevhost testme.furtopia.org (/etc/apache2/sites-enabled/testme.furtopia.org.conf:1)
alias www.testme.furtopia.org
alias testme.furtopia.org
192.168.1.10:443 is a NameVirtualHost
default server artstyle.us (/etc/apache2/sites-enabled/artstyle_ssl.conf:1)
port 443 namevhost artstyle.us (/etc/apache2/sites-enabled/artstyle_ssl.conf:1)
alias www.artstyle.us
alias artstyle.us
port 443 namevhost forums.furtopia.org (/etc/apache2/sites-enabled/f_forums_ssl.conf:1)
alias www.forums.furtopia.org
alias forums.furtopia.org
port 443 namevhost kylee.furtopia.org (/etc/apache2/sites-enabled/f_kylee_ssl.conf:1)
alias www.kylee.furtopia.org
alias kylee.furtopia.org
port 443 namevhost mrinitialman.furtopia.org (/etc/apache2/sites-enabled/f_mrinitialman_ssl.conf:1)
alias www.mrinitialman.furtopia.org
alias mrinitialman.furtopia.org
port 443 namevhost oldrabbit.com (/etc/apache2/sites-enabled/f_oldrabbit_com_ssl.conf:1)
alias www.oldrabbit.com
alias oldrabbit.com
port 443 namevhost oldrabbit.org (/etc/apache2/sites-enabled/f_oldrabbit_org_ssl.conf:1)
alias www.oldrabbit.org
alias oldrabbit.org
port 443 namevhost furtopia.org (/etc/apache2/sites-enabled/furtopia_ssl.conf:1)
alias www.furtopia.org
alias furtopia.org
port 443 namevhost kcff.net (/etc/apache2/sites-enabled/i_kcff_ssl.conf:1)
alias www.kcff.net
alias kcff.net
port 443 namevhost twotreesinc.org (/etc/apache2/sites-enabled/i_twotreesinc_ssl.conf:1)
alias www.twotreesinc.org
alias twotreesinc.org
port 443 namevhost warights.org (/etc/apache2/sites-enabled/i_warights_ssl.conf:1)
alias www.warights.org
alias warights.org
port 443 namevhost whiteshepherd.net (/etc/apache2/sites-enabled/i_whiteshepherd_ssl.conf:1)
alias www.whiteshepherd.net
alias whiteshepherd.net
port 443 namevhost inlightof.us (/etc/apache2/sites-enabled/inlightof_ssl.conf:1)
alias www.inlightof.us
alias inlightof.us
port 443 namevhost irc.furtopia.org (/etc/apache2/sites-enabled/ircd_ssl.conf:1)
alias irc.furtopia.org
port 443 namevhost services.inlightof.us (/etc/apache2/sites-enabled/services_ssl.conf:1)
alias services.inlightof.us
alias services.furtopia.org
alias services.artstyle.us
port 443 namevhost testme.furtopia.org (/etc/apache2/sites-enabled/testme.furtopia.org_ssl.conf:1)
alias www.testme.furtopia.org
alias testme.furtopia.org
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
ChrootDir: "/webpages"

1 Like

The current outputs of these?

sudo ls -lRa /etc/letsencrypt/archive
sudo ls -lRa /etc/letsencrypt/live

I don't believe we've ever managed to get instructions on how to reproduce this problem so that we could look into better safeguards here in Certbot.

1 Like

I can't leave my sites down all week. So so not interfere with links I made a backup of /etc/letsencrypt/archive/furtopia.org/ with a "cp -p" into a temp folder in a home user account. cp -p the *2.pem over the *1.pem and restarted apache. That got the sites up and running at least. I then restored with "cp -p" the original files back into /etc/letsencrypt/archive/furtopia.org/ so you can see how they were before the copy.

sudo ls -lRa /etc/letsencrypt/archive
sudo ls -lRa /etc/letsencrypt/live

root@inlightof:/home/pi/ssl/archive# ls -lRa /etc/letsencrypt/archive
/etc/letsencrypt/archive:
total 20
drwx------+ 5 root root 4096 Jan 19 22:18 .
drwxr-xr-x+ 9 root root 4096 May 7 00:29 ..
drwxr-xr-x+ 2 root root 4096 May 4 00:19 furtopia.org
drwxr-xr-x+ 2 root root 4096 Oct 25 2020 furtopia.org-0001
drwxr-xr-x+ 2 root root 4096 Jan 19 22:18 furtopia.org-0002

/etc/letsencrypt/archive/furtopia.org:
total 40
drwxr-xr-x+ 2 root root 4096 May 4 00:19 .
drwx------+ 5 root root 4096 Jan 19 22:18 ..
-rw-r--r--+ 1 root root 2212 Aug 8 2020 cert1.pem
-rw-r--r--+ 1 root root 2110 May 4 00:19 cert2.pem
-rw-r--r--+ 1 root root 1647 Aug 8 2020 chain1.pem
-rw-r--r--+ 1 root root 1586 May 4 00:19 chain2.pem
-rw-r--r--+ 1 root root 3859 Aug 8 2020 fullchain1.pem
-rw-r--r--+ 1 root root 3696 May 4 00:19 fullchain2.pem
-rw-------+ 1 root root 1704 Aug 8 2020 privkey1.pem
-rw-------+ 1 root root 1708 May 4 00:19 privkey2.pem

/etc/letsencrypt/archive/furtopia.org-0001:
total 40
drwxr-xr-x+ 2 root root 4096 Oct 25 2020 .
drwx------+ 5 root root 4096 Jan 19 22:18 ..
-rw-r--r--+ 1 root root 2171 Oct 23 2020 cert1.pem
-rw-r--r--+ 1 root root 2228 Oct 25 2020 cert2.pem
-rw-r--r--+ 1 root root 1647 Oct 23 2020 chain1.pem
-rw-r--r--+ 1 root root 1647 Oct 25 2020 chain2.pem
-rw-r--r--+ 1 root root 3818 Oct 23 2020 fullchain1.pem
-rw-r--r--+ 1 root root 3875 Oct 25 2020 fullchain2.pem
-rw-------+ 1 root root 1704 Oct 23 2020 privkey1.pem
-rw-------+ 1 root root 1704 Oct 25 2020 privkey2.pem

/etc/letsencrypt/archive/furtopia.org-0002:
total 24
drwxr-xr-x+ 2 root root 4096 Jan 19 22:18 .
drwx------+ 5 root root 4096 Jan 19 22:18 ..
-rw-r--r--+ 1 root root 2110 Jan 19 22:18 cert1.pem
-rw-r--r--+ 1 root root 1586 Jan 19 22:18 chain1.pem
-rw-r--r--+ 1 root root 3696 Jan 19 22:18 fullchain1.pem
-rw-------+ 1 root root 1704 Jan 19 22:18 privkey1.pem

and

root@inlightof:/home/pi/ssl/archive# ls -lRa /etc/letsencrypt/live
/etc/letsencrypt/live:
total 28
drwx------+ 6 root root 4096 Jan 19 22:18 .
drwxr-xr-x+ 9 root root 4096 May 7 00:29 ..
drwxr-xr-x+ 2 root root 4096 May 5 11:59 furtopia.org
drwxr-xr-x+ 2 root root 4096 May 5 06:55 furtopia.org-0001
drwxr-xr-x+ 2 root root 4096 May 5 06:55 furtopia.org-0002
drwxr-xr-x+ 2 root root 4096 Aug 10 2020 furtopia.org.old.1
-rw-r--r--+ 1 root root 740 Aug 8 2020 README

/etc/letsencrypt/live/furtopia.org:
total 12
drwxr-xr-x+ 2 root root 4096 May 5 11:59 .
drwx------+ 6 root root 4096 Jan 19 22:18 ..
lrwxrwxrwx 1 root root 36 May 5 11:59 cert.pem -> ../../archive/furtopia.org/cert2.pem
lrwxrwxrwx 1 root root 37 May 5 11:59 chain.pem -> ../../archive/furtopia.org/chain2.pem
lrwxrwxrwx 1 root root 41 May 5 11:59 fullchain.pem -> ../../archive/furtopia.org/fullchain2.pem
lrwxrwxrwx 1 root root 39 May 5 11:59 privkey.pem -> ../../archive/furtopia.org/privkey2.pem
-rw-r--r--+ 1 root root 692 Apr 11 12:37 README

/etc/letsencrypt/live/furtopia.org-0001:
total 12
drwxr-xr-x+ 2 root root 4096 May 5 06:55 .
drwx------+ 6 root root 4096 Jan 19 22:18 ..
lrwxrwxrwx 1 root root 41 May 5 06:55 cert.pem -> ../../archive/furtopia.org-0001/cert2.pem
lrwxrwxrwx 1 root root 42 May 5 06:55 chain.pem -> ../../archive/furtopia.org-0001/chain2.pem
lrwxrwxrwx 1 root root 46 May 5 06:55 fullchain.pem -> ../../archive/furtopia.org-0001/fullchain2.pem
lrwxrwxrwx 1 root root 44 May 5 06:55 privkey.pem -> ../../archive/furtopia.org-0001/privkey2.pem
-rw-r--r--+ 1 root root 692 Oct 30 2020 README

/etc/letsencrypt/live/furtopia.org-0002:
total 12
drwxr-xr-x+ 2 root root 4096 May 5 06:55 .
drwx------+ 6 root root 4096 Jan 19 22:18 ..
lrwxrwxrwx 1 root root 41 May 5 06:55 cert.pem -> ../../archive/furtopia.org-0002/cert1.pem
lrwxrwxrwx 1 root root 42 May 5 06:55 chain.pem -> ../../archive/furtopia.org-0002/chain1.pem
lrwxrwxrwx 1 root root 46 May 5 06:55 fullchain.pem -> ../../archive/furtopia.org-0002/fullchain1.pem
lrwxrwxrwx 1 root root 44 May 5 06:55 privkey.pem -> ../../archive/furtopia.org-0002/privkey1.pem
-rw-r--r--+ 1 root root 692 Jan 19 22:18 README

/etc/letsencrypt/live/furtopia.org.old.1:
total 12
drwxr-xr-x+ 2 root root 4096 Aug 10 2020 .
drwx------+ 6 root root 4096 Jan 19 22:18 ..
lrwxrwxrwx 1 root root 36 Aug 8 2020 cert.pem -> ../../archive/furtopia.org/cert1.pem
lrwxrwxrwx 1 root root 37 Aug 8 2020 chain.pem -> ../../archive/furtopia.org/chain1.pem
lrwxrwxrwx 1 root root 41 Aug 8 2020 fullchain.pem -> ../../archive/furtopia.org/fullchain1.pem
lrwxrwxrwx 1 root root 39 Aug 8 2020 privkey.pem -> ../../archive/furtopia.org/privkey1.pem
-rw-r--r--+ 1 root root 692 Aug 8 2020 README

1 Like

Actually looks like the live links are now pointing to the *2.pem files so it maybe fixed now?

1 Like

Yep, the certificate files are now in order. However, there are still some things to cleanup to prevent future issues.

The next step would be to determine if the certificates named furtopia.org-0001 and furtopia.org-0002 are actually used in any of the apache configuration files in /etc/apache2/sites-available. Looking at the output of sudo certbot certificates will allow you to determine if there is different domain coverage between the three certificates you have. The goal is to reduce your configuration to only be using the certificate named furtopia.org so that the certificates named furtopia.org-0001 and furtopia.org-0002 can be safely deleted using sudo certbot delete --cert-name furtopia.org-0001 and sudo certbot delete --cert-name furtopia.org-0002.

As a note, all of the files in /etc/apache2/sites-enabled should be symbolic links to actual files with the same names in /etc/apache2/sites-available. If there are any actual files in /etc/apache2/sites-enabled, there's some confusion and redundancy that needs to be straightened out.