Certbot appends numbers to the end of certificate name. Is that normal?

Hello.

I was wondering if it was normal to get multiple Certificate Names with numbers attached to them like example.com–0001

the following is an example output when doing certbot certificates

Found the following certs:
  Certificate Name: example.com-0001
    Domains: example.com cool.example.com def.example.com ghi.example.com jkl.example.com mno.example.com parse.example.com success.example.com test.example.com www.example.com xyz.example.com
    Expiry Date: 2020-05-24 17:45:32+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/example.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com-0001/privkey.pem
  Certificate Name: example.com-0002
    Domains: example.com cool.example.com ghi.example.com parse.example.com success.example.com test.example.com www.example.com
    Expiry Date: 2020-05-24 09:24:50+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/example.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com-0002/privkey.pem
  Certificate Name: example.com-0003
    Domains: example.com cool.example.com first.example.com parse.example.com success.example.com test.example.com www.example.com xyz.example.com
    Expiry Date: 2020-05-25 15:12:16+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com-0003/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com-0003/privkey.pem
  Certificate Name: example.com-0004
    Domains: example.com cool.example.com parse.example.com success.example.com test.example.com www.example.com xyz.example.com
    Expiry Date: 2020-05-26 06:27:54+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com-0004/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com-0004/privkey.pem
  Certificate Name: example.com
    Domains: example.com abc.example.com cool.example.com parse.example.com success.example.com test.example.com www.example.com xyz.example.com
    Expiry Date: 2020-05-24 04:51:15+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

I don’t really like the numbers being attached. not sure why it’s happening.
I really think I should have 1 certificate but I think it shows 4 or 5

I automatically create certificates for subdomains when the user clicks a create subdomain button. I use node js exec to make the commands and the server is linux

the command looks like this
certbot -d example.com -d cool.example.com -d test.example.com -d parse.example.com -d www.example.com -d success.example.com -d xyz.example.com --expand --redirect

I basically get those domains when I automatically update the server_name in the nginx /sites-available/default file. I get it from that server_name line then add the -ds then execute the command every time the user clicks the button.

My concern if I keep doing this I will have tons of “certificate names” with the numbers appended (“0001”).

I don’t know if I should be concerned about it.

I’m using certbot version 0.31.0
Ubuntu 18.04.3 LTS
I login as root
Also I noticed that the redirects weren’t automatically added in the second server block in the default file I thought the --redirect option was supposed to handle the redirect but it doesn’t look like its doing it.

1 Like

Hi @jack2ky

that’s the result of your command.

Read

looking 001:

In the case of a name collision it will append a number like 0001 to the file path name.

You can use --cert-name to overwrite an existing certificate. But one error -> and the wrong certificate is overwritten.

So: There is no real problem with these numbers, ignore these.

1 Like

When you’re only adding names, and you use the --expand option (or choose it in the interactive prompt), Certbot will save the new certificate in place of the old one.

When removing domains – or adding and removing domains – Certbot will save it in a new directory.

What you’ve got is the expected – if not good – outcome from repeatedly adding and removing domains over time.

As @JuergenAuer said, you can use the --cert-name option to have Certbot replace an existing certificate regardless of whether you’re adding or removing domains.

Having all of these certificates is somewhat problematic – on the one hand, continuing to renew them wastes resources. On the other hand, if you’ve removed names that no longer work, Certbot will try and fail to renew them, which also wastes resources. On top of that, if your web server is configured to use a certificate that’s failing to renew, your websites will break when it expires!

It would be good to choose one certificate, configure all of your software to use it, and use certbot delete to delete the others.

1 Like

Thanks for your answer. Real helpful.
I just want some clarification.
The command:
certbot -d example.com -d cool.example.com -d test.example.com -d parse.example.com -d www.example.com -d success.example.com -d xyz.example.com --expand --redirect

Is the command that I used the proper way to add and remove sub-domains?
When I use the command above is that adding a new certificate? If it does I don’t think I need multiple certificates for many subdomains. Correct me if I’m wrong.

I just want to attach subdomains to example.com.
I’m going to be using that command a lot with the updated list of subdomains

I’m assuming that there is a name collision because every time I run the command example.com is the first name. Although sometimes I think it doesn’t create the new certificate name so it’s a little weird.

I think your saying that the name collision stuff won’t really affect my https sites so I don’t really have to do anything. But I was still courious about the info I mentioned above.

It’s ok if you don’t want to answer. If you don’t I will probably just continue running those commands with updated long lists of domains and home everything will be ok.

Thanks.

1 Like

It’s a proper way to add names. It’s not a proper way to remove names.

2 Likes

@mnordhoff
So I think I’m going to go with your plan. Correct me if my thought process is wrong.

I’m going to delete all the certificates by name by doing something like.

certbot delete --cert-name example.com-0004
certbot delete --cert-name example.com-0001
certbot delete --cert-name example.com
etc…

create certificate like certbot -d example.com -d cool.example.com for example.com add one subdomain to start off.

Then when the user clicks a button to add a subdomain for example, newone.example.com I could do this command

certbot -d example.com -d cool.example.com -d newone.example.com --cert-name example.com (question: do I keep "example.com as the first one if I’m using it as cert-name?")

When the user wants to remove newone.example.com I will do command :
certbot -d example.com -d cool.example.com -d --cert-name example.com

Notice newone.example.com is missing.
Is this the better way to remove and add subdomains?
Is that the exact commands to use.

This way certbot won’t fail when renewing as you mentioned?

EDIT:
Or maybe I should delete the old certificate and a new one very time the user clicks the button?

1 Like

That plan sounds fine, except for two things (plus the typo mentioned at the bottom of this post).

One, don’t delete all of your certificates. If you delete certificates that your web server is using, it will break, which will also interfere with getting new certificates to fix the problem!

Delete all but one of your certificates, sure. But don’t delete all of them.

Two, have you read the page about Let’s Encrypt’s rate limits?

If you’re adding new subdomains more than a few dozen times per week, that will be a problem, and you should consider using a wildcard certificate instead.

Yes! If you don’t keep it, it would be removed from the new certificate. (It doesn’t have to be first, though.)

There’s an extra “-d” in that command, between “cool.example.com” and “--cert-name”, but yes.

2 Likes

Hmmm… Question: who’s your DNS host?

If it’s one that LE supports with a plugin, you can set up DNS validation & just get a wildcard certificate to issue to any subdomains that are created.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.