Certbot-auto why generate multiple certificate server key folder


#1

Hi Team,

When I renew old wildcard certificate then everytime generate new certificate and server key. Please check why generate new certificate and server key folder

I am using command : -

./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.example.com

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com-0002/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com-0002/privkey.pem
Your cert will expire on 2019-04-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the “certonly” option. To non-interactively renew all
of your certificates, run “certbot-auto renew”


#2

Usually this happens when you are requesting a new cert that’s missing one or more domain names that were on the original cert. For example - did you originally get a cert for both example.com and *.example.com ? If so, you are now requesting one for just *.example.com so that gets a new name.

Try running ./certbot-auto certificates to find out what existing certs you have and what domains they cover.

Also note that it’s safer to put the wildcard name in quotes i.e. -d '*.example.com' to protect it from unintended expansion by the shell.


#3

Yes I already checked, but certificates issue still same. The certificate generated with new folder of domain.Last time I don’t face any problem like that on same domain.


#4

I’m willing to bet that these two files contain a different set of names (SAN):

/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com-0002/fullchain.pem


#5

Can you post – without editing it – the output of “sudo ./certbot-auto certificates” and the contents of /etc/letsencrypt/cli.ini?


#6

Found the following certs:
Certificate Name: ultimatereport.in-0003
Domains: *.ultimatereport.in
Expiry Date: 2019-04-15 13:42:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ultimatereport.in-0003/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ultimatereport.in-0003/privkey.pem

Because we are using logrotate for greater flexibility, disable the

internal certbot logrotation.

max-log-backups = 0


#7

There were no other certificates? Or other output?


#8

My question is why certbot change folder name ( certificate path )…??

Certificate Path: /etc/letsencrypt/live/ultimatereport.in-0003/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ultimatereport.in-0003/privkey.pem


#9

That should only happen if you tell it to, or if ultimatereport.in, ultimatereport.in-0001 and ultimatereport.in-0002 exist and have certificates for different names, or broken files.

Let’s Encrypt should display something about it.

There was no other output from the “sudo ./certbot-auto certificates” command?

Can you post “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}” and upload /var/log/letsencrypt/letsencrypt.log somewhere?


#10

/etc/letsencrypt/archive/ultimatereport.in-0003:
total 24
drwxr-xr-x 2 root root 4096 Jan 15 15:42 .
drwx------ 22 root root 4096 Jan 15 19:07 …
-rw-r–r-- 1 root root 1919 Jan 15 15:42 cert1.pem
-rw-r–r-- 1 root root 1647 Jan 15 15:42 chain1.pem
-rw-r–r-- 1 root root 3566 Jan 15 15:42 fullchain1.pem
-rw------- 1 root root 1704 Jan 15 15:42 privkey1.pem

drwxr-xr-x 2 root root 4096 Jan 15 15:42 ultimatereport.in-0003

/etc/letsencrypt/live/ultimatereport.in-0003:
total 12
drwxr-xr-x 2 root root 4096 Jan 15 15:42 .
drwx------ 24 root root 4096 Jan 15 19:07 …
lrwxrwxrwx 1 root root 46 Jan 15 15:42 cert.pem -> …/…/archive/ultimatereport.in-0003/cert1.pem
lrwxrwxrwx 1 root root 47 Jan 15 15:42 chain.pem -> …/…/archive/ultimatereport.in-0003/chain1.pem
lrwxrwxrwx 1 root root 51 Jan 15 15:42 fullchain.pem -> …/…/archive/ultimatereport.in-0003/fullchain1.pem
lrwxrwxrwx 1 root root 49 Jan 15 15:42 privkey.pem -> …/…/archive/ultimatereport.in-0003/privkey1.pem
-rw-r–r-- 1 root root 692 Jan 15 15:42 README

-rw-r–r-- 1 root root 607 Jan 15 15:42 ultimatereport.in-0003.conf


#11

Still not resolve…


#12

There really aren’t any other certificates? No ultimatereport.in, ultimatereport.in-0001 or ultimatereport.in-0002? Did you delete them?


#13

Yes I did. but when I generate again certificate still same issue.
Again certbot-auto generated ultimatereport.in-0003


#14

At this point, after the other certificates have been deleted, there’s not much else you can do.

Certbot doesn’t have an easy way to rename certificates.

If possible, I’d recommend just leaving it as it is.

If Certbot unexpectedly duplicates your certificates in the future, you can post again and we can try to figure out what’s going on.


#15

How did you “delete” them?


#16

Still issue.

~ # ./certbot-auto certonly --manual -d *.solutionclub.in --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

Please choose an account


1: ubuntu16.howtoistart.com@2018-02-18T08:19:32Z (a75f)
2: ubuntu16.howtoistart.com@2018-07-06T10:57:05Z (89d3)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for solutionclub.in


Please deploy a DNS TXT record under the name
_acme-challenge.solutionclub.in with the following value:

n1C-4j2STO_Ya_mtxB7oE17gTA2NeODit8YL8pm_Was

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
archive directory exists for solutionclub.in


#17

Can you post “./certbot-auto certificates” and “ls -alR /etc/letsencrypt/{archive,live,renewal}” without editing or removing anything?


#18

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/solutionclub.in.conf

drwxr-xr-x 2 root root 4096 Nov 5 11:48 solutionclub.in
drwxr-xr-x 2 root root 4096 Jan 21 07:51 solutionclub.in-0001

/etc/letsencrypt/archive/solutionclub.in:
total 56
drwxr-xr-x 2 root root 4096 Nov 5 11:48 .
drwx------ 23 root root 4096 Jan 21 07:51 …
-rw-r–r-- 1 root root 2159 Jul 6 2018 cert1.pem
-rw-r–r-- 1 root root 2159 Sep 14 15:20 cert2.pem
-rw-r–r-- 1 root root 2159 Nov 5 11:48 cert3.pem
-rw-r–r-- 1 root root 1647 Jul 6 2018 chain1.pem
-rw-r–r-- 1 root root 1647 Sep 14 15:20 chain2.pem
-rw-r–r-- 1 root root 1647 Nov 5 11:48 chain3.pem
-rw-r–r-- 1 root root 3806 Jul 6 2018 fullchain1.pem
-rw-r–r-- 1 root root 3806 Sep 14 15:20 fullchain2.pem
-rw-r–r-- 1 root root 3806 Nov 5 11:48 fullchain3.pem
-rw-r–r-- 1 root root 1704 Jul 6 2018 privkey1.pem
-rw-r–r-- 1 root root 1704 Sep 14 15:20 privkey2.pem
-rw-r–r-- 1 root root 1704 Nov 5 11:48 privkey3.pem

/etc/letsencrypt/archive/solutionclub.in-0001:
total 24
drwxr-xr-x 2 root root 4096 Jan 21 07:51 .
drwx------ 23 root root 4096 Jan 21 07:51 …
-rw-r–r-- 1 root root 1915 Jan 21 07:51 cert1.pem
-rw-r–r-- 1 root root 1647 Jan 21 07:51 chain1.pem
-rw-r–r-- 1 root root 3562 Jan 21 07:51 fullchain1.pem
-rw------- 1 root root 1704 Jan 21 07:51 privkey1.pem

/etc/letsencrypt/live/solutionclub.in:
total 12
drwxr-xr-x 2 root root 4096 Nov 5 11:48 .
drwx------ 25 root root 4096 Jan 21 07:51 …
lrwxrwxrwx 1 root root 39 Nov 5 11:48 cert.pem -> …/…/archive/solutionclub.in/cert3.pem
lrwxrwxrwx 1 root root 40 Nov 5 11:48 chain.pem -> …/…/archive/solutionclub.in/chain3.pem
lrwxrwxrwx 1 root root 44 Nov 5 11:48 fullchain.pem -> …/…/archive/solutionclub.in/fullchain3.pem
lrwxrwxrwx 1 root root 42 Nov 5 11:48 privkey.pem -> …/…/archive/solutionclub.in/privkey3.pem
-rw-r–r-- 1 root root 682 Jul 6 2018 README

/etc/letsencrypt/live/solutionclub.in-0001:
total 12
drwxr-xr-x 2 root root 4096 Jan 21 07:51 .
drwx------ 25 root root 4096 Jan 21 07:51 …
lrwxrwxrwx 1 root root 44 Jan 21 07:51 cert.pem -> …/…/archive/solutionclub.in-0001/cert1.pem
lrwxrwxrwx 1 root root 45 Jan 21 07:51 chain.pem -> …/…/archive/solutionclub.in-0001/chain1.pem
lrwxrwxrwx 1 root root 49 Jan 21 07:51 fullchain.pem -> …/…/archive/solutionclub.in-0001/fullchain1.pem
lrwxrwxrwx 1 root root 47 Jan 21 07:51 privkey.pem -> …/…/archive/solutionclub.in-0001/privkey1.pem
-rw-r–r-- 1 root root 692 Jan 21 07:51 README

-rw-r–r-- 1 root root 597 Jan 21 07:51 solutionclub.in-0001.conf
-rw-r–r-- 1 root root 0 Jan 21 07:38 solutionclub.in.conf


#19

2nd time attempt certificate

~ # ./certbot-auto certonly --manual -d *.solutionclub.in --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

Please choose an account


1: ubuntu16.howtoistart.com@2018-02-18T08:19:32Z (a75f)
2: ubuntu16.howtoistart.com@2018-07-06T10:57:05Z (89d3)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for solutionclub.in


Please deploy a DNS TXT record under the name
_acme-challenge.solutionclub.in with the following value:

n1C-4j2STO_Ya_mtxB7oE17gTA2NeODit8YL8pm_Was

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/solutionclub.in-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/solutionclub.in-0001/privkey.pem
    Your cert will expire on 2019-04-21. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#20

~ # ./certbot-auto --version
certbot 0.30.0