Certbot delete and -0001 in cert names

Just wanted to clarify on the use of certbot delete here.

I had one site with a certificate that had two domains on it. I wanted to split the site into two separate sites, each with their own certificate.

When I created the site originally, I ran:

certbot --apache -d www.domainA.com -d www.domainB.com

To split them out into two, I first ran this to remove www.domainB.com:

certbot --apache -d www.domainA.com

then set up the new website with its own certificate and ran:

certbot --apache -d www.domainB.com

That works, but in the config file for www.domainA.com I see:

SSLCertificateFile /etc/letsencrypt/live/www.domainA.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.domainA.com-0001/privkey.pem

I take it I should have used certbot delete to do this, but how exactly would I have done so?

Is it with certbot delete --cert-name www.domainB.com before setting up the new site with certbot --apache -d www.domainB.com?

Thanks.

Hi @gilgongo,

That command wouldn't have worked because there was no certificate named www.domainB.com.

A command that would have run successfully in this case is certbot delete --cert-name www.domainA.com but this would have had the disadvantage of breaking your Apache configuration (since that certificate was in use).

The way to "remove" domainB would have been

certbot --apache --cert-name www.domainA.com -d www.domainA.com

That is, re-issue the www.domainA.com certificate while forcing it to contain only the single name. The -0001 happened because Certbot assumed (incorrectly in this case) that you didn't want to reduce the coverage of the existing certificate, so it made a completely separate one to protect the existing one.

4 Likes

Deleting the cert first isn't necessary and is probably even unwise: Apache requires the cert, so deleting it would break Apache.

You could have used the --cert-name option to overwrite the original cert with the new one.

I would have first generated one of the two new certs and afterwards overridden the existing cert with the other hostname.

3 Likes
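The two answers above describe the same procedure: find the lineage that currently covers both names, re-issue it with --cert-name so it keeps only one name, and issue a fresh certificate for the other. As an added example, not code from anyone in this thread or from the Certbot project, the POSIX shell script below parses a constructed sample of certbot certificates output, works out which lineage covers a domain, and prints the two commands for the split. It also shows why deleting a lineage first is unsafe by grepping a constructed Apache config directory for vhosts that reference it. The function names, the sample output and the sample config files are all assumptions made for this example; the real certbot commands it prints are the ones the thread already gives.

```shell
#!/bin/sh
# Constructed sample of `certbot certificates` output (not captured from a real host):
# the state before the split, one lineage covering both names.
SAMPLE_CERTS='Found the following certs:
  Certificate Name: www.domainA.com
    Domains: www.domainA.com www.domainB.com
    Expiry Date: 2024-01-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.domainA.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.domainA.com/privkey.pem'

# Print the Certificate Name of every lineage whose Domains line contains $1.
lineage_for_domain() {
    printf '%s\n' "$SAMPLE_CERTS" | awk -v want="$1" '
        /Certificate Name:/ { name = $3 }
        /Domains:/ { for (i = 2; i <= NF; i++) if ($i == want) print name }'
}

# Print the space-separated domain list of lineage $1.
domains_of_lineage() {
    printf '%s\n' "$SAMPLE_CERTS" | awk -v want="$1" '
        /Certificate Name:/ { name = $3 }
        /Domains:/ && name == want {
            for (i = 2; i <= NF; i++) printf "%s%s", (i > 2 ? " " : ""), $i
            print ""
        }'
}

# Build the re-issue command: --cert-name pins the existing lineage so Certbot
# replaces it in place instead of creating a separate "-0001" lineage.
reissue_command() {
    name=$1; shift
    cmd="certbot --apache --cert-name $name"
    for d in "$@"; do cmd="$cmd -d $d"; done
    printf '%s\n' "$cmd"
}

# plan_split KEEP MOVE: print the commands that leave KEEP on the existing
# lineage and give MOVE its own new certificate. Fails if no lineage covers both.
plan_split() {
    keep=$1; move=$2
    name=$(lineage_for_domain "$keep")
    [ -n "$name" ] || { echo "no lineage covers $keep" >&2; return 1; }
    case " $(domains_of_lineage "$name") " in
        *" $move "*) ;;
        *) echo "$name does not cover $move, nothing to split" >&2; return 1 ;;
    esac
    remaining=$(domains_of_lineage "$name" | tr ' ' '\n' | grep -vxF "$move" | tr '\n' ' ')
    # shellcheck disable=SC2086
    reissue_command "$name" $remaining
    printf 'certbot --apache -d %s\n' "$move"
}

# Constructed Apache config directory with one vhost using the lineage path.
make_sample_confdir() {
    dir=$(mktemp -d)
    cat > "$dir/domainA-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.domainA.com
    SSLCertificateFile /etc/letsencrypt/live/www.domainA.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.domainA.com/privkey.pem
</VirtualHost>
EOF
    cat > "$dir/other.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.invalid
</VirtualHost>
EOF
    printf '%s\n' "$dir"
}

# List config files that reference lineage $1 under directory $2. Any hit means
# `certbot delete --cert-name $1` would leave Apache pointing at missing files.
configs_using_lineage() {
    grep -lF "/etc/letsencrypt/live/$1/" "$2"/*.conf 2>/dev/null
}

# Demonstration when run directly.
echo "Lineage covering www.domainB.com: $(lineage_for_domain www.domainB.com)"
echo "Commands to split:"
plan_split www.domainA.com www.domainB.com
confdir=$(make_sample_confdir)
echo "Configs that would break if the lineage were deleted:"
configs_using_lineage www.domainA.com "$confdir"
rm -rf "$confdir"
```

Running it prints the re-issue command with --cert-name first, then the plain issuance for the second domain, and finally the vhost file that still depends on the original lineage. To use the same logic against a real host, replace SAMPLE_CERTS with the actual output of certbot certificates and point configs_using_lineage at the real Apache sites directory.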

Thanks. BTW I assume there's nothing wrong with having the -0001 version, is there? Or might it store up problems for the future? In which case should I go back to the original one and remove the domain from it (and use it for the site's Apache config before deleting the -0001 version)?

2 Likes

No, there's nothing wrong with it in principle. You can always run certbot certificates to check which certificates you have and what their coverage is.

4 Likes
