Certbot - List Certificates Issued

I am a bit confused after trying so many things so that I am no longer 100% sure which certificates I installed on my new server (VPS). Is there a way of checking this? I am afraid of simply re-running the same command I previously used to create the certificates (i.e. sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com) because I’m worried that might destroy them and leave me with an even more broken site. Indeed, I believe that I have all the certificates I need but since I am having trouble getting the forum sub-domain to work, I wanted to double check without breaking the other ones.

Also, I noticed that I have two folders in /etc/letsencrypt/live, one called test.mydomain.com and mydomain.com. The reason for this is that I first created a cert for the test-subdomain and later added the other domains. But I thought that re-running the command with additional domains would simply replace the old set of files rather than add a new set. But apparently that is not the case so now I am wondering whether I need both of them or if the older one has simply become redundant. That’s another reason I’d like to check which domains are included in each of the…

Hi @tophee

Review this article: Certbot - List of Managed Certificates After Renewals


1 Like

Thanks! It turns out that I am indeed missing the forum subdomain in my certificates. The big question is: will I be able to add these without destroying the ones I have if the retrieval doesn’t work (e.g. because my NGINX is now configured for https for all domains…)?

Certbot never replaces existing certificates unless it believes it successfully obtained the replacement certificate. What's more, it never deletes the old certificates either. They still exist in a directory called /etc/letsencrypt/archive, which is never supposed to be referred to directly by the end user under normal circumstances, but in any case your previous certificates would still exist there.

By default a new lineage like this will be created if you ever request a set of domains that's not a strict superset of an existing one. For example, if you have a single existing certificate for a.example.com, b.example.com, and c.example.com, requesting a new one for just b.example.com would create a separate lineage; so would requesting for b.example.com, c.example.com, and d.example.com.

[quote]That's another reason I'd like to check which domains are included in each of the.../quote]

Hopefully the certbot certificates command that @ahaw021 suggested will work for you (provided that you have a recent enough version of Certbot installed). If not, we can suggest some commands with the openssl command line program.

1 Like

Yes, that was very helpful (and so simple!). However, I also learned that there was no need for me to install certbot given that I already had letsencrypt installed:

and that I better not use both of them:

So I avoided using certbot and did letsencrypt certificates instead, which worked just fine.

@tophee, although the name was changed from letsencrypt to certbot, all of the methods of distributing Certbot still provide the letsencrypt name for backwards compatibility.

In particular, the introduction of the certificates command long post-dates the switch of the official name from letsencrypt to certbot. :slight_smile:

If you got both commands from the same package/distribution method, there’s no trouble with running them interchangeably because they will actually be the same version and use the same file format.

1 Like

So this is not correct?

Apparently not… sorry for the confusion!

1 Like

You can double-check that they are the same version by running

certbot --version

letsencrypt --version

Hopefully, they’ll return the same version, showing that they are just alternative aliased names for one another.

They do!! (version 0.11.1)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.