Certbot Renew Created a Second Set of Domain-0001 certificates


#1

My domain is: amideastonline.org

I ran this command: certbot renew

It produced this output: A new folder with -0001 in the name and a second set of certificate files. The virtual server is still using the previous certificates, which expire in two weeks. The 0001 certificates expire in 90 days.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No. I use a terminal window.


#2

You just ran “certbot renew”? No other command line options? Not a different command?

Can you post the contents of “/etc/letsencrypt/cli.ini” and “/var/log/letsencrypt/letsencrypt.log”, and the output of “sudo certbot certificates” and “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”?


#3

No, I’m afraid it’s more complicated than just doing a “certbot renew”. Before trying “certbot renew”, I used the following command: “certbot certonly --webroot --agree-tos --email my-name@my-domain-name.org -d my-domain-name.org -d www.my-domain-name.org -d mahara.my-domain-name.org -w /home/my-domain-name/public_html/”

That’s when things got weird. I did it this way first because my subdomain had already expired, but I now think it was a mistake. It created the -0001 certificates. It renewed the www certificates correctly. It skipped the subdomain, stating that the web challenge didn’t work - not authorized. I then tried “certbot renew” and nothing renewed. The subdomain again gave the web challenge issue. I am less worried about the subdomain because it is rarely used, but the main domain has thousands of user accounts.

I don’t have /etc/letsencrypt/cli.ini

The “/var/log/letsencrypt/letsencrypt.log” is huge. Do you still want me to post it here?

Here’s what I get from “sudo certbot certificates”

Found the following certs:
Certificate Name: my-domain-name.org
Domains: my-domain-name.org mahara.my-domain-name.org www.my-domain-name.org
Expiry Date: 2019-01-30 01:18:25+00:00 (VALID: 11 days)
Certificate Path: /etc/letsencrypt/live/my-domain-name.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/my-domain-name.org/privkey.pem
Certificate Name: www.my-domain-name.org
Domains: my-domain-name.org www.my-domain-name.org
Expiry Date: 2019-04-18 00:33:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.my-domain-name.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.my-domain-name.org/privkey.pem
Certificate Name: my-domain-name.org-0001
Domains: my-domain-name.org
Expiry Date: 2019-04-18 01:16:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/my-domain-name.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/my-domain-name.org-0001/privkey.pem
Certificate Name: mahara.my-domain-name.org
Domains: mahara.my-domain-name.org
Expiry Date: 2019-01-06 07:46:20+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/mahara.my-domain-name.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mahara.my-domain-name.org/privkey.pem

Here’s what I get from “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”

drwx------ 6 root root 4096 Jan 18 06:12 .
drwxr-xr-x 9 root root 4096 Jan 18 10:04 ..
drwxr-xr-x 2 root root 4096 Nov 1 04:18 my-domain-name.org
drwxr-xr-x 2 root root 4096 Jan 18 04:16 my-domain-name.org-0001
drwxr-xr-x 2 root root 4096 Oct 8 11:46 mahara.my-domain-name.org
drwxr-xr-x 2 root root 4096 Jan 18 03:33 www.my-domain-name.org

/etc/letsencrypt/archive/my-domain-name.org:
total 40
drwxr-xr-x 2 root root 4096 Nov 1 04:18 .
drwx------ 6 root root 4096 Jan 18 06:12 ..
-rw-r--r-- 1 root root 2159 Oct 5 12:31 cert1.pem
-rw-r--r-- 1 root root 2232 Nov 1 04:18 cert2.pem
-rw-r--r-- 1 root root 1647 Oct 5 12:31 chain1.pem
-rw-r--r-- 1 root root 1647 Nov 1 04:18 chain2.pem
-rw-r--r-- 1 root root 3806 Oct 5 12:31 fullchain1.pem
-rw-r--r-- 1 root root 3879 Nov 1 04:18 fullchain2.pem
-rw-r--r-- 1 root root 1708 Oct 5 12:31 privkey1.pem
-rw-r--r-- 1 root root 1704 Nov 1 04:18 privkey2.pem

/etc/letsencrypt/archive/my-domain-name.org-0001:
total 56
drwxr-xr-x 2 root root 4096 Jan 18 04:16 .
drwx------ 6 root root 4096 Jan 18 06:12 ..
-rw-r--r-- 1 root root 1919 Jan 18 03:37 cert1.pem
-rw-r--r-- 1 root root 1915 Jan 18 03:51 cert2.pem
-rw-r--r-- 1 root root 1919 Jan 18 04:16 cert3.pem
-rw-r--r-- 1 root root 1647 Jan 18 03:37 chain1.pem
-rw-r--r-- 1 root root 1647 Jan 18 03:51 chain2.pem
-rw-r--r-- 1 root root 1647 Jan 18 04:16 chain3.pem
-rw-r--r-- 1 root root 3566 Jan 18 03:37 fullchain1.pem
-rw-r--r-- 1 root root 3562 Jan 18 03:51 fullchain2.pem
-rw-r--r-- 1 root root 3566 Jan 18 04:16 fullchain3.pem
-rw------- 1 root root 1700 Jan 18 03:37 privkey1.pem
-rw------- 1 root root 1704 Jan 18 03:51 privkey2.pem
-rw------- 1 root root 1704 Jan 18 04:16 privkey3.pem

/etc/letsencrypt/archive/mahara.my-domain-name.org:
total 24
drwxr-xr-x 2 root root 4096 Oct 8 11:46 .
drwx------ 6 root root 4096 Jan 18 06:12 ..
-rw-r--r-- 1 root root 2179 Oct 8 11:46 cert1.pem
-rw-r--r-- 1 root root 1647 Oct 8 11:46 chain1.pem
-rw-r--r-- 1 root root 3826 Oct 8 11:46 fullchain1.pem
-rw-r--r-- 1 root root 1704 Oct 8 11:46 privkey1.pem

/etc/letsencrypt/archive/www.my-domain-name.org:
total 56
drwxr-xr-x 2 root root 4096 Jan 18 03:33 .
drwx------ 6 root root 4096 Jan 18 06:12 ..
-rw-r--r-- 1 root root 2175 Nov 1 04:20 cert1.pem
-rw-r--r-- 1 root root 1927 Dec 31 10:53 cert2.pem
-rw-r--r-- 1 root root 1952 Jan 18 03:33 cert3.pem
-rw-r--r-- 1 root root 1647 Nov 1 04:20 chain1.pem
-rw-r--r-- 1 root root 1647 Dec 31 10:53 chain2.pem
-rw-r--r-- 1 root root 1647 Jan 18 03:33 chain3.pem
-rw-r--r-- 1 root root 3822 Nov 1 04:20 fullchain1.pem
-rw-r--r-- 1 root root 3574 Dec 31 10:53 fullchain2.pem
-rw-r--r-- 1 root root 3599 Jan 18 03:33 fullchain3.pem
-rw-r--r-- 1 root root 1704 Nov 1 04:20 privkey1.pem
-rw-r--r-- 1 root root 1704 Dec 31 10:53 privkey2.pem
-rw-r--r-- 1 root root 1704 Jan 18 03:33 privkey3.pem

/etc/letsencrypt/live:
total 28
drwx------ 6 root root 4096 Jan 18 07:29 .
drwxr-xr-x 9 root root 4096 Jan 18 10:04 ..
drwxr-xr-x 2 root root 4096 Nov 1 04:18 my-domain-name.org
drwxr-xr-x 2 root root 4096 Jan 18 04:16 my-domain-name.org-0001
drwxr-xr-x 2 root root 4096 Jan 18 07:29 mahara.my-domain-name.org
-rw-r--r-- 1 root root 740 Jan 18 03:37 README
drwxr-xr-x 2 root root 4096 Jan 18 03:33 www.my-domain-name.org

/etc/letsencrypt/live/my-domain-name.org:
total 12
drwxr-xr-x 2 root root 4096 Nov 1 04:18 .
drwx------ 6 root root 4096 Jan 18 07:29 ..
lrwxrwxrwx 1 root root 42 Nov 1 04:18 cert.pem -> ../../archive/my-domain-name.org/cert2.pem
lrwxrwxrwx 1 root root 43 Nov 1 04:18 chain.pem -> ../../archive/my-domain-name.org/chain2.pem
lrwxrwxrwx 1 root root 47 Nov 1 04:18 fullchain.pem -> ../../archive/my-domain-name.org/fullchain2.pem
lrwxrwxrwx 1 root root 45 Nov 1 04:18 privkey.pem -> ../../archive/my-domain-name.org/privkey2.pem
-rw-r--r-- 1 root root 682 Oct 5 12:31 README

/etc/letsencrypt/live/my-domain-name.org-0001:
total 12
drwxr-xr-x 2 root root 4096 Jan 18 04:16 .
drwx------ 6 root root 4096 Jan 18 07:29 ..
lrwxrwxrwx 1 root root 47 Jan 18 04:16 cert.pem -> ../../archive/my-domain-name.org-0001/cert3.pem
lrwxrwxrwx 1 root root 48 Jan 18 04:16 chain.pem -> ../../archive/my-domain-name.org-0001/chain3.pem
lrwxrwxrwx 1 root root 52 Jan 18 04:16 fullchain.pem -> ../../archive/my-domain-name.org-0001/fullchain3.pem
lrwxrwxrwx 1 root root 50 Jan 18 04:16 privkey.pem -> ../../archive/my-domain-name.org-0001/privkey3.pem
-rw-r--r-- 1 root root 692 Jan 18 03:37 README

/etc/letsencrypt/live/mahara.my-domain-name.org:
total 12
drwxr-xr-x 2 root root 4096 Jan 18 07:29 .
drwx------ 6 root root 4096 Jan 18 07:29 ..
lrwxrwxrwx 1 root root 49 Oct 8 11:46 cert.pem -> ../../archive/mahara.my-domain-name.org/cert1.pem
lrwxrwxrwx 1 root root 50 Oct 8 11:46 chain.pem -> ../../archive/mahara.my-domain-name.org/chain1.pem
lrwxrwxrwx 1 root root 54 Oct 8 11:46 fullchain.pem -> ../../archive/mahara.my-domain-name.org/fullchain1.pem
lrwxrwxrwx 1 root root 52 Oct 8 11:46 privkey.pem -> ../../archive/mahara.my-domain-name.org/privkey1.pem
-rw-r--r-- 1 root root 682 Oct 8 11:46 README

/etc/letsencrypt/live/www.my-domain-name.org:
total 12
drwxr-xr-x 2 root root 4096 Jan 18 03:33 .
drwx------ 6 root root 4096 Jan 18 07:29 ..
lrwxrwxrwx 1 root root 46 Jan 18 03:33 cert.pem -> ../../archive/www.my-domain-name.org/cert3.pem
lrwxrwxrwx 1 root root 47 Jan 18 03:33 chain.pem -> ../../archive/www.my-domain-name.org/chain3.pem
lrwxrwxrwx 1 root root 51 Jan 18 03:33 fullchain.pem -> ../../archive/www.my-domain-name.org/fullchain3.pem
lrwxrwxrwx 1 root root 49 Jan 18 03:33 privkey.pem -> ../../archive/www.my-domain-name.org/privkey3.pem
-rw-r--r-- 1 root root 682 Nov 1 04:20 README

/etc/letsencrypt/renewal:
total 28
drwxr-xr-x 2 root root 4096 Jan 18 08:13 .
drwxr-xr-x 9 root root 4096 Jan 18 10:04 ..
-rw-r--r-- 1 root root 555 Jan 18 04:16 my-domain-name.org-0001.conf
-rw-r--r-- 1 root root 769 Nov 1 04:18 my-domain-name.org.conf
-rw-r--r-- 1 root root 692 Oct 8 11:46 mahara.my-domain-name.org.conf
-rw-r--r-- 1 root root 1024 Jan 18 08:13 .mahara.my-domain-name.org.conf.swp
-rw-r--r-- 1 root root 728 Jan 18 03:33 www.my-domain-name.org.conf


#4

It’s normal for Certbot to create a -0001 certificate if you create two different, partially overlapping certificates starting with the same name.

For example, if you run “certbot -d example.com -d example.net” and “certbot -d example.com -d example.org”, Certbot would name them example.com and example.com-0001.

You have a bunch of different, partly overlapping certificates now. What outcome do you want, exactly?

You could edit your Apache configuration to use the www.my-domain-name.org certificate and delete the others.

You could also try to fix the issue that’s preventing the mahara subdomain from renewing.

If you run “sudo certbot renew”, what does it output?

I don’t think so. :slightly_smiling_face:


#5

Thanks for your help. It’s a relief to be talking to someone after a rather frustrating day of searching for solutions.

I’d like to have all three certificates with matching expiration dates and renew at the same time.

Here’s what I get when I run “certbot renew”.

Last login: Fri Jan 18 09:50:44 2019 from 1.4.209.100
root@ns1:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/my-domain-name.org.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my-domain-name.org
http-01 challenge for www.my-domain-name.org
http-01 challenge for mahara.my-domain-name.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (my-domain-name.org) from /etc/letsencrypt/renewal/amideastonline.org.conf produced an unexpected error: Failed authorization procedure. mahara.my-domain-name.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mahara.my-domain-name.org/.well-known/acme-challenge/RDGvuXu_xEYAutA7rWGT3dbzzag2S13AdWAwMeAiBoE: “\n\n404 Not Found\n\n Not Found \n<p”. Skipping.

Processing /etc/letsencrypt/renewal/www.my-domain-name.org.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/my-domain-name.org-0001.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/mahara.my-domain-name.org.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mahara.my-domain-name.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mahara.my-domain-name.org) from /etc/letsencrypt/renewal/mahara.my-domain-name.org.conf produced an unexpected error: Failed authorization procedure. mahara.my-domain-name.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mahara.my-domain-name.org/.well-known/acme-challenge/28Box2b6m8aa2E0AqTb2TKN-IHvVQBBUugdBpPT9VGw: “\n\n404 Not Found\n\n Not Found \n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my-domain-name.org/fullchain.pem (failure)
/etc/letsencrypt/live/mahara.my-domain-name.org/fullchain.pem (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/www.my-domain-name.org/fullchain.pem expires on 2019-04-18 (skipped)
/etc/letsencrypt/live/my-domain-name.org-0001/fullchain.pem expires on 2019-04-18 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my-domain-name.org/fullchain.pem (failure)
/etc/letsencrypt/live/mahara.my-domain-name.org/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


#6

Do you really need 3 certificates? You have 3 hostnames, but the first certificate includes all of them. The problem is just that it’s failing to renew.

What if you run:

sudo certbot certonly --cert-name amideastonline.org --webroot -w /first/directory -d amideastonline.org -w /second/directory -d mahara.amideastonline.org -w /third/directory -d www.amideastonline.org

Replacing the three directory paths with the document roots for each of your three websites as specified in Apache’s configuration.

From your earlier post, one or more of them should be /home/my-domain-name/public_html.

Do you know why mahara.amideastonline.org stopped working? Did its Apache configuration change?


#7

Thanks again for your help on this. I ran the command and it appeared to work as far as certbot is concerned. See below for the readout:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for amideastonline.org
http-01 challenge for www.amideastonline.org
http-01 challenge for mahara.amideastonline.org
Using the webroot path /home/amideastonline/public_html for all unmatched domain
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/amideastonline.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/amideastonline.org/privkey.pem
    Your cert will expire on 2019-04-18. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

Unfortunately, when I checked the certificates in the browser for the main domain and subdomain, they were the same previous ones. Since certbot ran without any errors, is it possible certbot is not updating the symlinks?

I’m also not sure what is happening with the mahara subdomain. I can go directly to it, although I have to work around the expired certificate, but the site works fine. I haven’t changed anything in the apache2 configuration. The certificate expired on January 6th. It is less important than the main domain for my users so I’m not overly concerned with it not updating. The main domain however expires on January 30th so I’ve got to get that one to update correctly.


#8

Did your command include “certonly” ?

Maybe you just need to restart the web service?


#9

Thank you! I did include “certonly” but I did not restart apache2. After doing so, I am now getting the correct certificate for the main domain. I’m most grateful for the community support here!

So in the future, when the certificates are due for renewal, should I use this same command that worked this time, or “certbot renew”?

Any suggestions for the subdomain? It did not update, but there were no error messages about it.


#10

Please show output of:
certbot certificates
certbot renew
sudo crontab -l
systemctl list-timers


#11

Check which certificate it’s configured to use in the Apache virtual host. SSLCertificateFile, SSLCertificateKeyFile, and (with older versions of Apache) SSLCertificateChainFile. You might need to change it.
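An added check (not from the thread and not Certbot’s own code) that ties together the points in #4/#6 (partly overlapping lineages, one of which covers all the hostnames) and #11 (which lineage the Apache vhost actually references). It parses a constructed `certbot certificates` listing and a constructed vhost stanza mirroring this thread, flags lineages whose domains are a strict subset of another lineage’s, and reports per vhost whether its SSLCertificateFile points at the longest-lived lineage covering all of its ServerName/ServerAlias hostnames.

```python
import re
from datetime import datetime

# Constructed samples: a `certbot certificates` listing as in the thread, trimmed to the fields
# read here, and an Apache vhost still pointing at the lineage that expires first.
CERTBOT_CERTIFICATES = """\
Found the following certs:
  Certificate Name: my-domain-name.org
    Domains: my-domain-name.org mahara.my-domain-name.org www.my-domain-name.org
    Expiry Date: 2019-01-30 01:18:25+00:00 (VALID: 11 days)
  Certificate Name: www.my-domain-name.org
    Domains: my-domain-name.org www.my-domain-name.org
    Expiry Date: 2019-04-18 00:33:14+00:00 (VALID: 89 days)
  Certificate Name: my-domain-name.org-0001
    Domains: my-domain-name.org
    Expiry Date: 2019-04-18 01:16:11+00:00 (VALID: 89 days)
"""
APACHE_VHOST = """\
<VirtualHost *:443>
    ServerName my-domain-name.org
    ServerAlias www.my-domain-name.org
    SSLCertificateFile /etc/letsencrypt/live/my-domain-name.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my-domain-name.org/privkey.pem
</VirtualHost>
"""

def parse_certificates(text):
    """Return {lineage_name: (set_of_domains, expiry_datetime)} from `certbot certificates` output."""
    lineages = {}
    for block in re.split(r"\n\s*Certificate Name: ", "\n" + text)[1:]:
        name = block.splitlines()[0].strip()
        domains = set(re.search(r"Domains: (.+)", block).group(1).split())
        expiry = re.search(r"Expiry Date: (\S+ \S+)", block).group(1)
        lineages[name] = (domains, datetime.fromisoformat(expiry))
    return lineages

def redundant_lineages(lineages):
    """Lineages whose domains are a strict subset of another lineage's (candidates for deletion)."""
    return {n for n, (d, _) in lineages.items() if any(d < o for m, (o, _) in lineages.items() if m != n)}

def parse_vhosts(text):
    """Yield (hostnames, SSLCertificateFile path) for each <VirtualHost> block in an Apache config."""
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S):
        hosts = set()
        for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M):
            hosts.update(m.group(1).split())
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        yield hosts, cert.group(1) if cert else ""

def audit(vhost_text, certificates_text):
    """Per vhost: the configured lineage vs. the longest-lived lineage covering all of its hostnames."""
    lineages = parse_certificates(certificates_text)
    findings = []
    for hosts, cert_path in parse_vhosts(vhost_text):
        m = re.match(r"/etc/letsencrypt/live/([^/]+)/", cert_path)   # lineage name from the live/ path
        configured = m.group(1) if m else None
        covering = [n for n, (doms, _) in lineages.items() if hosts <= doms]
        best = max(covering, key=lambda n: lineages[n][1]) if covering else None
        findings.append({"hosts": sorted(hosts), "configured": configured, "best": best, "ok": configured == best})
    return findings
```

On the constructed input the vhost is flagged: it references the my-domain-name.org lineage (expiring 2019-01-30) although the www.my-domain-name.org lineage covers both hostnames and expires 2019-04-18, and both the www and the -0001 lineages are reported as redundant beside the one that covers all three names.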


#12

Wow, I ran “certbot renew” and that updated the subdomain’s certificate. I reloaded apache2 and checked the site, and SSL is working. Awesome. I can’t begin to thank you for your assistance. So, in the future I should only need to run “certbot renew” to upgrade when the certificates become due for renewal, right? Honestly, guys… I am truly appreciative for your help. This topic can be closed!!!

Best,
Dave


#13

It worked because of luck, not because the renewal configuration is working.

Because you got the other certificate today, your account can issue more certificates without validating again.

(Even though Certbot looks like it is validating again.)

So the subdomain certificate was able to renew whether or not its renewal configuration (/etc/letsencrypt/renewal/mahara.my-domain-name.org.conf) is actually correct.

Edit: Separately, you can set up a Certbot hook so that Certbot will automatically reload Apache after renewing certificates.