Certbot renew request saves certificates to -0001 folder

I’ve been using Let’s Encrypt for almost a year and it’s fantastic - so well done to all involved.

I recently dockerized everything, and everything appears to be working very well except for a small issue I’m having around using certbot to renew my certificates.

The certbot renewal request went through, but it keeps saving the renewed certificates to a new folder with -0001 appended to my domain: /etc/letsencrypt/live/humankode.com-0001

The command I’m running is in a cron job.

I’m running Ubuntu 16.04 on an Amazon EC2 instance. Everything is dockerized.

The command I used to issue the renewal was:

sudo docker run --rm -it --name certbot \
-v "/docker-volumes/etc/letsencrypt:/etc/letsencrypt" \
-v "/docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt" \
-v "/docker-volumes/data/letsencrypt:/data/letsencrypt" \
certbot/certbot \
certonly --webroot --webroot-path=/data/letsencrypt \
-d humankode.com -d www.humankode.com \
--renew-by-default \
--force-renewal \
--email email@gmail.com \
--agree-tos \
--manual-public-ip-logging-ok

The response I got was:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for humankode.com
http-01 challenge for www.humankode.com
Using the webroot path /data/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/humankode.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/humankode.com-0001/privkey.pem
   Your cert will expire on 2018-04-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Any suggestions on how to get around this, and why this is happening?

Please show:

ls -l /etc/letsencrypt/live/
certbot certificates

Hi @thecarlo,

The intended way to renew your certificates is just certbot renew (ideally twice a day from a cron job or systemd timer). If you specify the whole issuance command again, you do have a risk of getting the -0001 if you specify a list of domain names that's in any way different from the list of domain names covered by the existing certificate (whether by adding or removing names). Could you try running certbot certificates to see whether the coverage of your new and old certificates differs in some way?


still waiting for the
certbot certificates

in the interim, take a look at: https://crt.sh/?q=humankode.com
which seems to indicate that your “renewal” process is actually issuing new certs…

also why use “certonly” ?

Hi @schoen,

I ran the certbot renew command:

sudo docker run --rm -it --name certbot \
-v "/docker-volumes/etc/letsencrypt:/etc/letsencrypt" \
-v "/docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt" \
-v "/docker-volumes/data/letsencrypt:/data/letsencrypt" \
certbot/certbot \
renew 

And got the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/humankode.com-0001.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/humankode.com-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/humankode.com-0001.conf is broken. Skipping.

-------------------------------------------------------------------------------

No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/humankode.com-0001.conf (parsefail)
-------------------------------------------------------------------------------
0 renew failure(s), 1 parse failure(s)

Any ideas on how to proceed from here? What would be the best way to reset the button in terms of getting rid of the existing artifacts so that I can issue a new cert and test certbot renew again?

Start with this:
certbot certificates


Also you’re issuing a lot of certificates. Keep the rate limits in mind and use the staging environment to experiment (certbot --staging and certbot renew --dry-run).

https://crt.sh/?q=%humankode.com

https://letsencrypt.org/docs/rate-limits/

https://letsencrypt.org/docs/staging-environment/


I deleted all the -0001 subfolders and artifacts.
ls -la /docker-volumes/etc/letsencrypt/live/humankode.com

returns
drwxr-xr-x 2 root root 4096 Dec 23 20:07 .
drwxr-xr-x 3 root root 4096 Jan 6 05:38 ..
-rw-r--r-- 1 root root 1818 Dec 23 20:06 cert.pem
-rw-r--r-- 1 root root 1647 Dec 23 20:06 chain.pem
-rw-r--r-- 1 root root 3465 Dec 23 20:07 fullchain.pem
-rw-r--r-- 1 root root 1708 Dec 23 20:07 privkey.pem
-rw-r--r-- 1 root root 543 Dec 23 20:07 README

If I run the command
sudo docker run --rm -it --name certbot \
-v "/docker-volumes/etc/letsencrypt:/etc/letsencrypt" \
-v "/docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt" \
-v "/docker-volumes/data/letsencrypt:/data/letsencrypt" \
certbot/certbot \
certificates

I get
-------------------------------------------------------------------------------
No certs found.
-------------------------------------------------------------------------------

Ok, I managed to solve the issue. Thanks for all the input.

I found the root of the problem.
When I initially created the certificate, I used a non-official docker certbot image to issue the initial certificates.

I used deliverous/certbot instead of the certbot/certbot image. Then, when I tried to renew the certificate, it placed the renewed certificates in a -0001 suffix folder.

I confirmed this by issuing new certificates using the --staging flag on the deliverous/certbot image, and then proceeded by attempting to renew the certificates using the certbot/certbot image, and then got the -0001 suffix folder.

I then deleted everything and issued new certificates using the certbot/certbot image, and renewed using the certbot/certbot image, and everything worked fine.

There were obviously differences in how the certificates were created with the deliverous/certbot image.

From now on, I’ll stick to the official certbot images.
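
Added example, not part of the thread and not Certbot's own code: certbot tracks each certificate as a renewal/<name>.conf file plus live/<name>/*.pem symlinks into archive/<name>/, which is the layout the "expected ... to be a symlink" error above refers to. The shell function below checks that layout on the host side of the volume; the sample tree and the names copied.example and good.example are constructed.

```shell
# Added example. CONFIG_DIR is the host side of the /etc/letsencrypt volume,
# e.g. check_lineage /docker-volumes/etc/letsencrypt humankode.com
# check_lineage CONFIG_DIR NAME: print each problem, return how many were found
check_lineage() {
    local cfg="$1" name="$2" problems=0 f target
    # certbot discovers lineages through renewal/<name>.conf
    if [ ! -f "$cfg/renewal/$name.conf" ]; then
        echo "missing renewal config: $cfg/renewal/$name.conf"
        problems=$((problems + 1))
    fi
    for f in cert chain fullchain privkey; do
        if [ ! -L "$cfg/live/$name/$f.pem" ]; then
            # the case behind "expected .../cert.pem to be a symlink"
            echo "not a symlink: live/$name/$f.pem"
            problems=$((problems + 1))
            continue
        fi
        target="$(readlink "$cfg/live/$name/$f.pem")"
        case "$target" in
            */archive/*/"$f"[0-9]*.pem) ;;
            *) echo "unexpected target for $f.pem: $target"
               problems=$((problems + 1)) ;;
        esac
        if [ ! -e "$cfg/live/$name/$f.pem" ]; then
            echo "dangling symlink: live/$name/$f.pem"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample tree: copied.example holds regular files (like the ls
# output in the thread); good.example has live/ symlinks into archive/.
make_sample() {
    local root="$1" f
    mkdir -p "$root/renewal" "$root/live/copied.example" \
             "$root/live/good.example" "$root/archive/good.example"
    : > "$root/renewal/good.example.conf"
    for f in cert chain fullchain privkey; do
        : > "$root/live/copied.example/$f.pem"
        : > "$root/archive/good.example/${f}1.pem"
        ln -s "../../archive/good.example/${f}1.pem" "$root/live/good.example/$f.pem"
    done
}

tmp="$(mktemp -d)" && make_sample "$tmp"
check_lineage "$tmp" good.example && echo "good.example: ok"
check_lineage "$tmp" copied.example || echo "copied.example: $? problem(s)"
rm -rf "$tmp"
```

A non-zero return before switching images or restoring a backup means `certbot renew` will skip or fail to parse that lineage; testing the fix with `--staging` and `renew --dry-run`, as suggested earlier in the thread, avoids spending rate limit on it.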
