Certificate extension for 3rd level domains

My domain is: thomas.miglinci.name

I ran this command: certbot certonly --standalone -d www.thomas.miglinci.name -d thomas.miglinci.name
Checking afterwards using certbot certificates showed:


Found the following certs:
...
Certificate Name: www.thomas.miglinci.name
Domains: www.thomas.miglinci.name thomas.miglinci.name
Expiry Date: 2025-02-26 12:30:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.thomas.miglinci.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.thomas.miglinci.name/privkey.pem


Nevertheless, opening https://thomas.miglinci.name in Chrome brings up an invalid certificate warning.

I do have a forwarding from thomas.miglinci.name to www.thomas.miglinci.name via apache on my server, therefore I did not recognize this and to be honest, I did not care about this at all.
But with Bluesky you can use your domain as your handle, but thomas.miglinci.name was rejected as not being covered by the certificate?!

Thanks for any support
Thomas


That is unusual to use --standalone when you have a running Apache server. The --standalone option requires exclusive use of port 80 so requires Apache to be stopped beforehand. Usually a --webroot or even certonly --apache is used instead.

That said, you have gotten certs with different combinations of your names. Some with just your www subdomain and some with that and your apex name. See pic below from https://crt.sh

Your Apache server is using one from Oct19 with only your www subdomain in it. Using that cert and your apex domain will fail with invalid cert. Which is what you see.

Please show output of these two commands

sudo certbot certificates
sudo apache2ctl -t -D DUMP_VHOSTS

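The mismatch described in this reply (the names listed by `certbot certificates` versus the names in the certificate Apache actually hands out) is easiest to confirm from the client side. The following script is an added example, not code from the thread or from Certbot: it opens a TLS connection with SNI set to each hostname, reads the subjectAltName of the served certificate, and applies the browser's DNS-name matching rule (exact match or a single-label wildcard). The function names, the constructed sample certificate dict and the hostnames from the thread are assumptions of the example.

```python
"""Audit which certificate an HTTPS server serves for each SNI hostname."""
import socket
import ssl


def san_dns_names(cert):
    """Extract the DNS entries from the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_covered(hostname, san_names):
    """RFC 6125-style check: exact (case-insensitive) match, or a '*' left-most label.

    Browsers compare the requested name only against subjectAltName DNS entries,
    so a cert with only www.example.org does not cover example.org, and a
    wildcard such as *.example.org covers exactly one label.
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                    # "*.miglinci.name" -> ".miglinci.name"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]  # what the '*' would have to cover
                if leftmost and "." not in leftmost:
                    return True
    return False


def fetch_served_cert(hostname, port=443, timeout=5.0):
    """Connect with SNI=hostname and return the served leaf cert as a dict.

    The chain is still verified against the system trust store (a Let's Encrypt
    cert validates normally), but hostname checking is turned off so that a
    mismatching certificate is returned for inspection instead of raising.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def audit(hostnames, fetch=fetch_served_cert):
    """Map each hostname to (covered?, DNS SANs of the cert served for it)."""
    report = {}
    for hostname in hostnames:
        sans = san_dns_names(fetch(hostname))
        report[hostname] = (hostname_covered(hostname, sans), sans)
    return report


# Constructed stand-in for the older cert the reply describes: only the www name.
# This is sample data for an offline run, not a real certificate from the server.
SAMPLE_WWW_ONLY_CERT = {
    "subject": ((("commonName", "www.thomas.miglinci.name"),),),
    "subjectAltName": (("DNS", "www.thomas.miglinci.name"),),
}

NAMES = ["thomas.miglinci.name", "www.thomas.miglinci.name"]

if __name__ == "__main__":
    # Offline demonstration against the constructed cert, then the live check.
    for name, (ok, sans) in audit(NAMES, fetch=lambda h: SAMPLE_WWW_ONLY_CERT).items():
        print(f"[sample] {name}: {'covered' if ok else 'NOT covered'} by {sans}")
    try:
        for name, (ok, sans) in audit(NAMES).items():
            print(f"[live]   {name}: {'covered' if ok else 'NOT covered'} by {sans}")
    except OSError as exc:
        print(f"[live]   skipped: {exc}")
```

Run it on any machine with outbound HTTPS; a name reported as NOT covered while `certbot certificates` lists it means the vhost serving that SNI name points at a different lineage than the one just issued.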

Okay, I see.
Seems like I bricked it somehow. I did have some parallel entries in the live directory with -0001 ending which were not used by my server. So I removed them - or let's say, I invalidated them by changing the extension to .bup; they are still there but are no longer recognized by certbot....
So is there a chance to revoke certificates just by their crt.sh ID? Because then I would like to get rid of all but the first one.
I revoked these changes and here are the outputs:

$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: cloud.viehai.at
Domains: cloud.viehai.at
Expiry Date: 2025-01-17 07:24:42+00:00 (VALID: 49 days)
Certificate Path: /etc/letsencrypt/live/cloud.viehai.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cloud.viehai.at/privkey.pem
Certificate Name: mail.viehai.at
Domains: mail.viehai.at
Expiry Date: 2025-01-17 07:24:53+00:00 (VALID: 49 days)
Certificate Path: /etc/letsencrypt/live/mail.viehai.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.viehai.at/privkey.pem
Certificate Name: thomas.miglinci.name-0001
Domains: www.thomas.miglinci.name thomas.miglinci.name
Expiry Date: 2025-02-26 12:13:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/privkey.pem
Certificate Name: thomas.miglinci.name
Domains: thomas.miglinci.name mail.viehai.at www.thomas.miglinci.name
Expiry Date: 2025-01-17 07:25:30+00:00 (VALID: 49 days)
Certificate Path: /etc/letsencrypt/live/thomas.miglinci.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thomas.miglinci.name/privkey.pem
Certificate Name: viehai.at
Domains: viehai.at www.viehai.at
Expiry Date: 2025-01-17 07:25:41+00:00 (VALID: 49 days)
Certificate Path: /etc/letsencrypt/live/viehai.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/viehai.at/privkey.pem
Certificate Name: www.margarete.rozum.name
Domains: www.margarete.rozum.name
Expiry Date: 2025-01-23 08:44:07+00:00 (VALID: 55 days)
Certificate Path: /etc/letsencrypt/live/www.margarete.rozum.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.margarete.rozum.name/privkey.pem
Certificate Name: www.thomas.miglinci.name
Domains: www.thomas.miglinci.name thomas.miglinci.name
Expiry Date: 2025-02-26 12:30:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.thomas.miglinci.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.thomas.miglinci.name/privkey.pem


and

$ apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 is a NameVirtualHost
default server srv4hai.viehai.at (/etc/apache2/sites-enabled/000-default.conf:3)
port 80 namevhost srv4hai.viehai.at (/etc/apache2/sites-enabled/000-default.conf:3)
port 80 namevhost www.viehai.at (/etc/apache2/sites-enabled/010-viehai.conf:1)
alias viehai.at
port 80 namevhost thomas.miglinci.name (/etc/apache2/sites-enabled/022-thomas.conf:1)
alias www.thomas.miglinci.name
port 80 namevhost margarete.rozum.name (/etc/apache2/sites-enabled/margarete.conf:1)
alias www.margarete.rozum.name
port 80 namevhost cloud.viehai.at (/etc/apache2/sites-enabled/owncloud.conf:1)
port 80 namevhost mail.viehai.at (/etc/apache2/sites-enabled/roundcube.conf:1)
*:443 is a NameVirtualHost
default server margarete.rozum.name (/etc/apache2/sites-enabled/margarete-le-ssl.conf:2)
port 443 namevhost margarete.rozum.name (/etc/apache2/sites-enabled/margarete-le-ssl.conf:2)
alias www.margarete.rozum.name
port 443 namevhost cloud.viehai.at (/etc/apache2/sites-enabled/owncloud-le-ssl.conf:2)
port 443 namevhost mail.viehai.at (/etc/apache2/sites-enabled/roundcube-le-ssl.conf:2)
port 443 namevhost thomas.miglinci.name (/etc/apache2/sites-enabled/thomas-le-ssl.conf:2)
alias www.thomas.miglinci.name
port 443 namevhost www.viehai.at (/etc/apache2/sites-enabled/viehai-le-ssl.conf:2)
alias viehai.at

thanks for your support
Thomas


You have two certs covering the exact same names:

And you have another mixed name cert that also shares those same two names:

EDIT:
And the name mixed in has its own cert:


To remove a Certbot cert you no longer need use:

sudo certbot delete --cert-name (cert-name)

Where (cert-name) is seen in the certificates list:

Certificate Name: thomas.miglinci.name-0001
Domains: www.thomas.miglinci.name thomas.miglinci.name
Expiry Date: 2025-02-26 12:13:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/privkey.pem

Be sure you no longer have any references to these files in Apache or other TLS services (mail servers and such).

Unless your system or private key has been compromised there is no need to revoke certs.

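The advice above, to make sure nothing still references a lineage before running `certbot delete --cert-name`, can be checked mechanically. The script below is an added example, not Certbot's or the poster's code: it scans Apache configuration text for the mod_ssl directives that load certificate material and reports the ones pointing into `/etc/letsencrypt/live/<cert-name>/`. The directory `/etc/apache2/sites-enabled` is the one shown in the thread's `DUMP_VHOSTS` output; the sample vhost embedded below is constructed for the demonstration and is not the real `thomas-le-ssl.conf`.

```python
"""Find Apache references to a Certbot lineage before deleting it."""
import re
from pathlib import Path

# Directives mod_ssl reads certificate material from; the path may be quoted.
DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)\s+"?([^"\s]+)"?',
    re.IGNORECASE | re.MULTILINE,
)
# Certbot keeps the current symlinks of a lineage under /etc/letsencrypt/live/<cert-name>/.
LIVE_RE = re.compile(r"^/etc/letsencrypt/live/([^/]+)/")


def cert_references(config_text):
    """Return (directive, path) pairs found in one config file's text."""
    return [(m.group(1), m.group(2)) for m in DIRECTIVE_RE.finditer(config_text)]


def lineage_of(path):
    """Certbot lineage name a path belongs to, or None if it is not under live/."""
    m = LIVE_RE.match(path)
    return m.group(1) if m else None


def references_to_lineage(config_text, cert_name):
    """Directives in config_text that point at the given Certbot lineage."""
    return [(d, p) for d, p in cert_references(config_text) if lineage_of(p) == cert_name]


def scan_directory(directory, cert_name):
    """Scan every *.conf in an Apache config directory; map filename -> hits."""
    hits = {}
    for conf in sorted(Path(directory).glob("*.conf")):
        found = references_to_lineage(conf.read_text(errors="replace"), cert_name)
        if found:
            hits[str(conf)] = found
    return hits


# Constructed sample vhost (hypothetical content, modelled on the thread's vhost names).
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName thomas.miglinci.name
    ServerAlias www.thomas.miglinci.name
    SSLCertificateFile /etc/letsencrypt/live/thomas.miglinci.name-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/thomas.miglinci.name-0001/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "thomas.miglinci.name-0001"
    print(f"sample vhost -> {target}:", references_to_lineage(SAMPLE_VHOST, target))
    # On the server: python3 check_refs.py thomas.miglinci.name-0001
    live_hits = scan_directory("/etc/apache2/sites-enabled", target)
    for path, found in live_hits.items():
        for directive, cert_path in found:
            print(f"{path}: {directive} {cert_path}")
    if not live_hits:
        print(f"no Apache references to {target}; safe to run certbot delete --cert-name {target}")
```

An empty result means no enabled Apache vhost loads files from that lineage; other TLS services (Postfix, Dovecot and similar) keep their paths in their own config files and need the same check against those files.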

Thanks for the hints - at least I could get rid of the unnecessary entries.

best regards
Thomas
