Certonly strange behavior

Hello,
I’m updating the outdated certificate manually with “certonly” for a mail server. I have two mail domains, so I run it twice, once for each domain. One of them works fine: everything looks OK in the log and the updated certificate works.
But not the second one. Certbot creates a new subdirectory with a ‘-0001’ suffix and saves the new files there, instead of updating the existing subdirectory. That’s not so good, because I need to edit the .sh script which updates the .db file in Postfix. I edited it and tried to update the DB file, but it doesn’t work. At least, I see an error when I try to fetch emails, saying that the mail server certificate is outdated.
OK. Then I tried deleting all the ‘-0001’ subdirectories from the appropriate locations within the /etc/letsencrypt/ directory, as well as the “original” subdirectories (i.e. without the suffix) for that mail domain. Then I ran certbot again. Now it has created the subdirectory without any suffix, and my mail server is working again.

So, my question is: what could be the reason for such ‘-0001’ suffix creation? Why has it occurred for one domain only? How can I avoid such a problem in future?

My certbot version is 0.31.0-1 on Debian 10.

Thank you.

1 Like

Hi @DeadlineX

the documentation answers your question.

-d DOMAIN, --domains DOMAIN, --domain DOMAIN
                        Domain names to apply. For multiple domains you can
                        use multiple -d flags or enter a comma separated list
                        of domains as a parameter. The first domain provided
                        will be the subject CN of the certificate, and all
                        domains will be Subject Alternative Names on the
                        certificate. The first domain will also be used in
                        some software user interfaces and as the file paths
                        for the certificate and related material unless
                        otherwise specified or you already have a certificate
                        with the same name. In the case of a name collision it
                        will append a number like 0001 to the file path name.
2 Likes

Hi,
I don’t understand why certbot works differently for two visually similar domains. According to the quoted description, a 0001 suffix should be created for both domains, as both of them had existing (expired) certificates. Nevertheless, certbot added new files into the existing subdirectory for one domain, but created a new subdirectory for the other domain.

Maybe I don’t understand what the description states?

1 Like

-0001 type suffixes are created when a cert is being created that would have the exact same name but would not cover the exact set of domain names.
So that there will then be two “similar” names; one as domain.name and the other as domain.name-0001.
Both being active at the same time.
An easy example that would cause this is for one to get a cert that covers a single name:
domain.name
The cert folder for that would be domain.name.
Then a week later (or whenever, while the first cert is still active)…
You get a cert to cover:
domain.name and www.domain.name
This tries to create a cert folder domain.name but realizes that name is already taken…
So it calls this new cert folder domain.name-0001 to differentiate them.

3 Likes

If you’re running interactively, in that case Certbot should ask you if you want to expand the existing certificate (hopefully most users would understand that they should answer “expand” to avoid the -0001).

A case in which it would happen without prompting at all is:

  • initially request domain.name and www.domain.name
  • later, request domain.name (without www.domain.name) or domain.name + mail.domain.name (without www.domain.name)

The absence of any existing name in the new list will cause the -0001 duplicate certificate to be created without warning or prompting the user (which is unfortunate in retrospect, because it’s most often not what the user wanted).

2 Likes
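The two replies above describe the rule certbot applies when it picks a lineage directory for a certonly request. The following Python model, added here as an illustration and not taken from certbot’s source, encodes that rule over a constructed `/etc/letsencrypt/live/` inventory so the collision cases can be tried out offline: an identical name set renews in place, a request that strictly extends an existing lineage gets the interactive “expand” offer, and anything else (including a request that is a subset of an existing lineage) becomes a new lineage, whose name receives a `-0001` suffix if the first domain is already taken. The `cert_name` branch stands in for certbot’s real `--cert-name` option; how it is modelled here (pinning the lineage and replacing its name set) is an assumption.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

Lineages = Dict[str, FrozenSet[str]]

# Constructed sample of what /etc/letsencrypt/live/ already holds:
# lineage (directory) name -> set of names covered by that certificate.
EXISTING: Lineages = {
    "domain.name": frozenset({"domain.name", "www.domain.name"}),
}


def next_free_name(base: str, existing: Lineages) -> str:
    """Return base unchanged if unused, else base-0001, base-0002, ... (first free)."""
    if base not in existing:
        return base
    n = 1
    while f"{base}-{n:04d}" in existing:
        n += 1
    return f"{base}-{n:04d}"


def choose_lineage(requested: List[str], existing: Lineages,
                   cert_name: Optional[str] = None) -> Tuple[str, str]:
    """Model of how certonly maps a -d list onto a lineage directory.

    Returns (action, lineage_name), where action is one of:
      "renew"   - an existing lineage covers exactly this set of names
      "expand"  - an existing lineage's names are a strict subset of the request;
                  interactive certbot offers to expand it (answer "expand" and
                  the directory name is kept)
      "newcert" - nothing identical, nothing to expand: a new lineage is created
                  with no prompt, and a taken name gets the -NNNN suffix
      "replace" - cert_name pins the lineage, so its name set is simply updated
                  (assumed behaviour of --cert-name, not verified against certbot)
    """
    req = frozenset(requested)
    if cert_name is not None:
        return ("renew" if existing.get(cert_name) == req else "replace", cert_name)

    identical = [name for name, doms in existing.items() if doms == req]
    if identical:
        return "renew", identical[0]

    # Strict subset: the request adds names to an existing lineage -> expand offer.
    extendable = [name for name, doms in existing.items() if doms < req]
    if extendable:
        return "expand", extendable[0]

    # Everything else, including a request that *drops* a name (domain.name alone
    # when domain.name + www.domain.name exists), silently becomes a new lineage.
    # The directory is named after the first -d value, hence the -0001 collision.
    return "newcert", next_free_name(requested[0], existing)


if __name__ == "__main__":
    scenarios = [
        ["domain.name", "www.domain.name"],                     # renew
        ["domain.name", "www.domain.name", "mail.domain.name"], # expand prompt
        ["domain.name"],                                        # -0001, no prompt
        ["domain.name", "mail.domain.name"],                    # -0001, no prompt
        ["mail.domain.name"],                                   # fresh lineage
    ]
    for domains in scenarios:
        action, lineage = choose_lineage(domains, EXISTING)
        print(f"{' '.join('-d ' + d for d in domains):60s} -> {action:8s} {lineage}")
```

Running the script prints one line per scenario; the third and fourth lines are the cases the reply above calls out as producing the duplicate without any warning. Checking `choose_lineage` (or, on a real host, the output of `certbot certificates`) before running certonly shows in advance whether a request will land in the existing directory or in a `-0001` one.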

I can’t check if my case falls under these conditions, as I’ve already re-created the certificate, but your explanation seems like just my case.
Thank you.

1 Like
