I’m updating the outdated certificate manually with “certonly” for the mail server. I have two mail domains, so I run it twice, once for each domain. One of them works fine: everything looks OK in the log and the updated certificate works.
But not the second one. Certbot creates a new subdirectory with a ‘-0001’ suffix and saves the new files there, instead of updating the existing subdirectory. That’s not good, because I need to edit the .sh script that updates the .db file in Postfix. I’ve edited it and tried to update the DB file, but it doesn’t work: I still see an error when I try to get emails, saying that the mail server certificate is outdated.
OK. Then I tried to delete all ‘-0001’ subdirectories from the appropriate locations within the /etc/letsencrypt/ directory, as well as the “original” subdirectories (i.e. without the suffix) for that mail domain. Then I ran certbot again. Now it has created the subdirectory without any suffix, and my mail server is working again.
So, my question is: what could be the reason for such ‘-0001’ suffix creation? Why has it occurred for one domain only? How can I avoid this problem in the future?
-d DOMAIN, --domains DOMAIN, --domain DOMAIN
Domain names to apply. For multiple domains you can
use multiple -d flags or enter a comma separated list
of domains as a parameter. The first domain provided
will be the subject CN of the certificate, and all
domains will be Subject Alternative Names on the
certificate. The first domain will also be used in
some software user interfaces and as the file paths
for the certificate and related material unless
otherwise specified or you already have a certificate
with the same name. In the case of a name collision it
will append a number like 0001 to the file path name.
I don’t understand why certbot works differently for two visually similar domains. According to the quoted description, the 0001 suffix should have been created for both domains, as both of them had existing (expired) certificates. Nevertheless, certbot added new files into the existing subdirectory for one domain, but created a new subdirectory for the other domain.
Maybe I don’t understand what the description states?
-0001 type suffixes are created when a cert is being created that would have the exact same name but would not cover the exact set of domain names.
So that there will then be two “similar” names; one as domain.name and the other as domain.name-0001.
Both being active at the same time.
An easy example that would cause this is for one to get a cert that covers a single name: domain.name
The cert folder for that would be domain.name.
Then a week later (or whenever, while the first cert is still active)…
You get a cert to cover: domain.name and www.domain.name
This tries to create a cert folder domain.name but realizes that name is already taken…
So it calls this new cert folder domain.name-0001 to differentiate them.
If you’re running interactively, in that case Certbot should ask you if you want to expand the existing certificate (hopefully most users would understand that they should answer “expand” to avoid the -0001).
A case in which it would happen without prompting at all is:
The absence of any existing name in the new list will cause the -0001 duplicate certificate to be created without warning or prompting the user (which is unfortunate in retrospect, because it’s most often not what the user wanted).
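The naming rule described in the two replies above (same first domain, different set of names, and whether any existing name overlaps) can be checked before running certbot. This is an added example, not code from certbot or from anyone in this thread; it assumes the `Certificate Name:` / `Domains:` line layout of `certbot certificates` output, models the numbering as incrementing past -0001, and uses constructed sample output.

```python
"""Predict whether a `certbot certonly -d ...` request will reuse an
existing lineage, prompt to expand it, or silently create NAME-0001.
Assumed inputs: existing lineages as {name: set(domains)} and the
ordered list of -d values. Encodes the rule from the thread above."""
import re

# Constructed sample in the layout of `certbot certificates` output.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: mail.example.org
    Domains: mail.example.org imap.example.org
  Certificate Name: mail.example.net
    Domains: mail.example.net
"""

def parse_certificates(text):
    """Map lineage name -> set of covered domains from certbot output."""
    lineages, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current:
            lineages[current] = set(m.group(1).split())
    return lineages

def next_free_name(existing, base):
    """Assumed: certbot keeps incrementing the suffix until it is free."""
    n = 1
    while f"{base}-{n:04d}" in existing:
        n += 1
    return f"{base}-{n:04d}"

def predict(existing, requested):
    """Return (lineage that will be written, outcome)."""
    requested = list(dict.fromkeys(requested))  # de-duplicate, keep order
    base, want = requested[0], set(requested)    # first -d = folder name
    for name, covered in existing.items():
        if covered == want:                      # identical name set
            return name, "renew-existing"
    if base not in existing:                     # no collision at all
        return base, "new"
    if existing[base] & want:                    # overlap: interactive prompt
        return base, "prompt-to-expand"
    return next_free_name(existing, base), "new-0001-silent"
```

Run `predict(parse_certificates(output), ["mail.example.org", "smtp.example.org"])` before requesting a certificate to see which folder the Postfix script should expect.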