Confirm process for removing domain from certificate

Yes, the "operative one" is defined by which one your Apache configuration is currently pointing at, causing Apache to read that one from disk when it's started up. There is no other relevant definition of the operative one, and Certbot in some sense doesn't have a preference between the continued existence or use of one over the other.

If different virtual hosts in Apache are currently pointing to distinct certificates on disk, then there could be more than one "operative" certificate at a given time.

If you're concerned about deleting the wrong thing and breaking your setup, you can also make a backup, like

sudo rsync -a /etc/letsencrypt /tmp

Then you will have /tmp/letsencrypt containing copies of all of your certificates files (including the important symlink structure, thanks to -a) which could all be copied back if you delete something that turns out not to be what you meant to delete.

5 Likes

schoen, good stuff. I looked at my vhost-le-ssl.conf file. Here is a typical case (leaving out the DocumentRoot, ErrorLog, CustomLog lines that don't contribute to this discussion). NOTE THE REFERENCE TO THE -0001 CERTIFICATE:

ServerAdmin ken.gorman@me.com
ServerName sme62.org
ServerAlias www.sme62.org
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/enfeedia.com-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/enfeedia.com-0001/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/enfeedia.com-0001/chain.pem

All that was done by certbot (or God). I didn't make changes to the new cert name.

Bingo, now we know which one is the "operative" one. All the vhost blocks are the same except for the ServerName and Alias, of course.

Now I need to delete the original. Or do I? If I keep it because of the FUD factor, will I get into trouble because it includes the domain I don't want and will be transferring to another party? Or would the receiving party then have a problem getting the cert for their new domain?

If I do need to delete it, is it safe to just delete the original cert without performing that sequence of things in the "Safely deleting certificates" instructions? I'm hoping for a "it's safe" answer. :wink:

Continuing previous, about "is it safe"

I did this per Safely deleting certificates instructions:

sudo bash -c 'grep -R live/example.com /etc/{nginx,httpd,apache2}'

and got this:
grep: /etc/nginx: No such file or directory
grep: /etc/apache2: No such file or directory

That means I go to step 4:
sudo certbot delete --cert-name example.com

Off I go to do that, substituting in my original cert name of course.

That seems... wrong.

Please try:
sudo bash -c 'grep -Ri live /etc/{nginx,httpd,apache2}'

This (inclusion of -0001) is also troublesome:

3 Likes

Did you literally type example.com or did you use your own domain name here?

4 Likes

Complete step 4. Did certbot renew --dry-run and the listing of domains is perfect; the unwanted one is not present.

Case closed.

Lessons learned:
-- I know very little about certbot.
-- I know very little about certificates.
-- In the future, I could adopt my newly learned process:

  1. Add or delete vhost blocks in vhost-le-ssl.conf

  2. Use --expand to remove a domain (and of course to add one). Blasphemy, you say.

  3. If deleting a domain, do

sudo bash -c 'grep -R live/example.com /etc/{nginx,httpd,apache2}'

and verify

grep: /etc/nginx: No such file or directory
grep: /etc/apache2: No such file or directory

  4. Delete the unwanted domain using:
    certbot delete --cert-name example.com
    where example.com is the cert name before starting this process.

OMG! That produces a huge list! I don't know what to do with it! I don't dare post it here, it will clobber this thread. Is there something specific I should look for? Or ignore the whole thing just being happy it found "some" stuff?

schoen, I substituted in my own domain name.

Tip: if you don't want Certbot to create new certificates when modifying an existing one, use --cert-name when adding/removing hostnames instead of --expand.

3 Likes

Look at the files being used...
Pay attention to their complete paths.
None should be using the path of the cert you intend to delete.

2 Likes
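The "is anything still pointing at this lineage?" check from the lessons-learned steps and from the reply just above, as an added example that is not from the thread or from Certbot itself. It builds a constructed copy of a vhost-le-ssl.conf in a temporary directory (the /etc paths are never touched) and greps it for live/<cert-name>/ with the trailing slash, because a bare pattern like live/enfeedia.com also matches live/enfeedia.com-0001, which is exactly the ambiguity the thread ran into. The function names and the temp layout are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: confirm that no web-server config still
# references /etc/letsencrypt/live/<cert-name>/ before running
#   certbot delete --cert-name <cert-name>
# All paths are constructed under a temp dir so the script runs offline.
set -eu

# Constructed config tree mirroring the thread: the -0001 lineage is in use,
# the original lineage (enfeedia.com) is not referenced anywhere.
CONFROOT="$(mktemp -d)"
trap 'rm -rf "$CONFROOT"' EXIT
mkdir -p "$CONFROOT/httpd/conf.d"
cat > "$CONFROOT/httpd/conf.d/vhost-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName sme62.org
    ServerAlias www.sme62.org
    SSLCertificateFile /etc/letsencrypt/live/enfeedia.com-0001/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/enfeedia.com-0001/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/enfeedia.com-0001/chain.pem
</VirtualHost>
EOF

# cert_refs CERT_NAME CONFROOT
# Prints every config line that points at live/CERT_NAME/ (file:line:text).
# Returns 0 when there are none (safe to delete), 1 when the lineage is in use.
# The trailing slash in the pattern stops "enfeedia.com" from matching
# "enfeedia.com-0001".
cert_refs() {
    local name="$1" root="$2" hits
    hits="$(grep -R --include='*.conf' -n "live/${name}/" "$root" 2>/dev/null || true)"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# safe_to_delete CERT_NAME CONFROOT -> prints "safe" or "in-use"
safe_to_delete() {
    if cert_refs "$1" "$2" >/dev/null; then
        echo safe
    else
        echo in-use
    fi
}

main() {
    for name in enfeedia.com enfeedia.com-0001; do
        printf '%s: %s\n' "$name" "$(safe_to_delete "$name" "$CONFROOT")"
    done
}
main
```

On a real host you would point CONFROOT at /etc (or at the httpd, apache2 and nginx directories the thread greps) and only run certbot delete for a name that reports "safe"; a name reporting "in-use" means Apache would fail to start or serve the wrong certificate after the lineage is removed.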

What would the full command look like? Identical to --expand but with --cert-name replacing --expand?

If that's the case, I sure do wish I knew that many hours ago. :frowning:

OK, thanks. Time to brew some coffee.

1 Like

Actually easier than I thought. Did a search on enfeedia.com and verified wherever it appeared, it was always enfeedia.com-0001, the cert I want. Always in /etc/httpd/conf.d/vhost-le-ssl.conf .

Unfortunately, Certbot doesn't have options like --add-domains and --remove-domains, so usually you'd just run sudo certbot .... with the commands you'd run the first time, but with a different set of domains for the -d option(s). As already stated in this thread, the --expand command is a little bit weird in the fact that it's supposed to be meant for adding domains, but there isn't an option like --contract, i.e., the opposite of --expand to remove domains.

All in all you can conclude the management of hostnames for existing certificates in Certbot is terrible and my advice is to use the exact same command as used previously but with a different set of -d option(s) and adding the --cert-name so you don't end up with multiple certificates.

4 Likes

Osiris, is the command exactly:

certbot --cert-name -d existing.com -d example.com -d newdomain.com

Do I need to include the actual certificate name in the command? Or does the first domain in the list need to be the certificate name, i.e., in the example above existing.com?

What happens if I no longer want existing.com. If I leave it out, I assume the certificate gets a new name, right? With existing.com no longer in the list, is the new cert name the same as the next domain in the list after existing.com? And in this case, example.com would be the new cert name?

And used for adding or removing domains (by omission)? And both adding and removing in the same command?

You forgot to include the actual cert name.

Yes.

Only if you don't specify --cert-name will a name be generated.
Now, will it be the first one specified in your request?
hmm...
I think certbot will sort the names and then pick the first one.

Here certbot tries to "best fit" the request to an already existing certificate.

If you specify the cert name it will be replaced by whatever is stated.
Which can be an add, or a remove, or an add and remove; As it is in fact a replacement of that cert.

3 Likes

Consider this:
certbot --cert-name coolguy.com -d existing.com -d example.com -d newdomain.com

  1. Is the syntax correct for showing the coolguy.com certificate name, or is a prefix needed?

  2. If I keep the cert-name provided (coolguy.com) in doing an add or removal from the certificate, is the update done preserving the cert name or is a new one created leaving me with need to properly delete the original?

I'm hoping this is my last question! Thanks!

1 Like

A#1: Yes, it will create a cert by that name.
But the cert name doesn't need to look like a domain... it could also be --cert-name coolguy
The cert name is just a "text label" used to locate and manage that cert.

A#2: Yes; The use of --cert-name will force the result to be stored under that label.
[which will overwrite the previous use (if any)]

4 Likes

rg305, perfect.

I will mark this as a solution within the next day or two, in case anyone else wishes to chime in.

(I pity the poor person who tries to review this topic from beginning to the final solution.)

I have to say it again, the gang on this thread has helped me so much, not to just solve the problem, but present stuff in a way I learned things I can take from this and never have this problem again. THANK YOU.

1 Like
