Creating a certificate without certain domains

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: russkiy.fun

I ran this command: sudo certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/russkiy.fun/fullchain.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/russkiy.fun/fullchain.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): Ubuntu 16.0.4

My hosting provider, if applicable, is: Amen.fr

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

————

I wanted to remove a domain name from my existing certificate, because this domain is no longer active on the server. I used the command sudo certbot delete --cert-name obsolete-name.net but when I ran sudo certbot certificates, I got the answer:

Found the following certs:
Certificate Name: russkiy.fun
Domains: obsolete-name.net dev.russkiy.fun russkiy.fun www.russkiy.fun
Expiry Date: 2019-05-14 23:45:08+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/russkiy.fun/fullchain.pem
Private Key Path: /etc/letsencrypt/live/russkiy.fun/privkey.pem

I thought: “OK. I’ll delete the russkiy.fun certificate and recreate it without obsolete-name.net”. But when I did that, calls to nginx -c /etc/nginx/nginx.conf -t failed because /etc/letsencrypt/live/russkiy.fun/fullchain.pem no longer existed.

“OK,” thought I, “I’ll recreate it, then nginx will be happy and we can continue.” But no: simply having an empty file at /etc/letsencrypt/live/russkiy.fun/fullchain.pem is not enough.

How can I reset certbot and nginx so that I can recreate my certificate from scratch?

#2

The Certbot nginx plugin won’t work until you have a working nginx configuration. It can’t perform that repair for you - you’ll need to do it by hand.

What you’ll want to do is just comment out those ssl_certificate and ssl_certificate_key lines in your nginx configuration that point to the non-existent files. Work on that until it does not complain when you test the config:

nginx -t

Once the above command runs OK, you can continue working with Certbot.

#3

Hi @blackslate

Your configuration should have a self-signed certificate.

Use that (cert and private key), so your SSL should work.
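Putting #2 (comment out the ssl_certificate / ssl_certificate_key lines that point at deleted files, then test the config) together with #3 (keep a self-signed pair in place until Certbot reissues), here is an added shell example. It is not code from the thread, from Certbot or from nginx. The temp directory, the other.example server block, the already-commented line and the "missing" paths are constructed for the demonstration; the self-signed pair is only a placeholder, and the config test is only attempted when nginx is installed on the host.

```shell
#!/bin/sh
# Added example (not from the thread, Certbot or nginx): repair an nginx
# config that still points at certificate files Certbot has deleted.
#   1. comment out ssl_certificate / ssl_certificate_key directives whose
#      file no longer exists (the fix from #2),
#   2. give a server block a temporary self-signed pair so it stays valid
#      until Certbot reissues (the suggestion from #3),
#   3. test the config before running Certbot again.
# Every path and host name below is constructed for the demonstration.

# disable_missing_cert_lines CONFIG
# Rewrites CONFIG in place and prints how many directives it commented out.
# Already-commented lines are skipped, so running it twice is harmless.
disable_missing_cert_lines() {
    cfg="$1"; tmp="$cfg.tmp.$$"; count=0
    while IFS= read -r line || [ -n "$line" ]; do
        ws=${line%%[![:space:]]*}          # leading indentation
        trimmed=${line#"$ws"}
        case "$trimmed" in
            ssl_certificate[[:space:]]*|ssl_certificate_key[[:space:]]*)
                set -- $trimmed            # $1 directive, $2 path argument
                path=${2%;}; path=${path#\"}; path=${path%\"}
                if [ -n "$path" ] && [ ! -e "$path" ]; then
                    printf '%s# %s   # disabled: file missing\n' "$ws" "$trimmed"
                    count=$((count + 1))
                    continue
                fi
                ;;
        esac
        printf '%s\n' "$line"
    done < "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
    echo "$count"
}

# make_selfsigned DIR NAME: temporary self-signed pair (placeholder until
# Certbot reissues). Falls back to empty files if openssl is absent so the
# repair logic can still be exercised; nginx rejects empty files with the
# same "no start line" PEM_read_bio error quoted in #1.
make_selfsigned() {
    dir="$1"; name="$2"
    if command -v openssl >/dev/null 2>&1 && openssl req -x509 -newkey rsa:2048 \
         -nodes -days 1 -subj "/CN=$name" -keyout "$dir/$name.key" \
         -out "$dir/$name.crt" >/dev/null 2>&1; then
        return 0
    fi
    : > "$dir/$name.crt"; : > "$dir/$name.key"     # empty placeholders
}

# make_sample_config DIR: a constructed config shaped like the one in the thread
make_sample_config() {
    dir="$1"
    mkdir -p "$dir"
    make_selfsigned "$dir" "other.example"
    cat > "$dir/site.conf" <<EOF
server {
    listen 443 ssl;
    server_name russkiy.fun www.russkiy.fun dev.russkiy.fun;
    # on the real host these were /etc/letsencrypt/live/russkiy.fun/fullchain.pem
    # and privkey.pem, which 'certbot delete' removed
    ssl_certificate     $dir/missing/fullchain.pem;
    ssl_certificate_key $dir/missing/privkey.pem;
    # ssl_certificate   $dir/already-commented.pem;
}
server {
    listen 443 ssl;
    server_name other.example;
    ssl_certificate     $dir/other.example.crt;
    ssl_certificate_key $dir/other.example.key;
}
EOF
    # minimal wrapper so the whole thing can be tested with 'nginx -t -c'
    printf 'events {}\nhttp { include %s/site.conf; }\n' "$dir" > "$dir/nginx.conf"
}

# Demonstration run on the constructed config
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir"
echo "directives commented out: $(disable_missing_cert_lines "$demo_dir/site.conf")"
cat "$demo_dir/site.conf"
# Step 3: the same config test Certbot's nginx plugin runs; only attempted
# when nginx is installed, since the outcome depends on the host.
if command -v nginx >/dev/null 2>&1; then
    nginx -t -c "$demo_dir/nginx.conf" || echo "config still broken, keep editing"
else
    echo "nginx not installed here; on the real host run: nginx -t"
fi
```

On the real host the function is run against the file under /etc/nginx that carries the dead ssl_certificate lines, nginx -t is repeated until it passes, and only then is Certbot invoked again; the block for the domain that lost its files can either stay commented out for the moment or be pointed at the temporary self-signed pair, which Certbot's nginx plugin will later replace with the reissued certificate.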