Delete domain from local cert authority

"Trying" to help David, my son
His domain is :
duradera.co

certbot certificates:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/duradera.co.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.


Found the following certs:
Certificate Name: duradera.co-0001
Domains: duradera.co
Expiry Date: 2023-03-28 01:32:22+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/duradera.co-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/duradera.co-0001/privkey.pem
Certificate Name: plgroves.stream-0001
Domains: plgroves.stream www.plgroves.stream
Expiry Date: 2023-03-03 07:00:44+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/plgroves.stream-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/plgroves.stream-0001/privkey.pem
Certificate Name: plgroves.stream
Domains: plgroves.stream duradera.co www.duradera.co www.plgroves.stream
Expiry Date: 2023-03-28 01:32:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/plgroves.stream/fullchain.pem
Private Key Path: /etc/letsencrypt/live/plgroves.stream/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/duradera.co.conf


I ran this command:
certbot --apache --cert-name duradera.co-001 delete

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificate found with name duradera.co-001 (expected /etc/letsencrypt/renewal/duradera.co-001.conf).

OS: Ubuntu 18.04
Server is: apache2 ver. 2.4.29-1ubuntu4.25
apache 2
version = 0.27.0

One night, my son complained his site was down. I googled how to force renewal (not those exact words.) I got the standard reward for impatience.

I would like to properly remove this domain from my local certificate authority.

To start ...

  1. the name of the cert ends in -0001 not -001
  2. the format of the delete command is wrong

But why do you want to delete that one? Because it looks OK, whereas the cert named duradera.co.conf looks faulty (the one without the sequence number).

Before deleting anything I recommend reading this section carefully. You can easily create a mess.

https://eff-certbot.readthedocs.io/en/stable/using.html#safely-deleting-certificates

6 Likes

After you absorb the info about deleting certs, you should review your DNS settings because you have both an IPv4 and IPv6 address but the IPv6 address is not working. You should get it working or remove the AAAA record from your DNS.

Name:   duradera.co
A    Address: 99.124.226.90
AAAA Address: 2600:1700:e03:740f:ad15:a92a:4887:3904

curl -I4 -m8 https://duradera.co
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)

curl -I6 -m8 https://duradera.co
curl: (28) Failed to connect to duradera.co port 443 after 4002 ms: Connection timed out

Also see Let's Debug test site (link here)

6 Likes

3) My son is rich now and does not need his old man. Has "professional" web service now, as opposed to amateur?! lol
1. My bad, it was late at night and I was relying on Google and Stack-whatever
2. Will RTFM now

1 Like

Describe "your DNS settings." Since stock Chrome in any form can access this site we think it is functional. I have a dnscrypt server running through PIA on my local network. My son's are probably provided by:
Domain: duradera.co
Registrar: IONOS SE
Registered On: 2022-05-16
Expires On: 2023-05-16
Updated On: 2022-05-21
Status: clientTransferProhibited
Name Servers:
ns1071.ui-dns.org
ns1069.ui-dns.com
ns1028.ui-dns.de
ns1081.ui-dns.biz

It's wherever you set your A and AAAA record values. "Stock Chrome" has nothing to do with it. These indicate the IP address a client should use for each of these comms protocols to your server. They should work if a client (Chrome or otherwise) wants, or needs, to use one or the other.

It's important to Let's Encrypt because the LE Servers will favor IPv6 if you have an AAAA record in your DNS (visual pic of your DNS here). As noted, http requests using your AAAA address do not reach your domain.

You can check your public IP addresses with various tools. One is:

curl -4 ifconfig.io
curl -6 ifconfig.io

You might not get a response for the -6 (IPv6) if it is not working.

6 Likes

I see name coverage overlaps and can understand why the first cert is inadequate.
The last cert seems to cover all the names and could be used as such.

Before deleting a cert, you should ensure that nothing is still using it.
After which, I would delete the first two certs.

5 Likes
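
The check recommended in the reply above (make sure nothing still uses a certificate before deleting it), as an added example that is not part of the original thread. The function names and the `CERTBOT` override variable are assumptions made for this example; it assumes the certificates are referenced only from Apache configuration under `/etc/apache2`.

```shell
#!/bin/sh
# Added example: only delete a certbot lineage once no Apache config uses it.

# cert_refs NAME [CONF_DIR]
# Print active (non-comment) config lines that mention
# /letsencrypt/live/NAME/ ; exit status 0 if any were found, 1 if none.
# The trailing "/" keeps "plgroves.stream" from matching "plgroves.stream-0001".
cert_refs() {
    # -R follows the sites-enabled symlinks; -F treats the dots literally.
    grep -RnF "/letsencrypt/live/$1/" "${2:-/etc/apache2}" 2>/dev/null |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# delete_if_unused NAME [CONF_DIR]
# Refuse while references remain, otherwise run "certbot delete".
# CERTBOT is a hypothetical override for this example (e.g. CERTBOT=echo
# to preview the command instead of running it).
delete_if_unused() {
    if refs=$(cert_refs "$1" "${2:-/etc/apache2}"); then
        printf 'not deleting %s, still referenced by:\n%s\n' "$1" "$refs" >&2
        return 1
    fi
    ${CERTBOT:-certbot} delete --cert-name "$1"
}

# Run directly, e.g.:  CERTBOT=echo sh check.sh duradera.co-0001
if [ "$#" -gt 0 ]; then
    delete_if_unused "$@"
fi
```

Deleting the `duradera.co-0001` lineage does not remove `duradera.co` and `www.duradera.co` from the `plgroves.stream` certificate, which lists them as well. Any other service that reads `/etc/letsencrypt/live` needs its own check.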

~ $ curl -6 ifconfig.io
2600:1700:e03:740f:48be:1b45:9c81:8a96

~ $ curl -4 ifconfig.io
99.124.226.90

Remember my son has moved to another web service. They probably haven't updated the nameservers yet. I want to remove the local copy of his site from my computer and not mess up my certificates any further than I have already. I have no access to the DNS records for duradera.co. plgroves.stream is just for me to check my bunny cam at home. I'm not worried about IPv6 for a virtualhost that is for my pleasure only. In the future I will follow your advice regarding AAAA records et al.
Thank you for pointing me to the correct resources. Google and Stack-whatever have their limits and impatience always has a price.

1 Like

Which name(s) do you want to keep?
Show us:
certbot certificates

5 Likes
