Deleting a certificate from domain on Ubuntu / Apache

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hanningtonlogs.co.uk

I ran this command: sudo certbot renew --dry-run

It produced this output: Failed to renew certificate hanningtonlogs.co.uk with error: Some challenges have failed.
The following simulated renewals succeeded: <...3 other domains...>

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: AWS (EC2 instance)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.31.0

I have several domains on a virtual host. I think the domains all have their own certificate but I am not quite sure about that as I believe domains can share a certificate. One of the domains has now expired.

I wanted to renew the certificates for the other domains but when I run sudo certbot renew --dry-run I get the following "Failed to renew certificate hanningtonlogs.co.uk with error: Some challenges have failed. The following simulated renewals succeeded: <3 domains>"

I have run a2dissite hanningtonlogs.co.uk which has removed the hanningtonlogs.co.uk.conf link from /etc/apache2/sites-enabled but it has not removed the hanningtonlogs.co.uk-le-ssl.conf link from that directory.

I do not know whether to just go ahead with the certbot renew command or to first delete the hanningtonlogs.co.uk-le-ssl.conf link first or perhaps afterwards.

Some help on what I should do next to renew the certificates on the other domains would be great.

Edit: I have just found the output from a previous occasion when I ran sudo certbot delete and that time I did continue and choose to delete hanningtonlogs.co.uk. That resulted in the following warning:

The following certificate(s) are selected for deletion:

WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See User Guide — Certbot 1.31.0 documentation for information on
deleting certificates safely.

Are you sure you want to delete the above certificate(s)?


(Y)es/(N)o:

I chose No at this stage.

What you probably want to do, since the expired domain is the name of the existing cert, is to create a new cert with just the other three domain names. Once that's created, and you're sure your Apache configuration is using the new cert, you can delete the old one with certbot delete --cert-name hanningtonlogs.co.uk.

6 Likes

@danb35 thanks. I have just added an edit to the end of the question but that might not alter your advice. Should I run sudo certbot --apache and then certbot delete --cert-name hanningtonlogs.co.uk?

1 Like

I think you can just use this option if you are certain the only domain name to fail is the one you've obsoleted

--allow-subset-of-names
When performing domain validation, do not consider it
a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be
useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this
system. This option cannot be used with --csr.
(default: False)

https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options

6 Likes

That's what I'd do, I think.

This would likely work, but then there's a cert with a name that doesn't reflect any domain on the cert. That seems likely to be confusing in the long term.

7 Likes

Please show:
ls -l /etc/apache2/sites-enabled/

6 Likes
ubuntu@ip-172-31-32-80:~$ ls -la /etc/apache2/sites-enabled/
total 16
drwxr-xr-x 2 root root 4096 Oct  5 22:39 .
drwxr-xr-x 8 root root 4096 Oct  6 03:34 ..
lrwxrwxrwx 1 root root   52 Jul 25 18:38 bgrgolf.com-le-ssl.conf -> /etc/apache2/sites-available/bgrgolf.com-le-ssl.conf
lrwxrwxrwx 1 root root   35 Jul 25 18:35 bgrgolf.com.conf -> ../sites-available/bgrgolf.com.conf
lrwxrwxrwx 1 root root   61 Jul 25 15:56 hanningtonlogs.co.uk-le-ssl.conf -> /etc/apache2/sites-available/hanningtonlogs.co.uk-le-ssl.conf
lrwxrwxrwx 1 root root   60 Aug 30 18:22 learntospell.org.uk-le-ssl.conf -> /etc/apache2/sites-available/learntospell.org.uk-le-ssl.conf
lrwxrwxrwx 1 root root   43 Aug 30 18:11 learntospell.org.uk.conf -> ../sites-available/learntospell.org.uk.conf
lrwxrwxrwx 1 root root   59 Aug 30 20:11 stevespages.org.uk-le-ssl.conf -> /etc/apache2/sites-available/stevespages.org.uk-le-ssl.conf
lrwxrwxrwx 1 root root   42 Aug 30 20:06 stevespages.org.uk.conf -> ../sites-available/stevespages.org.uk.conf
lrwxrwxrwx 1 root root   54 Jul 25 15:56 wcvpnamer.org-le-ssl.conf -> /etc/apache2/sites-available/wcvpnamer.org-le-ssl.conf
lrwxrwxrwx 1 root root   37 Jul 25 14:57 wcvpnamer.org.conf -> ../sites-available/wcvpnamer.org.conf
ubuntu@ip-172-31-32-80:~$

You need to run a2dissite hanningtonlogs.co.uk-le-ssl also. a2ensite and a2dissite operate on a single conf file not a general domain name.

6 Likes

I have now run a2dissite hanningtonlogs.co.uk-le-ssl and verified that the .conf file associated with that has now disappeared from /etc/apache2/sites-enabled/.

In the warning I got previously (see the edit in my question) from running certbot delete and choosing hanningtonlogs.co.uk, it sais:

... ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).

Do you think that running a2dissite on both hanningtonlogs.co.uk and hanningtonlogs.co.uk-le-ssl so that neither are now in the sites-enabled directory is what the warning means by enuring the certificate is not being used by ... server software?

The warning applies to anything/everything that is using that cert [certs are not just for websites].
But only you would know where you have used that cert.
If only within that (-le-ssl) config file, then you should be fine.
Note: There is no reason to disable an HTTP vhost to abide by this warning, as the warning only applies to where the cert is being used.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.