Deleting old domain/certificate skipping self-signed?

What is it that can happen if you skip the steps for making self-signed certificates and just do the "certbot delete --cert-name example.com"?

Or...to ask differently; if you use the built-in webserver, the command in the doc will fail since you don't have any apache/nginx or httpd in /etc. The command referenced in the doc is:

sudo bash -c 'grep -R live/example.com /etc/{nginx,httpd,apache2}'

Ref: User Guide — Certbot 1.19.0.dev0 documentation

So; on my system I instead did a:

grep -rnw '/etc' -e 'example.com'
find / -name "example.com"

And found it once in my "add-domain.sh" script (and removed it)

So...would it be safe now for me to do a simple

"certbot delete --cert-name example.com"

Or could there be other places I should look?

Usually, one knows which services are using a TLS certificate. Although the certbot docs don't really say it, I think you should see those commands as examples. It should make that more clear, I think. For example, the text includes "Postfix", but the grep command doesn't mention it at all. Not very consistent.

But I think your command looks quite thorough, so you should be good to go I believe.

1 Like

Thanks @Osiris - however, when I try to renew the certificates it gets annoyed that I'm trying to renew a domain which no longer has any DNS record, which I can understand since it's no longer active/registered. But when I try to delete the domain with the command discussed earlier, certbot says:

Are you sure you want to delete the above certificate(s)?


(Y)es/(N)o: y
No certificate found with name example.com (expected /etc/letsencrypt/renewal/example.com.conf).
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

....so...not sure how to proceed....

I guess I could reregister the domain.... :smiley: ..but not really what I want.

1 Like

It sounds like the certificate name is incorrect or not recognised by certbot for some reason.

Could you please show the output of the command:

certbot certificates

?

1 Like

That command shows MANY domains...including the one I am trying to delete.

(edited out the domains)

RENEW:

root@certbot:/etc/letsencrypt# ./cert_renew.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log


edited out


Renewing an existing certificate for domain and 55 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: domain
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for - check that a DNS record exists for this domain

Domain: domain
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate 0001 with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@certbot:/etc/letsencrypt#

CERTBOT CERTIFICATES

root@certbot:/etc/letsencrypt/renewal# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: 0001
Serial Number: 4b*****************************64
Key Type: RSA
Domains: many domains
Expiry Date: 2021-10-16 22:03:43+00:00 (VALID: 4 days)
Certificate Path: /etc/letsencrypt/live/0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/0001/privkey.pem


DELETE

root@certbot:/etc/letsencrypt# certbot delete --cert-name domain
Saving debug log to /var/log/letsencrypt/letsencrypt.log


The following certificate(s) are selected for deletion:

  • domain

Are you sure you want to delete the above certificate(s)?


(Y)es/(N)o: y
No certificate found with name domain (expected /etc/letsencrypt/renewal/domain.conf).
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@certbot:/etc/letsencrypt#

That's possible, yes. :slight_smile:

Did you use that exact name in your certbot delete command? Or wait a minute..

Do you want to remove just a hostname from a certificate or do you want to remove the entire certificate? Because the latter is easy, the former is not I'm afraid.

Certbot lacks an easy way to modify the contents of an existing certificate by removing or adding one or more hostnames.

Usually, one would try to issue the (almost) exact same certificate as there already is, but now without a certain hostname or with a certain hostname added. This is however of course very cumbersome, as one would need to remember the exact same commands used before.

However! If you tried to renew and everything went smoothly except for the hostname(s) you want removed, you could use the following command in combination with certbot renew:

--allow-subset-of-names

That option would "ignore" all hostnames not validating properly and would issue a certificate for all the other hostnames. But not the failed hostnames obviously. One would need to make absolutely sure only the hostnames you'd want to remove fail, otherwise the option would remove hostnames you don't want to have removed too.

1 Like

Sorry @Osiris - a bit of editing from me...it should all be there now.

I really don't care if the domain stays or goes....or if the certificate stays or goes .... :smiley:

What I do want is to renew ALL the other domains which are active and will "run out in a few days".

Unfortunately the above command doesn't work, as there is no such certificate in existence: --cert-name requires a, well... certificate name as a value and not a hostname.

Please see my expanded reply above with two solutions to this issue.

1 Like

Thanks again @Osiris !

I would think the --allow-subset-of-names is something I'd like to try, but is there a way for me to check if all the other domains are ok? If you scroll up, I edited in the renewal command (and the output); the script simply does:

root@certbot:/etc/letsencrypt# cat cert_renew.sh
#!/bin/sh
/usr/bin/certbot renew
root@certbot:/etc/letsencrypt#

1 Like

There are only two domains failing from your renew attempt:

Those two domain names would be removed from the certificate when using --allow-subset-of-names.

So all other hostnames have either succeeded or have a valid cached validation. So those should work if you try to renew now.

You can just run /usr/bin/certbot renew and add the --allow-subset-of-names option to the command line.

Note that you should not use that option in a script or automated in any way, as it would remove hostnames if the validation would fail for some reason. Only use the option manually after you've verified all other hostnames have validated successfully, like we have done now :slight_smile:

2 Likes
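As an added example (not from the thread and not part of Certbot), a small POSIX sh helper for the check Osiris describes in both --allow-subset-of-names replies: it reads the captured output of a failed certbot renew run, lists the hostnames that the option would drop, shows which ones would remain, and only gives the go-ahead when every failing hostname is one you intended to remove. The renew output and hostnames below are constructed samples.

```shell
#!/bin/sh
# Constructed sample of a failed `certbot renew` run (hostnames are made up).
RENEW_OUTPUT='Renewing an existing certificate for a.example.net and 3 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: old1.example.net
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for old1.example.net - check that a DNS record exists for this domain

  Domain: old2.example.net
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for old2.example.net - check that a DNS record exists for this domain

Failed to renew certificate 0001 with error: Some challenges have failed.'

# Constructed sample of the "Domains:" field of `certbot certificates` for cert 0001.
CERT_DOMAINS='a.example.net old1.example.net b.example.net old2.example.net'

# failed_domains RENEW_OUTPUT: hostnames the CA could not validate, one per line.
# These are exactly the names --allow-subset-of-names would drop.
failed_domains() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domain:[[:space:]]*//p' | sort -u
}

# remaining_domains RENEW_OUTPUT "dom1 dom2 ...": hostnames that would stay in the cert.
remaining_domains() {
    failed=$(failed_domains "$1")
    for d in $2; do
        printf '%s\n' "$failed" | grep -qxF "$d" || printf '%s\n' "$d"
    done
}

# ok_to_use_subset RENEW_OUTPUT "names you intend to drop": exit 0 only when no
# unexpected hostname failed, i.e. when the option would remove nothing you still need.
ok_to_use_subset() {
    for d in $(failed_domains "$1"); do
        case " $2 " in
            *" $d "*) ;;                                   # expected failure, fine
            *) echo "unexpected validation failure: $d" >&2; return 1 ;;
        esac
    done
    return 0
}

echo "would be dropped:"; failed_domains "$RENEW_OUTPUT"
echo "would remain:";     remaining_domains "$RENEW_OUTPUT" "$CERT_DOMAINS"
```

Run it against the real output of a manual `certbot renew` attempt; if ok_to_use_subset reports an unexpected failure, fix that hostname's DNS or port-80 reachability first instead of renewing with the option.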

Thanks again @Osiris !!

(edited out domainnames)

root@certbot:/etc/letsencrypt# certbot renew --allow-subset-of-names
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/0001.conf


Renewing an existing certificate for domain and 55 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: domain
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for domain - check that a DNS record exists for this domain

Domain: domain
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for domain - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Congratulations, all renewals succeeded:
/etc/letsencrypt/live/0001/fullchain.pem (success)


Thank you very much for your help!

2 Likes

Can I ask you to remove the domains
domain1_redacted
domain2_redacted
domain3_redacted
from your posts?

Thanks again for your excellent help! :slight_smile:

2 Likes

Should be gone now :slight_smile:

1 Like

Hello @h3ctic,

I've redacted the domains in your post.

@h3ctic and @Osiris I've also hidden the posts revisions so regular users can't view them.

Cheers,
sahsanu

2 Likes