Detritus from old config


#1

No emergency on this. The right things work. This is cleanup of detritus that shouldn’t be there.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: a-view.org

I ran this command: ls -laR and certbot certificates

It produced this output: see below with comments

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 16.04 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

OK, guys. I installed the Ghost blogging platform using their ghost-cli in two different ways. First, I had only one blog at this hosted VM. Then, I reconfigured to have 2 different blogs on the same VM. Ghost doesn’t document this particularly well, but once you look carefully at what the CLI does to set up Ghost and nginx, it’s reasonably obvious. I had to clean up and start over on the blogs at /var/www and that all works (did it a while ago). Each time, of the 2 setups, I let Ghost’s script do the setup of letsencrypt.

I think I have a remnant of
1st pass: setup a-view.org as only Ghost blog with Letsencrypt and incorrectly create a blog with domain lnotes.a-view.org

2nd pass:
And I have a valid, working, up-to-date setup for a cert named a-view.org that represents 3 urls: a-view.org, www.a-view.org, lnotes.a-view.org. This works: Ghost is happy, nginx is happy, letsencrypt is happy.

Here is the cert for the result of the 2nd pass:

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: a-view.org
    Domains: a-view.org lnotes.a-view.org www.a-view.org
    Expiry Date: 2018-12-12 22:56:17+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/a-view.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/a-view.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Here is the messy part. Below is the recursive listing, ls -laR, for /etc/letsencrypt. To help filter the noise a little bit, the good stuff is at /etc/letsencrypt/live/a-view.org and /etc/letsencrypt/archive/a-view.org, and /etc/letsencrypt/renewal.

I believe that the domains at the top level of /letsencrypt that contain actual cert files (no live symlinked to archive) are bogus and contain certs that aren’t used at all: no nginx server block refers to them. These are /etc/letsencrypt/a-view.org and /etc/letsencrypt/lnotes.a-view.org. I believe I can delete these directories and the backup directory counterparts for each.

So, now–what the heck is all the other stuff? What do I need to keep? Is it in the right place? What can I remove?

Here is the directory listing:

ls -laR /etc/letsencrypt/
/etc/letsencrypt/:
total 252
drwxr-xr-x 14 root root   4096 Sep 14 15:14 .
drwxr-xr-x 97 root root   4096 Sep  2 01:11 ..
-rw-r--r--  1 root root    221 Sep 14 00:12 account.conf
drwx------  3 root root   4096 Sep  1 16:39 accounts
-rwxr-xr-x  1 root root 167870 Jun  1 05:17 acme.sh
-rw-r--r--  1 root root     82 Jun  1 05:17 acme.sh.env
drwx------  3 root root   4096 Sep  1 16:41 archive
drwxr-xr-x  3 root root   4096 Jun  1 05:17 a-view.org
drwxr-xr-x  3 root root   4096 Jun  1 05:17 ca
-rw-r--r--  1 root root    121 Jul 21 18:04 cli.ini
drwxr-xr-x  2 root root   4096 Sep 13 23:56 csr
drwxr-xr-x  2 root root   4096 Jun  1 05:17 deploy
drwxr-xr-x  2 root root   4096 Jun  1 05:17 dnsapi
-rw-r--r--  1 root root    481 Sep 14 00:12 http.header
drwx------  2 root root   4096 Sep 13 23:56 keys
drwx------  3 root root   4096 Sep  1 16:41 live
drwxr-xr-x  3 root root   4096 Aug 11 00:12 lnotes.a-view.org
-rw-r--r--  1 root root   1143 Sep  1 16:38 options-ssl-nginx.conf
drwxr-xr-x  2 root root   4096 Sep 13 23:56 renewal
drwxr-xr-x  5 root root   4096 Sep  1 16:27 renewal-hooks
-rw-r--r--  1 root root    424 Sep  1 16:38 ssl-dhparams.pem
-rw-r--r--  1 root root     64 Sep  1 16:38 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r--  1 root root     64 Sep  1 16:38 .updated-ssl-dhparams-pem-digest.txt

/etc/letsencrypt/accounts:
total 12
drwx------  3 root root 4096 Sep  1 16:39 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
drwx------  3 root root 4096 Sep  1 16:39 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Sep  1 16:39 .
drwx------ 3 root root 4096 Sep  1 16:39 ..
drwx------ 3 root root 4096 Sep  1 16:39 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Sep  1 16:39 .
drwx------ 3 root root 4096 Sep  1 16:39 ..
drwx------ 2 root root 4096 Sep  1 16:39 caa2787c9669139339ece18a72952cf9

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/caa2787c9669139339ece18a72952cf9:
total 20
drwx------ 2 root root 4096 Sep  1 16:39 .
drwx------ 3 root root 4096 Sep  1 16:39 ..
-rw-r--r-- 1 root root   71 Sep  1 16:39 meta.json
-r-------- 1 root root 1632 Sep  1 16:39 private_key.json
-rw-r--r-- 1 root root   78 Sep  1 16:39 regr.json

/etc/letsencrypt/archive:
total 12
drwx------  3 root root 4096 Sep  1 16:41 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
drwxr-xr-x  2 root root 4096 Sep 13 23:56 a-view.org

/etc/letsencrypt/archive/a-view.org:
total 40
drwxr-xr-x 2 root root 4096 Sep 13 23:56 .
drwx------ 3 root root 4096 Sep  1 16:41 ..
-rw-r--r-- 1 root root 2163 Sep  1 16:41 cert1.pem
-rw-r--r-- 1 root root 2187 Sep 13 23:56 cert2.pem
-rw-r--r-- 1 root root 1647 Sep  1 16:41 chain1.pem
-rw-r--r-- 1 root root 1647 Sep 13 23:56 chain2.pem
-rw-r--r-- 1 root root 3810 Sep  1 16:41 fullchain1.pem
-rw-r--r-- 1 root root 3834 Sep 13 23:56 fullchain2.pem
-rw-r--r-- 1 root root 1704 Sep  1 16:41 privkey1.pem
-rw-r--r-- 1 root root 1708 Sep 13 23:56 privkey2.pem

/etc/letsencrypt/a-view.org:
total 40
drwxr-xr-x  3 root root 4096 Jun  1 05:17 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
-rw-r--r--  1 root root 2139 Jun  1 05:17 a-view.org.cer
-rw-r--r--  1 root root  643 Sep 14 00:12 a-view.org.conf
-rw-r--r--  1 root root  964 Sep 14 00:12 a-view.org.csr
-rw-r--r--  1 root root  205 Sep 14 00:12 a-view.org.csr.conf
-rw-r--r--  1 root root 1679 Jun  1 05:17 a-view.org.key
drwxr-xr-x  2 root root 4096 Jun  1 05:17 backup
-rw-r--r--  1 root root 1647 Jun  1 05:17 ca.cer
-rw-r--r--  1 root root 3786 Jun  1 05:17 fullchain.cer

/etc/letsencrypt/a-view.org/backup:
total 8
drwxr-xr-x 2 root root 4096 Jun  1 05:17 .
drwxr-xr-x 3 root root 4096 Jun  1 05:17 ..

/etc/letsencrypt/ca:
total 12
drwxr-xr-x  3 root root 4096 Jun  1 05:17 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
drwxr-xr-x  2 root root 4096 Jun  1 05:17 acme-v01.api.letsencrypt.org

/etc/letsencrypt/ca/acme-v01.api.letsencrypt.org:
total 20
drwxr-xr-x 2 root root 4096 Jun  1 05:17 .
drwxr-xr-x 3 root root 4096 Jun  1 05:17 ..
-rw-r--r-- 1 root root  613 Jun  1 05:17 account.json
-rw------- 1 root root 1675 Jun  1 05:17 account.key
-rw-r--r-- 1 root root  128 Jun  1 05:17 ca.conf

/etc/letsencrypt/csr:
total 16
drwxr-xr-x  2 root root 4096 Sep 13 23:56 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
-rw-r--r--  1 root root  944 Sep  1 16:41 0000_csr-certbot.pem
-rw-r--r--  1 root root  964 Sep 13 23:56 0001_csr-certbot.pem

/etc/letsencrypt/deploy:
total 96
drwxr-xr-x  2 root root 4096 Jun  1 05:17 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
-rw-r--r--  1 root root  506 Jun  1 05:17 apache.sh
-rw-r--r--  1 root root 1805 Jun  1 05:17 cpanel_uapi.sh
-rw-r--r--  1 root root  478 Jun  1 05:17 dovecot.sh
-rw-r--r--  1 root root 3202 Jun  1 05:17 exim4.sh
-rw-r--r--  1 root root 3855 Jun  1 05:17 fritzbox.sh
-rw-r--r--  1 root root  509 Jun  1 05:17 haproxy.sh
-rw-r--r--  1 root root  663 Jun  1 05:17 keychain.sh
-rwxr-xr-x  1 root root 2874 Jun  1 05:17 kong.sh
-rwxr-xr-x  1 root root  586 Jun  1 05:17 myapi.sh
-rw-r--r--  1 root root  506 Jun  1 05:17 mysqld.sh
-rw-r--r--  1 root root  503 Jun  1 05:17 nginx.sh
-rw-r--r--  1 root root  512 Jun  1 05:17 opensshd.sh
-rw-r--r--  1 root root  512 Jun  1 05:17 pureftpd.sh
-rw-r--r--  1 root root 9182 Jun  1 05:17 README.md
-rw-r--r--  1 root root 8078 Jun  1 05:17 ssh.sh
-rw-r--r--  1 root root 1364 Jun  1 05:17 strongswan.sh
-rw-r--r--  1 root root 2898 Jun  1 05:17 unifi.sh
-rw-r--r--  1 root root 1622 Jun  1 05:17 vault_cli.sh
-rw-r--r--  1 root root 3160 Jun  1 05:17 vsftpd.sh

/etc/letsencrypt/dnsapi:
total 316
drwxr-xr-x  2 root root  4096 Jun  1 05:17 .
drwxr-xr-x 14 root root  4096 Sep 14 15:14 ..
-rwxr-xr-x  1 root root  3458 Jun  1 05:17 dns_ad.sh
-rwxr-xr-x  1 root root  5094 Jun  1 05:17 dns_ali.sh
-rw-r--r--  1 root root  5985 Jun  1 05:17 dns_autodns.sh
-rwxr-xr-x  1 root root 10944 Jun  1 05:17 dns_aws.sh
-rw-r--r--  1 root root 12145 Jun  1 05:17 dns_azure.sh
-rwxr-xr-x  1 root root  5403 Jun  1 05:17 dns_cf.sh
-rwxr-xr-x  1 root root  5116 Jun  1 05:17 dns_cloudns.sh
-rwxr-xr-x  1 root root  4021 Jun  1 05:17 dns_cx.sh
-rw-r--r--  1 root root  9960 Jun  1 05:17 dns_cyon.sh
-rwxr-xr-x  1 root root  5638 Jun  1 05:17 dns_da.sh
-rwxr-xr-x  1 root root  7491 Jun  1 05:17 dns_dgon.sh
-rw-r--r--  1 root root  4805 Jun  1 05:17 dns_dnsimple.sh
-rwxr-xr-x  1 root root  3656 Jun  1 05:17 dns_do.sh
-rwxr-xr-x  1 root root  3817 Jun  1 05:17 dns_dp.sh
-rw-r--r--  1 root root  2180 Jun  1 05:17 dns_dreamhost.sh
-rwxr-xr-x  1 root root  3618 Jun  1 05:17 dns_duckdns.sh
-rw-r--r--  1 root root  7984 Jun  1 05:17 dns_dyn.sh
-rw-r--r--  1 root root  5105 Jun  1 05:17 dns_dynu.sh
-rwxr-xr-x  1 root root 11589 Jun  1 05:17 dns_freedns.sh
-rwxr-xr-x  1 root root  2909 Jun  1 05:17 dns_gandi_livedns.sh
-rwxr-xr-x  1 root root  4157 Jun  1 05:17 dns_gd.sh
-rwxr-xr-x  1 root root  5671 Jun  1 05:17 dns_he.sh
-rw-r--r--  1 root root  3325 Jun  1 05:17 dns_infoblox.sh
-rwxr-xr-x  1 root root  6861 Jun  1 05:17 dns_inwx.sh
-rwxr-xr-x  1 root root  6600 Jun  1 05:17 dns_ispconfig.sh
-rw-r--r--  1 root root  3376 Jun  1 05:17 dns_kinghost.sh
-rw-r--r--  1 root root  1985 Jun  1 05:17 dns_knot.sh
-rwxr-xr-x  1 root root  2190 Jun  1 05:17 dns_lexicon.sh
-rwxr-xr-x  1 root root  4697 Jun  1 05:17 dns_linode.sh
-rwxr-xr-x  1 root root  3978 Jun  1 05:17 dns_lua.sh
-rw-r--r--  1 root root  3918 Jun  1 05:17 dns_me.sh
-rwxr-xr-x  1 root root   937 Jun  1 05:17 dns_myapi.sh
-rwxr-xr-x  1 root root  4277 Jun  1 05:17 dns_namecom.sh
-rwxr-xr-x  1 root root  3629 Jun  1 05:17 dns_namesilo.sh
-rw-r--r--  1 root root  3928 Jun  1 05:17 dns_nsone.sh
-rwxr-xr-x  1 root root  1477 Jun  1 05:17 dns_nsupdate.sh
-rwxr-xr-x  1 root root  7780 Jun  1 05:17 dns_ovh.sh
-rwxr-xr-x  1 root root  3831 Jun  1 05:17 dns_pdns.sh
-rw-r--r--  1 root root  3706 Jun  1 05:17 dns_selectel.sh
-rwxr-xr-x  1 root root  4470 Jun  1 05:17 dns_servercow.sh
-rw-r--r--  1 root root  5225 Jun  1 05:17 dns_unoeuro.sh
-rwxr-xr-x  1 root root  3716 Jun  1 05:17 dns_vscale.sh
-rwxr-xr-x  1 root root  3264 Jun  1 05:17 dns_yandex.sh
-rw-r--r--  1 root root  3160 Jun  1 05:17 dns_zilore.sh
-rw-r--r--  1 root root  2124 Jun  1 05:17 dns_zonomi.sh
-rw-r--r--  1 root root 23497 Jun  1 05:17 README.md

/etc/letsencrypt/keys:
total 16
drwx------  2 root root 4096 Sep 13 23:56 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
-rw-------  1 root root 1704 Sep  1 16:41 0000_key-certbot.pem
-rw-------  1 root root 1708 Sep 13 23:56 0001_key-certbot.pem

/etc/letsencrypt/live:
total 12
drwx------  3 root root 4096 Sep  1 16:41 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
drwxr-xr-x  2 root root 4096 Sep 13 23:56 a-view.org

/etc/letsencrypt/live/a-view.org:
total 12
drwxr-xr-x 2 root root 4096 Sep 13 23:56 .
drwx------ 3 root root 4096 Sep  1 16:41 ..
lrwxrwxrwx 1 root root   34 Sep 13 23:56 cert.pem -> ../../archive/a-view.org/cert2.pem
lrwxrwxrwx 1 root root   35 Sep 13 23:56 chain.pem -> ../../archive/a-view.org/chain2.pem
lrwxrwxrwx 1 root root   39 Sep 13 23:56 fullchain.pem -> ../../archive/a-view.org/fullchain2.pem
lrwxrwxrwx 1 root root   37 Sep 13 23:56 privkey.pem -> ../../archive/a-view.org/privkey2.pem
-rw-r--r-- 1 root root  682 Sep  1 16:41 README

/etc/letsencrypt/lnotes.a-view.org:
total 40
drwxr-xr-x  3 root root 4096 Aug 11 00:12 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
drwxr-xr-x  2 root root 4096 Jun 12 17:12 backup
-rw-r--r--  1 root root 1647 Aug 11 00:12 ca.cer
-rw-r--r--  1 root root 3806 Aug 11 00:12 fullchain.cer
-rw-r--r--  1 root root 2159 Aug 11 00:12 lnotes.a-view.org.cer
-rw-r--r--  1 root root  657 Aug 11 00:12 lnotes.a-view.org.conf
-rw-r--r--  1 root root  985 Aug 11 00:12 lnotes.a-view.org.csr
-rw-r--r--  1 root root  212 Aug 11 00:12 lnotes.a-view.org.csr.conf
-rw-r--r--  1 root root 1679 Jun 12 17:12 lnotes.a-view.org.key

/etc/letsencrypt/lnotes.a-view.org/backup:
total 8
drwxr-xr-x 2 root root 4096 Jun 12 17:12 .
drwxr-xr-x 3 root root 4096 Aug 11 00:12 ..

/etc/letsencrypt/renewal:
total 12
drwxr-xr-x  2 root root 4096 Sep 13 23:56 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
-rw-r--r--  1 root root  507 Sep 13 23:56 a-view.org.conf

/etc/letsencrypt/renewal-hooks:
total 20
drwxr-xr-x  5 root root 4096 Sep  1 16:27 .
drwxr-xr-x 14 root root 4096 Sep 14 15:14 ..
drwxr-xr-x  2 root root 4096 Sep  1 16:27 deploy
drwxr-xr-x  2 root root 4096 Sep  1 16:27 post
drwxr-xr-x  2 root root 4096 Sep  1 16:27 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 8
drwxr-xr-x 2 root root 4096 Sep  1 16:27 .
drwxr-xr-x 5 root root 4096 Sep  1 16:27 ..

/etc/letsencrypt/renewal-hooks/post:
total 8
drwxr-xr-x 2 root root 4096 Sep  1 16:27 .
drwxr-xr-x 5 root root 4096 Sep  1 16:27 ..

/etc/letsencrypt/renewal-hooks/pre:
total 8
drwxr-xr-x 2 root root 4096 Sep  1 16:27 .
drwxr-xr-x 5 root root 4096 Sep  1 16:27 ..

#2

It looks like you somehow installed acme.sh into /etc/letsencrypt, so you have its files and directories mixed together with certbot’s.

account.conf, acme.sh, acme.sh.env, http.header, ca, deploy and dnsapi all come from acme.sh, and the directories named after domains at the top level of /etc/letsencrypt/ probably do too.

accounts, archive, cli.ini, csr, keys, live, options-ssl-nginx.conf, renewal, renewal-hooks and ssl-dhparams.pem all belong to certbot.

I don’t know what the other files are, sorry.

Note that acme.sh might also have set up a cron job, depending on how you installed it. If you’re no longer using it you might want to check root’s crontab -e and clean that up too.
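
The file lists from the reply above, turned into a script that sorts the top level of a mixed directory by owner. This is an added example, not part of the original thread and not code from certbot or acme.sh; the function names are hypothetical, and the per-domain directory test is a heuristic assumed from the listing in post #1.

```shell
#!/bin/sh
# Added example: sort the top level of a mixed /etc/letsencrypt by owner,
# using the file lists given in reply #2. Function names are hypothetical.

# Print the owner of one entry: certbot, acme.sh, acme.sh-domain or unknown.
classify_entry() {
    dir=$1 name=$2
    case $name in
        accounts|archive|cli.ini|csr|keys|live|options-ssl-nginx.conf|renewal|renewal-hooks|ssl-dhparams.pem)
            echo certbot; return ;;
        account.conf|acme.sh|acme.sh.env|http.header|ca|deploy|dnsapi)
            echo acme.sh; return ;;
    esac
    # Heuristic (assumption drawn from the listing): a directory holding
    # <name>.key and <name>.conf is an acme.sh per-domain directory.
    if [ -d "$dir/$name" ] && [ -f "$dir/$name/$name.key" ] && [ -f "$dir/$name/$name.conf" ]; then
        echo acme.sh-domain
    else
        echo unknown
    fi
}

# List every entry (dotfiles included) as "owner<TAB>name".
audit_dir() {
    dir=$1
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        printf '%s\t%s\n' "$(classify_entry "$dir" "$name")" "$name"
    done
}

# Count config files under directory $2 that mention path $1
# (0 means no nginx config refers to it).
nginx_refs() {
    grep -rlF -- "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Run against a real tree only when a directory is given,
# e.g.: sh audit.sh /etc/letsencrypt
if [ -n "${1:-}" ]; then
    audit_dir "$1" | sort
fi
```

Entries reported as unknown are left for manual review, matching the "I don’t know what the other files are" caveat in the reply.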


#3

I don’t see a certificate nor a renewal file for:

so I think those files and folders are remnants of a previous cert.
If ‘nginx -t’ returns normal after moving them to a holding folder, I would just delete them.


#4

Perfect. This makes sense to me. I can verify the certbot files by comparing to another installation on a different server location.


#5

That domain is included in the certificate named a-view.org.


#6

Done.

I had to remap a file in /nginx/sites-available to the conf file for lnotes.a-view.org. This was a holdover of an earlier incorrect setup of Ghost to put 2 blogs at one URL.

All working.

Thanks again.

Closed.

