Different types of certificates mixed up

My domain is: "kenyoh.com"

I ran this command: "sudo certbot certificates"

It produced this output:

Found the following certs:
Certificate Name: kenyoh.com
Serial Number: 335e4859fcc9e4912be2be127bf5fe68267
Key Type: RSA
Domains: kenyoh.com paritsu.kenyoh.com
Expiry Date: 2023-10-05 06:58:46+00:00 (VALID: 23 days)
Certificate Path: /etc/letsencrypt/live/kenyoh.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/kenyoh.com/privkey.pem
Certificate Name: paritsu.kenyoh.com
Serial Number: 39a2fd9eb839afd8aefa3b08084e5477d98
Key Type: ECDSA
Domains: paritsu.kenyoh.com
Expiry Date: 2023-12-05 19:20:11+00:00 (VALID: 85 days)
Certificate Path: /etc/letsencrypt/live/paritsu.kenyoh.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/paritsu.kenyoh.com/privkey.pem

My web server is (include version): "Apache/2.4.57 (Debian)"

The operating system my web server runs on is (include version):
RPi running Debian:

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Hi

Cloud server running at "paritsu.kenyoh.com". Certbot is indicating two different certificates. I don't know how this happened. One of them has been renewed some days ago; the second one is not being renewed for an unknown reason. Can one of them be removed without fear of losing access to the site, and if yes, how?

Some guidance would be highly appreciated.

thx

1 Like

Do you need a certificate for kenyoh.com?

Because the second certificate only covers paritsu.kenyoh.com.

If you don't need a certificate for the "apex" domain, then you can delete the certificate expiring in 23 days. Or you can leave it alone, it's not renewing and should not be a problem. If you need a certificate for kenyoh.com, though, you should get one.

3 Likes

Your kenyoh.com domain no longer has an A record in the DNS. No one on the public internet can find you by that name. This is probably also the reason your cert with both names failed to renew.

Your Apache server is using that older cert with both names. So, do not delete that cert before deciding how to proceed.

If you don't need to use the kenyoh.com name anymore you could change Apache to use the newer cert. After Apache is switched you could then delete the older one.

But, you have a long history of using both names so it seems you should fix the problem with kenyoh.com. Is that what you want to do? If so, you need to put the A record back in the DNS and then try

sudo certbot renew --cert-name kenyoh.com --dry-run

If that works remove --dry-run to get a production cert. If that fails show us the error message.

3 Likes

thx @9peppe
thx @MikeMcQ

I appreciate.

I got the A record back in the DNS. I don't know how it disappeared.

Now getting:

Found the following certs:
  Certificate Name: kenyoh.com
    Serial Number: 32a92436820846190d01522a6c7e90ca3af
    Key Type: RSA
    Domains: kenyoh.com paritsu.kenyoh.com
    Expiry Date: 2023-12-10 15:53:23+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/kenyoh.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kenyoh.com/privkey.pem
  Certificate Name: paritsu.kenyoh.com
    Serial Number: 39a2fd9eb839afd8aefa3b08084e5477d98
    Key Type: ECDSA
    Domains: paritsu.kenyoh.com
    Expiry Date: 2023-12-05 19:20:11+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/paritsu.kenyoh.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/paritsu.kenyoh.com/privkey.pem

However, I don't know if I really need both. My cloud is running on "paritsu.kenyoh.com", but my registrar registered "kenyoh.com". I'm not sure if "kenyoh.com" is forwarded to "paritsu.kenyoh.com" by Apache.

But actually, because the "Type RSA" certificate is working for both domains, the "Type ECDSA" certificate could be deleted, right?

As I am an absolute noob with this stuff, I'm afraid of screwing things up to the point of being unusable, but I would nevertheless like to clean up this setup a little bit.

thx for guidance

1 Like

Don't delete it.

Ideally, you'd have both RSA and ECDSA with both names. Having just one is fine.

3 Likes

Yes, I think so but only you know for sure. Your Apache looks to only be using the RSA cert with both names. The ECDSA cert only has the one domain name so unless you are using it for some other service it is not active and could be deleted like:

sudo certbot delete --cert-name paritsu.kenyoh.com

Yes, your Apache is redirecting to paritsu:

curl -I  kenyoh.com
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.57 (Debian)
Location: https://kenyoh.com/

curl -I https://kenyoh.com
HTTP/2 301
location: https://paritsu.kenyoh.com/
server: Apache/2.4.57 (Debian)

3 Likes
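A way to check which certbot lineages the Apache configuration actually references before running `certbot delete`, as an added example that is not part of the thread. It assumes Debian's /etc/apache2/sites-enabled layout and uses a constructed config snippet and lineage list as sample input.

```shell
#!/bin/sh
# Added example: report which certbot lineages Apache's SSL directives point at.
# A lineage that no SSLCertificate*File directive references is a candidate for
# `certbot delete --cert-name <name>` (still check other services, e.g. mail).

# Constructed stand-in for `cat /etc/apache2/sites-enabled/*.conf`
SAMPLE_CONF='<VirtualHost *:443>
    ServerName paritsu.kenyoh.com
    SSLCertificateFile /etc/letsencrypt/live/kenyoh.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/kenyoh.com/privkey.pem
</VirtualHost>'

# Constructed stand-in for the "Certificate Name:" values of `certbot certificates`
SAMPLE_LINEAGES='kenyoh.com
paritsu.kenyoh.com'

# lineage_status CONFIG_TEXT LINEAGE_NAME -> prints IN-USE or UNREFERENCED.
# Only SSLCertificate(Key|Chain)File lines count, and the live/<name>/ path is
# matched as a fixed string so the dots in the name are literal.
lineage_status() {
    cfg="$1"; ln="$2"
    if printf '%s\n' "$cfg" \
        | grep -E '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' \
        | grep -Fq -- "/etc/letsencrypt/live/$ln/"; then
        echo IN-USE
    else
        echo UNREFERENCED
    fi
}

# unreferenced_lineages CONFIG_TEXT LINEAGE_LIST -> one unreferenced name per line.
unreferenced_lineages() {
    ucfg="$1"
    printf '%s\n' "$2" | while IFS= read -r uname; do
        [ -n "$uname" ] || continue
        if [ "$(lineage_status "$ucfg" "$uname")" = UNREFERENCED ]; then
            echo "$uname"
        fi
    done
}

# Real use on a Debian host:
#   unreferenced_lineages "$(cat /etc/apache2/sites-enabled/*.conf)" \
#     "$(sudo certbot certificates 2>/dev/null | sed -n 's/^ *Certificate Name: //p')"
for n in $SAMPLE_LINEAGES; do
    printf '%s: %s\n' "$n" "$(lineage_status "$SAMPLE_CONF" "$n")"
done
```

With the sample input the script reports kenyoh.com as IN-USE and paritsu.kenyoh.com as UNREFERENCED, which matches the thread's conclusion; run `apachectl -t` after any change and reload Apache before deleting anything.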

thx for advice @9peppe and @MikeMcQ

I finally removed the certificate named "paritsu.kenyoh.com".

Actually, all is working as expected.

2 Likes
