Domain dirs have -0001 suffix and don't renew

My domain is:
(Changed by my host without warning from a similar domain with a different suffix)

I ran this command: certbot certonly -d

It produced this output: - Congratulations! Your certificate and chain have been saved at:
(I opted for the standalone option as this will not be used as a webroot)

My web server is (include version): apache

The operating system my web server runs on is (include version): Debian

My hosting provider, if applicable, is: Linux 4.19.0

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Now at last, the problem!

I created the domain config based on an old domain with a similar prefix. I changed every ref to the old domain name to the new one.

When I ran certbot certonly it created the dir under live with the suffix -0001. None of my other domains have this suffix.

This is preventing renewal with the error
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/", line 67, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3/dist-packages/certbot/", line 463, in init
File "/usr/lib/python3/dist-packages/certbot/", line 522, in _check_symlinks
"expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ is broken. Skipping.

I don't know if I created files rather than symlinks by copying something over, but I don't think I did.

I've tried moving away everything relating to the old and new grepnik* domains and rerunning cerbot certonly as listed above. But I still get the domain dirs created with the suffix -0001.

I'm very unfamiliar with how letsencrypt works and if you want to point me to simple instructions I'm happy to try again and report back.

AHA. I copied the conf file from the old domain and used the old account value and Apache as authenticator!

I think I just need advice on how to remove everything to do with the old grepnik domain and the new misconfigured grepnik domain, and start again. As I say, a clear instruction page may be enough for the cert creation/installation side.

Start by understanding why/when such -0001 suffixes are created.
That means certbot is trying to create a cert with the same name as an existing cert; But this new cert does not cover the exact same set of names, so it won't be used as a replacement for it. Thus, it will need two certs, which can't both have the exact same name.

To better visualize what I've said, let's look at the output of:
certbot certificates

1 Like

Also note that Certbot 0.31.0 is quite old, ancient maybe even. And that the behaviour and detection of expandable certificates was improved very much somewhere in the development of Certbot, maybe after 0.31.0.


Thanks both.

What I did. (well, short version after much blundering and false starts)
certbot delete --cert-name

rm /etc/letsencrypt/renewal/

edited /etc/apache2/sites-available/000-default-le-ssl.conf and removed the lines:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Ran certbot -d

This has created the new domain cert without the -0001 suffix.

The web page seems to be secure and verified. I'll post again if there are problems with using the cert for e-mail (the only thing I use it for).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.