Domain with active certs does not appear in /etc/letsencrypt/live

My domains are:,,,, etc. (17 in total)
I ran this command: sudo certbot --apache
My web server is: apache 2.4.18
The operating system my web server runs on is: Ubuntu 16.04 LTS
My certbot version is: 0.14.2

The problem

The command sudo certbot --apache says:

Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter ‘c’ to cancel):

So I selected all 17 domains that are currently live on my site.

Certbot went ahead a created a single certificate for all 17 domains, so when you visit the certificate created for “”, it says: “Common name (CN): www.larsvik,no”

Clearly, I’ve made a mess. I did not understand that this would produce a single certificate for all 17 domains (belonging to 10 different clients).

How do I clean up? Can I just ignore this certificate for the domains it is not supposed to cover, and generate the 9 other certificates for the 9 other clients - or is there some standard procedure to follow in order to clean up this?

There are 17 names on the cert. (
The first being ""
Is there a /etc/letsencrypt/live/ ?
If not, what is in /etc/letsencrypt/live/ ?

No, there is no “/etc/letsencrypt/live/”.
However, there is " /etc/letsencrypt/live/" (and it covers “”).

I now understand I’ve made a mess. I’ve updated the question to better explain the situation (I hope).

I need help cleaning up. My first impulse is to delete this certificate and start again, but I am afraid that just deleting the files may create inconsistencies that may make things even worse.

My third impulse [second impulse redacted] is to keep it for the site it is relevant for, but go ahead and generate 9 new certificates for the other 9 sites involved (so “” and “” keeps the certificate with “” as CN, but I create another for “casamargarita .no” / “”, and so on until I have 10 certificates in total for the 10 actual sites).

However, I am new at this, and would therefore appreciate advice on how to proceed without breaking anything.

Provided you have 10 individual vhost files (which if the 10 sites all show individual content, you probably do).
There should be no issue with moving towards individualized certs - one for each of the domains within each of the vhost files.
For your sanity:
backup all the vhost files and renew just the domains in one vhost file.
If all goes as planned, continue to process the remaining domains one vhost file at a time.
If anything goes awry, simple restore that vhost config and restart the web service.
But keep the broken config and post the contents here and what failed.

1 Like

You can replace this large certificate with one that only covers (probably the best course of actual to avoid confusion about where the certificates are stored on disk) via

sudo certbot certonly --cert-name -d -d --force-renewal

This should obtain a new certificate that covers only and, and effectively replace the current certificate with that one.

You can then run sudo certbot --apache 9 more times for each domain name that you want to cover with new, separate certificates. (You can specify the domains to cover with -d rather than interactively, if you prefer. Don’t forget to cover the forms both with and without a leading www.)

This might be nicer than deleting the old one (which can in principle be done with sudo certbot delete --cert-name, because if you deleted the old one you’d also have to change your Apache configuration that now refers to it.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.