This is a generic question about removing a second cert.
History:
I created a cert with certbot, and let it expire purely by accident.
I then created a new cert. At that point, I then had xyz.com cert and xyz.com-0001 cert.
At some point I issued a renewal command, and apparently both certs got renewed with legitimate expiration dates.
I've gone through several renewals of both, but I don't need the duplicate, nor do I think it makes any sense to continue renewing it when it is nothing more than a duplicate of the first one.
1: Should I delete the xyz.com-0001 certificate?
2: How do I properly delete the xyz.com-0001 certificate and all its subdirectories/data/keys,...?
Well, normally a -0001 profile is not created unless it is materially different from the original. So, it would be helpful to understand what is different.
And @danb35 beat me to the part about delete. The essential thing is to identify each place your cert(s) are used and which of those files (the original or the -0001 name) each place references.
Please note that older versions of Certbot had poor detection of existing certificates and would lead to duplicate certificate names with -0001 and -0002 etc. way more often than more recent versions of Certbot.
If you're not running Certbot 2.11.0, please update.
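The check the replies above describe (find every file that still points at a lineage before removing it) as an added shell example; it is not code from the thread or from Certbot. It assumes Certbot's default /etc/letsencrypt layout, and the config tree, .env file and renewal .conf files it builds are constructed for illustration. The only Certbot command involved is `certbot delete --cert-name`, which is left as a comment because it needs the real installation.

```shell
#!/bin/sh
# Added example, not from the thread. Before running `certbot delete`
# on the duplicate xyz.com-0001 lineage, list every file that still
# points at it. Paths follow Certbot's default layout; the tree built by
# build_sample_tree is constructed for illustration.
set -u

# List the lineage names Certbot knows about: one <name>.conf per
# lineage in the renewal directory ($1, normally /etc/letsencrypt/renewal).
lineages() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        basename "$f" .conf
    done
}

# Print (sorted) every file under tree $1 that references the live/ or
# archive/ directory of lineage $2. The trailing slash in the pattern
# keeps "xyz.com" from matching "xyz.com-0001" and vice versa.
refs_to_lineage() {
    tree="$1"
    re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -rlE "/etc/letsencrypt/(live|archive)/${re}/" "$tree" 2>/dev/null | sort
}

# Constructed config tree: an actix-web .env that still uses the -0001
# copy, an unrelated file using the original, and two empty renewal confs.
build_sample_tree() {
    root="$1"
    mkdir -p "$root/srv/app" "$root/etc/letsencrypt/renewal"
    : > "$root/etc/letsencrypt/renewal/xyz.com.conf"
    : > "$root/etc/letsencrypt/renewal/xyz.com-0001.conf"
    cat > "$root/srv/app/.env" <<'EOF'
TLS_CERT=/etc/letsencrypt/live/xyz.com-0001/fullchain.pem
TLS_KEY=/etc/letsencrypt/live/xyz.com-0001/privkey.pem
EOF
    cat > "$root/srv/app/other.conf" <<'EOF'
ssl_certificate /etc/letsencrypt/live/xyz.com/fullchain.pem;
EOF
}

# Decide whether lineage $2 can go: prints "safe" when nothing under tree
# $1 references it, otherwise the referencing files followed by "blocked".
delete_check() {
    refs=$(refs_to_lineage "$1" "$2")
    if [ -z "$refs" ]; then
        echo "safe"
    else
        echo "$refs"
        echo "blocked"
    fi
}

demo() {
    root=$(mktemp -d)
    build_sample_tree "$root"
    echo "lineages: $(lineages "$root/etc/letsencrypt/renewal" | tr '\n' ' ')"
    delete_check "$root/srv" xyz.com-0001
    rm -rf "$root"
}

# Once delete_check prints "safe" (after repointing .env at live/xyz.com/
# and restarting the server), remove the lineage's live/, archive/ and
# renewal/ entries with Certbot itself rather than rm -rf:
#   sudo certbot delete --cert-name xyz.com-0001
demo
```

Run it against the real machine as `refs_to_lineage / xyz.com-0001` (a full-filesystem grep is slow but catches systemd units and application configs you forgot about); `certbot delete` refuses nothing, so the check has to happen before it.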
certbot --version -> 1.21.0 (I will update. I thought the system apt update/upgrade would have handled this, but I will manually upgrade certbot after posting this reply.)
certbot certificates: Key Type is the same for both, domains the same, expiry dates slightly different by about an hour, and of course the paths are slightly different. I have the cert info in a .env file, which is read by my Rust server (actix web) code. No reverse proxy involved, so this should be clean and the only thing referencing the certs. My plan is to update the .env file, delete the -0001 certs after I back up the entire tree, and reboot. Thanks for all the help and input.
Well, let me ask you both a bit more: I have confirmed that I have two installations: 1.21.0 via apt, and 2.11.0 via snap. If I simply run the command certbot --version, the return is "1.21.0", so I know the apt version is the binary being used. I'm ready to uninstall the apt version, and only use the snap 2.11.0, but I have a few additional concerns.

Let's assume I've already purged certbot from apt. So now my only install is the snap 2.11.0 version. Note that I have all the systemd services stopped/disabled (snap.certbot.renewal.timer, snap.certbot.renewal.service, certbot.timer) and I do not want to reignite them. Currently, if I want to renew, I manually run this command:

sudo certbot certonly --manual --preferred-challenges dns -d 'domain.com,*.domain.com' --cert-name domain.com --key-type ecdsa

That command figures out that I have an existing cert for domain.com with an existing ecdsa key, and it renews the cert for me, informing me of my next date with fear three months out. If I now want to do that via the snap 2.11.0 version, I have no idea what the command is to launch the snap certbot, but I'm thinking this will work:

sudo snap run certbot certonly --manual ...same command string as above

If I can get that to be my answer, you can bet I will cron job this and not have to deal with it any longer. I think this will work. I'd appreciate any additional thoughts you guys might care to share about it.
Well, once you've completed the steps on that site I linked it would just be
sudo certbot certonly ...
just as before
Well, a cronjob won't help with --manual regardless of apt or snap.
Typically a certbot renew is run by cron or systemd timer which views and renews any cert needing it (from the Certbot profiles in .../renewal/ folder)
But, since --manual requires your manual updates to your DNS it can't be automated.
Selecting a different DNS provider that supports an API is the best way forward for automation. Or, run your own acme-dns server like this:
I am making progress, thanks to the help from you guys on this board. Following the wildcard steps from the certbot builder page, I have made a few mods to my system: 1) created the recommended symlink to the snap executable, 2) formally installed the certbot-dns-linode plugin within snap, and 3) executed a certbot renew --dry-run command. One cert failed, and the other succeeded. That led me to the /etc/letsencrypt/renewal dir to inspect the .conf files. To my delight I discovered the failing cert to be using "pref_challs = dns-01" and with "authenticator = manual" flag. After modifying those to match the other, successfully-renewed cert, this one passed the dry-run as well. So, thank you all. I think I finally cleaned up the mess, and now have a smooth-running renewal. "Congratulations, all simulated renewals succeeded"
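The audit the last two posts describe, as an added shell example that is not code from the thread or from Certbot: read each renewal .conf, flag lineages still set to `authenticator = manual` (the ones `certbot renew` cannot finish unattended), and print the `certbot certonly` command that re-issues such a lineage with the dns-linode plugin so Certbot rewrites the .conf itself instead of you editing it by hand. The sample .conf contents, the account id, the credentials path and the propagation delay are constructed or assumed values; the flags `--cert-name`, `--authenticator dns-linode`, `--dns-linode-credentials` and `--dns-linode-propagation-seconds` are real Certbot/plugin options.

```shell
#!/bin/sh
# Added example, not from the thread. Audit renewal/*.conf for lineages
# issued with --manual and build the re-issue command that switches them
# to the dns-linode plugin. Sample confs below are constructed; the
# credentials path and propagation seconds are assumed values.
set -u

LINODE_CREDS=/etc/letsencrypt/linode.ini   # assumed location, mode 0600
PROPAGATION=120                            # assumed DNS propagation wait

# Print the value of key $2 from renewal conf $1 ([renewalparams] stores
# one "key = value" per line); prints nothing if the key is absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# List lineages under renewal dir $1 whose authenticator is "manual".
# These fail `certbot renew` (dry-run or real) without a human editing DNS.
manual_lineages() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        [ "$(conf_get "$f" authenticator)" = "manual" ] && basename "$f" .conf
    done
    return 0
}

# Command that re-issues lineage $1 for domains $2 (comma-separated) with
# dns-linode. --cert-name keeps the existing lineage and Certbot rewrites
# renewal/<name>.conf with authenticator = dns-linode, so later
# `certbot renew` runs (timer or cron) need no manual step.
reissue_cmd() {
    printf "certbot certonly --cert-name %s -d '%s' --authenticator dns-linode --dns-linode-credentials %s --dns-linode-propagation-seconds %s --key-type ecdsa\n" \
        "$1" "$2" "$LINODE_CREDS" "$PROPAGATION"
}

# Two constructed renewal confs: one still manual, one already on the plugin.
write_sample_confs() {
    cat > "$1/domain.com.conf" <<'EOF'
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/domain.com
cert = /etc/letsencrypt/live/domain.com/cert.pem
privkey = /etc/letsencrypt/live/domain.com/privkey.pem
fullchain = /etc/letsencrypt/live/domain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = manual
pref_challs = dns-01,
key_type = ecdsa
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$1/other.example.conf" <<'EOF'
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/other.example
cert = /etc/letsencrypt/live/other.example/cert.pem
privkey = /etc/letsencrypt/live/other.example/privkey.pem
fullchain = /etc/letsencrypt/live/other.example/fullchain.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = dns-linode
dns_linode_credentials = /etc/letsencrypt/linode.ini
dns_linode_propagation_seconds = 120
key_type = ecdsa
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_confs "$dir"
    for name in $(manual_lineages "$dir"); do
        echo "$name: authenticator=manual, pref_challs=$(conf_get "$dir/$name.conf" pref_challs)"
        echo "re-issue with: sudo $(reissue_cmd "$name" "$name,*.$name")"
    done
    rm -rf "$dir"
}
demo
```

Point `manual_lineages` at the real `/etc/letsencrypt/renewal` to get the list; after re-issuing, `certbot renew --dry-run` is the confirmation that nothing still needs a keyboard.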