My domain is worship.luo.ma and I am using certbot 1.10.0
In the directory /etc/letsencrypt/renewal I ran this command
ls -l worship.luo.ma*
and it gave me this output
-rw-r--r-- 1 root wheel 696 May 15 09:35 worship.luo.ma-0001.conf
-rw-r--r-- 1 root wheel 647 May 24 2020 worship.luo.ma.conf
This is worship.luo.ma-0001.conf:
# renew_before_expiry = 30 days
version = 1.10.0
archive_dir = /etc/letsencrypt/archive/worship.luo.ma-0001
cert = /etc/letsencrypt/live/worship.luo.ma-0001/cert.pem
privkey = /etc/letsencrypt/live/worship.luo.ma-0001/privkey.pem
chain = /etc/letsencrypt/live/worship.luo.ma-0001/chain.pem
fullchain = /etc/letsencrypt/live/worship.luo.ma-0001/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = f2832ae8a8a7757befecf1d75fec7bf6
authenticator = webroot
installer = apache
webroot_path = /Library/Server/Web/Data/Sites/worship.luo.ma,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
worship.luo.ma = /Library/Server/Web/Data/Sites/worship.luo.ma
This is worship.luo.ma.conf:
# renew_before_expiry = 30 days
version = 1.4.0
archive_dir = /etc/letsencrypt/archive/worship.luo.ma
cert = /etc/letsencrypt/live/worship.luo.ma/cert.pem
privkey = /etc/letsencrypt/live/worship.luo.ma/privkey.pem
chain = /etc/letsencrypt/live/worship.luo.ma/chain.pem
fullchain = /etc/letsencrypt/live/worship.luo.ma/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = f2832ae8a8a7757befecf1d75fec7bf6
authenticator = webroot
webroot_path = /Volumes/Media/Dropbox/Sites/worship.luo.ma,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
worship.luo.ma = /Volumes/Media/Dropbox/Sites/worship.luo.ma
The information in worship.luo.ma.conf is outdated and incorrect and worship.luo.ma-0001.conf is correct.
Can I just remove worship.luo.ma.conf and rename worship.luo.ma-0001.conf to worship.luo.ma.conf?
I also have two other files in that renewal folder
-rw-r--r-- 1 root wheel 687 May 24 2020 cumberland12.luo.ma.conf
-rw-r--r-- 1 root wheel 711 May 24 2020 dailylectionary.luo.ma.conf
that have been expired for a long time. Do I just remove them?
Thank you for your help. This stuff really confuses me and I really don't want to screw it up.
Update
When I try to do sudo certbot certificates, I get these 3 errors (I've added a blank line between each one for readability):
Renewal configuration file /etc/letsencrypt/renewal/cumberland12.luo.ma.conf produced an unexpected error: expected /etc/letsencrypt/live/cumberland12.luo.ma/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/dailylectionary.luo.ma.conf produced an unexpected error: expected /etc/letsencrypt/live/dailylectionary.luo.ma/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/worship.luo.ma.conf produced an unexpected error: expected /etc/letsencrypt/live/worship.luo.ma/cert.pem to be a symlink. Skipping.
A special request was made for me to help you out with this. You are right to be wary of making manual changes to anything under /etc/letsencrypt. I like to be thorough when fixing these things.
To get started cleaning this up, what are the complete outputs of:
sudo certbot certificates
sudo ls -lRa /etc/letsencrypt
sudo apachectl -S
Please put 3 backticks above and below each output, like this:
Thank you! I thought everything was running smoothly, but clearly I had missed some things.
Thank you. I appreciate the extra attention, and I like to be thorough as well. I also know enough to know when I don't know enough and am grateful when others are willing to take the time to help.
Honestly, TJ, I was expecting so much worse. It looks to me like you have a fairly solid grasp on what you're doing, @tjluoma, so I feel confident in giving you the "fix" in brief.
Important: Use sudo for all commands related to the following steps.
Move all of the directories in /etc/letsencrypt/not-live back into /etc/letsencrypt/live whence they came.
For any of the following certificates that you actually want to delete:
cumberland12.luo.ma
dailylectionary.luo.ma
worship.luo.ma
Run the following command:
sudo certbot delete --cert-name CERTNAME
where CERTNAME is the name of the certificate (i.e. the name of the configuration file without the .conf on the end).
I assume that you want to delete worship.luo.ma at the very least.
Given that you deleted the worship.luo.ma certificate, you will want to:
Rename worship.luo.ma-0001 to worship.luo.ma in the /etc/letsencrypt/archive and /etc/letsencrypt/live directories.
Update the symlinks in /etc/letsencrypt/live to remove -0001.
Rename worship.luo.ma-0001.conf to worship.luo.ma.conf in the /etc/letsencrypt/renewal directory.
Open /etc/letsencrypt/renewal/worship.luo.ma.conf with your favorite text editor and change all 5 mentions of worship.luo.ma-0001 to worship.luo.ma.
Look through your Apache configuration and change any mention of worship.luo.ma-0001 to worship.luo.ma. Make certain that any certificates you have deleted are not mentioned anywhere. Reload Apache with apachectl -k graceful after you've made your changes.
If you want to "disable" a certificate:
Create a /etc/letsencrypt/non-renewal directory.
Move the configuration files of the certificates you want to "disable" from /etc/letsencrypt/renewal to /etc/letsencrypt/non-renewal.
Make absolutely certain that you do not include any of the "disabled" domain names on a new certificate request.
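An added example, not code from the thread or from certbot itself, that scripts the rename described above (archive and live directories, the live symlinks, the renewal .conf and its paths) and then checks the result the way `certbot certificates` does: every live/*.pem must be a symlink whose target exists. The function names `rename_lineage`, `check_lineage` and `make_fixture` are my own, the config root is a parameter so the script can run against a constructed temporary tree, and it assumes the target name is free (the old lineage was already removed with `certbot delete`) and that the live links are relative, as certbot creates them.

```shell
# Added example (not from the thread or certbot): rename lineage OLD -> NEW under
# a config root, re-point the live/ symlinks, rewrite the renewal config, then
# verify the result. Assumes NEW is free and live/ links are relative.
set -eu
rename_lineage() {
  root=$1; old=$2; new=$3
  for p in "$root/archive/$new" "$root/live/$new" "$root/renewal/$new.conf"; do
    [ ! -e "$p" ] || { echo "refusing: $p already exists" >&2; return 1; }
  done
  mv "$root/archive/$old" "$root/archive/$new"
  mv "$root/live/$old" "$root/live/$new"
  mv "$root/renewal/$old.conf" "$root/renewal/$new.conf"
  # live/NEW/*.pem still point at ../../archive/OLD/<file>N.pem (the
  # "target ... does not exist" error); recreate each link under archive/NEW.
  for link in "$root/live/$new"/*.pem; do
    base=$(basename "$(readlink "$link")")
    rm "$link" && ln -s "../../archive/$new/$base" "$link"
  done
  # Rewrite every OLD path: archive_dir has no trailing slash, the four
  # cert/privkey/chain/fullchain entries do.
  conf="$root/renewal/$new.conf"
  sed -e "s#/$old/#/$new/#g" -e "s#/$old\$#/$new#" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}
check_lineage() {
  root=$1; name=$2; old=$3
  for f in cert chain fullchain privkey; do
    link="$root/live/$name/$f.pem"
    [ -L "$link" ] || { echo "$link: expected a symlink" >&2; return 1; }
    [ -e "$link" ] || { echo "$link: target $(readlink "$link") missing" >&2; return 1; }
  done
  # No stale reference to the old lineage may survive in the renewal config.
  ! grep -q "$old" "$root/renewal/$name.conf"
}
# Constructed fixture mirroring the thread's layout so the script runs offline.
make_fixture() {
  root=$1; name=$2
  mkdir -p "$root/archive/$name" "$root/live/$name" "$root/renewal"
  for f in cert chain fullchain privkey; do
    echo "fake $f" > "$root/archive/$name/${f}1.pem"
    ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
  done
  printf 'version = 1.10.0\narchive_dir = %s/archive/%s\ncert = %s/live/%s/cert.pem\nprivkey = %s/live/%s/privkey.pem\n[renewalparams]\nauthenticator = webroot\n' \
    "$root" "$name" "$root" "$name" "$root" "$name" > "$root/renewal/$name.conf"
}
demo=$(mktemp -d)
make_fixture "$demo" worship.luo.ma-0001
rename_lineage "$demo" worship.luo.ma-0001 worship.luo.ma
check_lineage "$demo" worship.luo.ma worship.luo.ma-0001 && echo "lineage worship.luo.ma OK"
rm -rf "$demo"
```

To do the real rename, call `rename_lineage /etc/letsencrypt worship.luo.ma-0001 worship.luo.ma` as root once `certbot delete` has removed the old worship.luo.ma lineage; `certbot certificates` should then list the lineage without a "Skipping" error.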
I think you posted your response about 6 hours after I sent the information that you asked for. That's pretty quick in my book, especially when you're helping me…for free!
Well, I'm glad not to have screwed things up too badly.
Your instructions were very clear, and I was able to follow them very easily.
/Library/Server/Web/Config/apache2/httpd_server_app.conf replaces /etc/apache2/httpd.conf on macOS and has no mention of worship.luo.ma or the other 2 domains in it.
fgrep -i worship /Library/Server/Web/Config/apache2/*.conf had no results
I also ran this: fgrep -i worship /Library/Server/Web/Config/apache2/sites/*.conf
They are all still valid, although the permissions and group ownership are slightly different. Not sure if that matters.
I re-ran sudo certbot certificates and saw this error:
Renewal configuration file /etc/letsencrypt/renewal/worship.luo.ma.conf produced an unexpected error: target /etc/letsencrypt/archive/worship.luo.ma-0001/cert1.pem of symlink /etc/letsencrypt/live/worship.luo.ma/cert.pem does not exist. Skipping.
Ah, so there's a link that's pointing to the old directory.
To fix that, I did this:
% cd /etc/letsencrypt/live/worship.luo.ma
% ls ../../archive/worship.luo.ma/cert*pem
../../archive/worship.luo.ma/cert1.pem
% sudo rm /etc/letsencrypt/live/worship.luo.ma/cert.pem
% sudo ln -s ../../archive/worship.luo.ma/cert1.pem cert.pem
Then I re-ran sudo certbot certificates and saw this error:
Renewal configuration file /etc/letsencrypt/renewal/worship.luo.ma.conf produced an unexpected error: target /etc/letsencrypt/archive/worship.luo.ma-0001/privkey1.pem of symlink /etc/letsencrypt/live/worship.luo.ma/privkey.pem does not exist. Skipping.
I should have seen that coming.
I checked all the files in that folder, and realized there were 3 other files / links that need to be updated: chain.pem, fullchain.pem, and privkey.pem.
Q1: I assume that I should renew worship.luo.ma now so that it will (almost) be lined up with the other domains, which are all due for renewal in 88 days? That way (I think) I should be able to renew all of them at the same time next time they are due.
Staggering your renewals can be advisable for debugging/load purposes, but given that you're not simultaneously renewing 10,000 certificates, you should be alright.