Edit renewal parameters of certificate

I have installed SSL certificate for 2 domains:

1st domain

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/kotronis-plastics.gr
cert = /etc/letsencrypt/live/kotronis-plastics.gr/cert.pem
privkey = /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
chain = /etc/letsencrypt/live/kotronis-plastics.gr/chain.pem
fullchain = /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = account_Id...
[[webroot_map]]
www.kotronis-plastics.gr = /var/www/html/mysite
kotronis-plastics.gr = /var/www/html/mysite

2nd domain

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/scti.gr
cert = /etc/letsencrypt/live/scti.gr/cert.pem
privkey = /etc/letsencrypt/live/scti.gr/privkey.pem
chain = /etc/letsencrypt/live/scti.gr/chain.pem
fullchain = /etc/letsencrypt/live/scti.gr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = apache
account = account_Id...
pre_hook = apachectl -k stop
post_hook = apachectl -k start

and I want to edit the renewal parameters of the 2nd certificate and set the same [renewalparams] as the 1st one.

If I edit the file /etc/letsencrypt/renewal/scti.gr.conf directly, will I mess my system? If yes, which is the right way to do this?

Thank you!

My domain is: www.scti.gr

My web server is (include version): Apache

The operating system my web server runs on is (include version): ubuntu 16.04

I can login to a root shell on my machine: yes

You can absolutely change entries under [renewalparams] and it should work, as long as the changes make sense.

If you want to be totally safe, you can also just run the Certbot command for that domain that matches your intent, and Certbot will overwrite the renewal parameters for you.

e.g.

certbot -d scti.gr -d www.scti.gr -a webroot -i apache -w /var/www/xxx
1 Like

thanks for the quick reply! Just to be sure, If I just run only the command from root:

certbot -d scti.gr -d www.scti.gr -a webroot -i apache -w /var/www/html/scti-site

I will be ok?

Yes. It will probably ask you if you want to re-install the existing certificate, in which case, answer yes.

After you do that, the renewal parameters should be updated (I think).

Edit: actually, it seems like you have more domains on that certificate:

DNS Name: kotronis-plastics.gr
DNS Name: scti.gr
DNS Name: www.kotronis-plastics.gr
DNS Name: www.scti.gr

Make sure you include all the domains you need, not just the ones I mentioned.

Maybe check

certbot certificates

to make sure that you’re not issuing a pointless certificate.

The certificate of kotronis-plastics.gr is the 1st domain that I mention in my question. My problem is that the statements in the 2nd domain:

pre_hook = apachectl -k stop
post_hook = apachectl -k start

cause problems (see this post).

That’s why I want to edit the entries under [renewalparams]of the 2nd domain (scti.gr) in order to be the same as the 1st. So running only the command:

certbot -d scti.gr -d www.scti.gr -a webroot -i apache -w /var/www/html/scti-site

shouldn’t be enough?

It gives me pause because the certificate for kotronis-plastics.gr appears to cover scti.gr as well (all 4 names on one), which would make your second certificate redundant, and allow you to delete it.

For this reason I wanted you to check certbot certificates :slight_smile: .

ok! running the command: certbot certificates I get this output:

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: scti.gr
    Domains: www.kotronis-plastics.gr,kotronis-plastics.gr,scti.gr,www.scti.gr
    Expiry Date: 2018-08-25 11:49:13+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/scti.gr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/scti.gr/privkey.pem
  Certificate Name: kotronis-plastics.gr
    Domains: kotronis-plastics.gr,www.kotronis-plastics.gr
    Expiry Date: 2018-08-25 23:12:09+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
  Certificate Name: mycloud.kotronis-plastics.com
    Domains: mycloud.kotronis-plastics.com
    Expiry Date: 2018-09-09 23:12:11+00:00 (VALID: 76 days)
    Certificate Path: /etc/letsencrypt/live/mycloud.kotronis-plastics.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mycloud.kotronis-plastics.com/privkey.pem
-------------------------------------------------------------------------------

The mycloud.kotronis-plastics.com doesn’t exist and I should delete it…

Also, What I have done ? :slight_smile: It seems I have 2 certs for the same domain?

In the folder /etc/letsencrypt/renewal there are the files

  1. kotronis-plastics.gr.conf
  2. mycloud.kotronis-plastics.com.conf
  3. scti.gr.conf

So, which certs should I delete?

You have a bit of redundant certificate coverage, but you’re actually using two of the certificates, so you can’t delete them.

To fix your immediate problem, I would suggest doing what you originally intended, but with a slight adjustment:

certbot --apache -d scti.gr -d www.scti.gr

In the end you should have

  • Separate certificates for your two domains.
  • The scti.gr certificate should no longer cover kotronis-plastics.gr
  • You won’t have the pre/post hooks anymore, and you’ll be using the Certbot Apache authenticator which automatically deals with the webroot and rewriting stuff.

For your non-existent domain:

certbot delete --cert-name mycloud.kotronis-plastics.com

Well, I run the commands

certbot --apache -d scti.gr -d www.scti.gr
certbot delete --cert-name mycloud.kotronis-plastics.com

no error came up. But then running the command certbot certificates I get this output

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: scti.gr
    Domains: www.kotronis-plastics.gr,kotronis-plastics.gr,scti.gr,www.scti.gr
    Expiry Date: 2018-08-25 11:49:13+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/scti.gr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/scti.gr/privkey.pem
  Certificate Name: kotronis-plastics.gr
    Domains: kotronis-plastics.gr,www.kotronis-plastics.gr
    Expiry Date: 2018-08-25 23:12:09+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
  Certificate Name: scti.gr-0001
    Domains: scti.gr,www.scti.gr
    Expiry Date: 2018-09-23 11:52:04+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/scti.gr-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/scti.gr-0001/privkey.pem
-------------------------------------------------------------------------------

Not quite what I had anticipated, but it should be fine.

Verify that your web server is no longer using /etc/letsencrypt/live/scti.gr/ (it’s now using the -0001 version) and then delete the old certificate/renewal parameters:

certbot delete --cert-name scti.gr

and you’re good to go.

Verify that your web server is no longer using /etc/letsencrypt/live/scti.gr/

In the folder /etc/apache2/sites-available the configuration file scti.gr-le-ssl.conf contains:

SSLCertificateFile /etc/letsencrypt/live/scti.gr-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/scti.gr-0001/privkey.pem

I checked also that the kotronis-plastics.gr-le-ssl.conf contains:

SSLCertificateFile /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem

These are the settings, where I should check to verify that the domains are using the rights certificates?

Also just to be sure :slight_smile: if I run the command certbot delete --cert-name scti.gr The Certificate Name: scti.gr will be deleted and both my domains (scti.gr, kotronis-plastics.gr) will be working?

Thank you a lot for your assistance! :sunny:

Looks good to me. A final paranoid check should have no results:

sudo grep -Ri "/etc/letsencrypt/live/scti.gr/" /etc/apache2/sites-available/

and you’re safe to run the delete.

1 Like

No result came up from the grep.. command ! :smile:

_az Thanks a lot for your help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.