ERROR "too many certificates already issued for exact set of domains" but crt.sh doesn't show any


My domain is: ehda.co

I ran this command: /usr/local/sbin/certbot-auto --renew-by-default -d ehda.co

It produced this output:
first run:


The new certificate covers the following domains: https://ehda.co

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ehda.co
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ehda.co/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ehda.co/privkey.pem
   Your cert will expire on 2017-09-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

second run:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for ehda.co
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: ehda.co
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Apache/2.4.25 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: DO

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I am trying to renew expired certificate for ehda.co but the script failed with the error in title. I did a search at https://crt.sh/?q=%.ehda.co but it doesn’t show any certificates issued.

I had a problem on the last renewal because the cert was originally set up for www.ehda.co and ehda.co, whereas a couple of months ago www.ehda.co moved to another cert provider: "Cannot renew single certificate after originally using multiple certificates for subdomains etc". The solution described there is not working now: it did not issue any new certificate; the one that it generated was still expiring on 10 Sep (already expired). On the second run, the “too many cert.” error was produced.

Hi @ehda,

Right now you have issued the following certs:

2017/September/11 12:16:01 - Checking certs for ehda.co

I have found 8 non expired certificates for domain ehda.co and its subdomains *.ehda.co

CRT ID     DOMAIN (CN)  VALID FROM              VALID TO                EXPIRES IN  SANs
207940090  ehda.co      2017-Sep-11 01:31 CEST  2017-Dec-10 00:31 CET   89 days     ehda.co
203875532  ehda.co      2017-Sep-04 01:31 CEST  2017-Dec-03 00:31 CET   82 days     ehda.co
200284159  ehda.co      2017-Aug-28 01:31 CEST  2017-Nov-26 00:31 CET   75 days     ehda.co
195099920  ehda.co      2017-Aug-21 01:31 CEST  2017-Nov-19 00:31 CET   68 days     ehda.co
190658938  www.ehda.co  2017-Aug-15 03:32 CEST  2017-Nov-13 02:32 CET   62 days     www.ehda.co
189953048  ehda.co      2017-Aug-14 01:31 CEST  2017-Nov-12 00:31 CET   61 days     ehda.co
173392445  www.ehda.co  2017-Jul-16 03:24 CEST  2017-Oct-14 03:24 CEST  32 days     www.ehda.co
154671833  www.ehda.co  2017-Jun-15 13:39 CEST  2017-Sep-13 13:39 CEST  2 days      www.ehda.co

So, today you issued at least one valid cert for domain ehda.co. Right now, with this info, there is no reason to get the error “too many certificates already issued for exact set of domains”, but crt.sh is not updated immediately; it could take a few hours to show the currently issued certs for your domain.

By the way, using the --renew-by-default option is not a good idea if you already have valid certificates.

Edit: crt.sh has been updated and yes, you have issued 6 certs today:

2017/September/11 12:55:34 - Checking certs for ehda.co

I have found 13 non expired certificates for domain ehda.co and its subdomains *.ehda.co

CRT ID     DOMAIN (CN)  VALID FROM              VALID TO                EXPIRES IN  SANs
208168865  ehda.co      2017-Sep-11 10:48 CEST  2017-Dec-10 09:48 CET   89 days     ehda.co
208168602  ehda.co      2017-Sep-11 10:47 CEST  2017-Dec-10 09:47 CET   89 days     ehda.co
208167285  ehda.co      2017-Sep-11 10:43 CEST  2017-Dec-10 09:43 CET   89 days     ehda.co
208166369  ehda.co      2017-Sep-11 10:40 CEST  2017-Dec-10 09:40 CET   89 days     ehda.co
208165285  ehda.co      2017-Sep-11 10:37 CEST  2017-Dec-10 09:37 CET   89 days     ehda.co
207940090  ehda.co      2017-Sep-11 01:31 CEST  2017-Dec-10 00:31 CET   89 days     ehda.co
203875532  ehda.co      2017-Sep-04 01:31 CEST  2017-Dec-03 00:31 CET   82 days     ehda.co
200284159  ehda.co      2017-Aug-28 01:31 CEST  2017-Nov-26 00:31 CET   75 days     ehda.co
195099920  ehda.co      2017-Aug-21 01:31 CEST  2017-Nov-19 00:31 CET   68 days     ehda.co
190658938  www.ehda.co  2017-Aug-15 03:32 CEST  2017-Nov-13 02:32 CET   62 days     www.ehda.co
189953048  ehda.co      2017-Aug-14 01:31 CEST  2017-Nov-12 00:31 CET   61 days     ehda.co
173392445  www.ehda.co  2017-Jul-16 03:24 CEST  2017-Oct-14 03:24 CEST  32 days     www.ehda.co
154671833  www.ehda.co  2017-Jun-15 13:39 CEST  2017-Sep-13 13:39 CEST  2 days      www.ehda.co

Cheers,
sahsanu

Hi @sahsanu,
thanks for the response. How can I use one of the certificates that I generated? In /etc/letsencrypt/live/ehda.co the symlink was updated at 10:47 CEST today, so it must be an unexpired certificate. The location is linked correctly from the server config but the https address is still not working.

SSLCertificateFile /etc/letsencrypt/live/ehda.co/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ehda.co/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName ehda.co

Hi @ehda,

You need to restart/reload your web server.

Cheers,
sahsanu

I have before and now again, the problem persists.

Show the output of this command:

openssl x509 -in /etc/letsencrypt/live/ehda.co/cert.pem -noout -text

Cheers,
sahsanu

# openssl x509 -in /etc/letsencrypt/live/ehda.co/cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:8c:0f:24:91:bd:44:a2:ed:79:53:98:4a:01:04:a8:48:61
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Jun 12 05:54:00 2017 GMT
            Not After : Sep 10 05:54:00 2017 GMT
        Subject: CN = ehda.co
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                0A:EA:41:8D:2D:C9:70:F4:A2:38:6C:17:9F:E9:56:06:4D:BA:F8:97
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:ehda.co
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption

It was updated today during the cert generation, but with an expired certificate:

:/etc/letsencrypt/live/ehda.co# ll
total 12
drwxr-xr-x 2 root root 4096 Sep 11 11:47 ./
drwx------ 4 root root 4096 Jun 12 09:42 ../
lrwxrwxrwx 1 root root   36 Sep 11 11:47 cert.pem -> ../../archive/ehda.co-0001/cert2.pem
lrwxrwxrwx 1 root root   37 Sep 11 11:47 chain.pem -> ../../archive/ehda.co-0001/chain2.pem
lrwxrwxrwx 1 root root   41 Sep 11 11:47 fullchain.pem -> ../../archive/ehda.co-0001/fullchain2.pem
lrwxrwxrwx 1 root root   39 Sep 11 11:47 privkey.pem -> ../../archive/ehda.co-0001/privkey2.pem
-rw-r--r-- 1 root root  543 Jun  1 12:39 README

No, that certificate is not the right one, so it seems something messed up the /etc/letsencrypt structure.

Show the output of the following commands:

/usr/local/sbin/certbot-auto certificates

cat /etc/letsencrypt/renewal/ehda.co.conf

OK, I found the active certificate, it's in /etc/letsencrypt/archive/ehda.co. Can I manually update the live symlink to the new location?

# /usr/local/sbin/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/ehda.co-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/ehda.co-0001/cert.pem to be a symlink. Skipping.

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: ehda.co
    Domains: ehda.co
    Expiry Date: 2017-09-10 05:54:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/ehda.co/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ehda.co/privkey.pem

The following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/ehda.co-0001.conf
-------------------------------------------------------------------------------
# cat /etc/letsencrypt/renewal/ehda.co.conf
# renew_before_expiry = 30 days
version = 0.18.1
cert = /etc/letsencrypt/live/ehda.co/cert.pem
privkey = /etc/letsencrypt/live/ehda.co/privkey.pem
chain = /etc/letsencrypt/live/ehda.co/chain.pem
fullchain = /etc/letsencrypt/live/ehda.co/fullchain.pem
archive_dir = /etc/letsencrypt/archive/ehda.co

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = b09ca8473d6913fadf1866b0a57083dd

there are 2 subdirectories under renewal:

-rw-r--r-- 1 root root  496 Jun 12 08:53 ehda.co-0001.conf
-rw-r--r-- 1 root root  438 Sep 11 11:47 ehda.co.conf

Did you remove/rename dirs?

Show the output of these commands:

cat /etc/letsencrypt/renewal/ehda.co-0001.conf
ls -lRa /etc/letsencrypt/live
ls -lRa /etc/letsencrypt/archive

Not recently. I had a monthly cronjob for auto renewal, /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log, but found this morning the certificate was not updated while I didn't get an expiration notice. I did make a change during the last renewal issue though (see below).

# cat /etc/letsencrypt/renewal/ehda.co-0001.conf
# renew_before_expiry = 30 days
version = 0.15.0
archive_dir = /etc/letsencrypt/archive/ehda.co-0001
cert = /etc/letsencrypt/live/ehda.co-0001/cert.pem
privkey = /etc/letsencrypt/live/ehda.co-0001/privkey.pem
chain = /etc/letsencrypt/live/ehda.co-0001/chain.pem
fullchain = /etc/letsencrypt/live/ehda.co-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
account = b09ca8473d6913fadf1866b0a57083dd
manual_public_ip_logging_ok = True

ls -lRa /etc/letsencrypt/live (there's the change)

# ls -lRa /etc/letsencrypt/live
/etc/letsencrypt/live:
total 16
drwx------ 4 root root 4096 Jun 12 09:42 .
drwxr-xr-x 8 root root 4096 Sep 11 14:11 ..
drwxr-xr-x 2 root root 4096 Sep 11 11:47 ehda.co
drwxr-xr-x 2 root root 4096 Mar 20 02:30 ehda.co-old

/etc/letsencrypt/live/ehda.co:
total 12
drwxr-xr-x 2 root root 4096 Sep 11 11:47 .
drwx------ 4 root root 4096 Jun 12 09:42 ..
lrwxrwxrwx 1 root root   36 Sep 11 11:47 cert.pem -> ../../archive/ehda.co-0001/cert2.pem
lrwxrwxrwx 1 root root   37 Sep 11 11:47 chain.pem -> ../../archive/ehda.co-0001/chain2.pem
lrwxrwxrwx 1 root root   41 Sep 11 11:47 fullchain.pem -> ../../archive/ehda.co-0001/fullchain2.pem
lrwxrwxrwx 1 root root   39 Sep 11 11:47 privkey.pem -> ../../archive/ehda.co-0001/privkey2.pem
-rw-r--r-- 1 root root  543 Jun  1 12:39 README

/etc/letsencrypt/live/ehda.co-old:
total 8
drwxr-xr-x 2 root root 4096 Mar 20 02:30 .
drwx------ 4 root root 4096 Jun 12 09:42 ..
lrwxrwxrwx 1 root root   31 Mar 20 02:30 cert.pem -> ../../archive/ehda.co/cert5.pem
lrwxrwxrwx 1 root root   32 Mar 20 02:30 chain.pem -> ../../archive/ehda.co/chain5.pem
lrwxrwxrwx 1 root root   36 Mar 20 02:30 fullchain.pem -> ../../archive/ehda.co/fullchain5.pem
lrwxrwxrwx 1 root root   34 Mar 20 02:30 privkey.pem -> ../../archive/ehda.co/privkey5.pem
root@d:/etc/letsencrypt/renewal#

archive:

# ls -lRa /etc/letsencrypt/archive
/etc/letsencrypt/archive:
total 16
drwx------ 4 root root 4096 Jun  1 12:39 .
drwxr-xr-x 8 root root 4096 Sep 11 14:11 ..
drwxr-xr-x 2 root root 4096 Mar 20 02:30 ehda.co
drwxr-xr-x 2 root root 4096 Jun 12 08:53 ehda.co-0001

/etc/letsencrypt/archive/ehda.co:
total 88
drwxr-xr-x 2 root root 4096 Mar 20 02:30 .
drwx------ 4 root root 4096 Jun  1 12:39 ..
-rw-r--r-- 1 root root 1793 Jun  5  2016 cert1.pem
-rw-r--r-- 1 root root 1793 Sep  2  2016 cert2.pem
-rw-r--r-- 1 root root 1773 Sep 11 11:47 cert3.pem
-rw-r--r-- 1 root root 1793 Jan 16  2017 cert4.pem
-rw-r--r-- 1 root root 1793 Mar 20 02:30 cert5.pem
-rw-r--r-- 1 root root 1647 Jun  5  2016 chain1.pem
-rw-r--r-- 1 root root 1647 Sep  2  2016 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 11 11:47 chain3.pem
-rw-r--r-- 1 root root 1647 Jan 16  2017 chain4.pem
-rw-r--r-- 1 root root 1647 Mar 20 02:30 chain5.pem
-rw-r--r-- 1 root root 3440 Jun  5  2016 fullchain1.pem
-rw-r--r-- 1 root root 3440 Sep  2  2016 fullchain2.pem
-rw-r--r-- 1 root root 3420 Sep 11 11:47 fullchain3.pem
-rw-r--r-- 1 root root 3440 Jan 16  2017 fullchain4.pem
-rw-r--r-- 1 root root 3440 Mar 20 02:30 fullchain5.pem
-rw-r--r-- 1 root root 1704 Jun  5  2016 privkey1.pem
-rw-r--r-- 1 root root 1704 Sep  2  2016 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 11 11:47 privkey3.pem
-rw-r--r-- 1 root root 1704 Jan 16  2017 privkey4.pem
-rw-r--r-- 1 root root 1704 Mar 20 02:30 privkey5.pem

/etc/letsencrypt/archive/ehda.co-0001:
total 40
drwxr-xr-x 2 root root 4096 Jun 12 08:53 .
drwx------ 4 root root 4096 Jun  1 12:39 ..
-rw-r--r-- 1 root root 1773 Jun  1 12:39 cert1.pem
-rw-r--r-- 1 root root 1773 Jun 12 08:53 cert2.pem
-rw-r--r-- 1 root root 1647 Jun  1 12:39 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 12 08:53 chain2.pem
-rw-r--r-- 1 root root 3420 Jun  1 12:39 fullchain1.pem
-rw-r--r-- 1 root root 3420 Jun 12 08:53 fullchain2.pem
-rw-r--r-- 1 root root 1708 Jun  1 12:39 privkey1.pem
-rw-r--r-- 1 root root 1704 Jun 12 08:53 privkey2.pem
root@d:/etc/letsencrypt/renewal#

I’m sorry, I need to leave now but in a couple of hours I’ll get back to you to resolve this issue, it is a mess :wink:

@sahsanu thank you very much!

I’m back, just one last thing to check that this is a valid cert:

openssl x509 -in /etc/letsencrypt/archive/ehda.co/cert3.pem -noout -text

yep that's the new one.

# openssl x509 -in /etc/letsencrypt/archive/ehda.co/cert3.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:5e:61:82:e5:19:c5:91:d6:f4:6f:3e:33:fa:c7:42:2c:0e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Sep 11 08:48:00 2017 GMT
            Not After : Dec 10 08:48:00 2017 GMT
        Subject: CN = ehda.co
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                3F:6A:FE:AD:4C:52:97:D1:DC:8B:59:9A:F6:4C:A4:D6:BE:2A:55:40
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:ehda.co
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption

@sahsanu I’ve manually updated the symlinks, the SSL now works. No idea how to prevent this mess though.

/etc/letsencrypt/live/ehda.co# ll
total 12
drwxr-xr-x 2 root root 4096 Sep 11 16:15 ./
drwx------ 5 root root 4096 Sep 11 16:16 ../
lrwxrwxrwx 1 root root   31 Sep 11 16:14 cert.pem -> ../../archive/ehda.co/cert3.pem
lrwxrwxrwx 1 root root   32 Sep 11 16:14 chain.pem -> ../../archive/ehda.co/chain3.pem
lrwxrwxrwx 1 root root   36 Sep 11 16:15 fullchain.pem -> ../../archive/ehda.co/fullchain3.pem
lrwxrwxrwx 1 root root   34 Sep 11 16:15 privkey.pem -> ../../archive/ehda.co/privkey3.pem
-rw-r--r-- 1 root root  543 Sep 11 16:12 README

I was answering but you already performed the right change :wink:, ok, so now you should only clean up your house:

Before performing any change, backup your /etc/letsencrypt/ dir as root:

cd
tar zcvf letsencrypt-backup-2017-Sep-11.tar.gz /etc/letsencrypt/

Now remove unused dirs and files:

rm -rf /etc/letsencrypt/live/ehda.co-old/
rm -rf /etc/letsencrypt/archive/ehda.co-0001/
rm -f /etc/letsencrypt/archive/ehda.co/*4.pem
rm -f /etc/letsencrypt/archive/ehda.co/*5.pem
rm -f /etc/letsencrypt/renewal/ehda.co-0001.conf

And that should be enough.

Cheers,
sahsanu
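
The mismatch diagnosed in this thread (the live/ehda.co links resolving into archive/ehda.co-0001 while renewal/ehda.co.conf names archive/ehda.co, and ehda.co-0001.conf naming links that no longer exist) can be checked mechanically. The script below is an added example, not part of any post above and not certbot's own code; the function names and the sample tree of empty placeholder files are constructed for illustration.

```shell
#!/bin/sh
# Audit certbot lineages: each live/ symlink named in a renewal config must
# resolve into that config's archive_dir, and all four must share one version.

# conf_value KEY FILE: value of the first "KEY = value" line in FILE
conf_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# audit_lineage CONF: print findings for one lineage, return 1 if any
audit_lineage() {
    conf=$1
    name=$(basename "$conf" .conf)
    archive=$(readlink -f "$(conf_value archive_dir "$conf")" 2>/dev/null)
    bad=0
    versions=""
    for key in cert privkey chain fullchain; do
        link=$(conf_value "$key" "$conf")
        if [ ! -L "$link" ]; then
            echo "$name: $link is not a symlink"
            bad=1
            continue
        fi
        target=$(readlink -f "$link")
        if [ "$(dirname "$target")" != "$archive" ]; then
            echo "$name: $key.pem -> $target is outside archive_dir"
            bad=1
        fi
        # Keep only the version number, e.g. cert3.pem gives 3
        versions="$versions $(basename "$target" .pem | tr -d 'a-z')"
    done
    if [ "$(printf '%s\n' $versions | sort -u | wc -l)" -gt 1 ]; then
        echo "$name: links point at mixed versions:$versions"
        bad=1
    fi
    return "$bad"
}

# audit_all ROOT: audit every ROOT/renewal/*.conf, return the number that failed
audit_all() {
    failed=0
    for c in "$1"/renewal/*.conf; do
        [ -e "$c" ] || continue
        audit_lineage "$c" || failed=$((failed + 1))
    done
    return "$failed"
}

# build_sample ROOT: constructed copy of the layout shown in the thread
# (empty placeholder files only, no real certificates or keys)
build_sample() {
    root=$1
    mkdir -p "$root/renewal" "$root/live/ehda.co" \
        "$root/archive/ehda.co" "$root/archive/ehda.co-0001"
    for key in cert privkey chain fullchain; do
        : > "$root/archive/ehda.co/${key}3.pem"
        : > "$root/archive/ehda.co-0001/${key}2.pem"
        ln -sf "../../archive/ehda.co-0001/${key}2.pem" "$root/live/ehda.co/$key.pem"
        echo "$key = $root/live/ehda.co/$key.pem" >> "$root/renewal/ehda.co.conf"
        echo "$key = $root/live/ehda.co-0001/$key.pem" >> "$root/renewal/ehda.co-0001.conf"
    done
    echo "archive_dir = $root/archive/ehda.co" >> "$root/renewal/ehda.co.conf"
    echo "archive_dir = $root/archive/ehda.co-0001" >> "$root/renewal/ehda.co-0001.conf"
}

# Demo on the constructed tree; on a real host call: audit_all /etc/letsencrypt
demo_root=$(mktemp -d)
build_sample "$demo_root"
audit_all "$demo_root" || echo "lineages with problems: $?"
rm -rf "$demo_root"
```
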

Thanks so much for the help :slight_smile:
