I ran this command: certbot certificates
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: mail.mainDomain.com
Domains: mail.mainDomain.com mail.newDomain.com mail.secondDomain.com mail.thirdDomain.com mail.fourthDomain.co.uk mail.fifthDomain.com mail.sixthDomain.co.uk webmail.mainDomain.com webmail.newDomain.com webmail.secondDomain.com webmail.thirdDomain.com webmail.fourthDomain.co.uk webmail.fifthDomain.com webmail.sixthDomain.co.uk
Expiry Date: 2018-12-03 06:26:25+00:00 (VALID: 82 days)
Certificate Path: /etc/letsencrypt/live/mail.mainDomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.mainDomain.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
My web server is (include version): nginx/1.14.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS
My hosting provider, if applicable, is: DO
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
I received a mail last week, from expiry@letsencrypt.org stating that the certificates for a number of my domains will expire in 20 days (on 26 Sep 18).
The mail lists my various domains and also recommends renewing certificates automatically when they have a third of their total lifetime left.
These certificates are on my iRedMail mail server upon which I had to pay the creator of iRedMail for his support in applying additional domains for their mail service on the mail server. Unfortunately, he wasn’t very helpful when I asked for specific instructions to enable me to add further domains in the future (providing just a few very scant bullet points) and consequently I’m now left picking up the pieces trying to figure out what to do.
Looking at bash’s history file, I can see the following commands were issued:
apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
Looking at https://certbot.eff.org/lets-encrypt/ubuntuartful-nginx and using its dropdowns to provide the specific install instructions for Ubuntu it provides:
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
It therefore seems as though the correct install command (apt-get install python-certbot-nginx) for my (Ubuntu Nginx) server was not used.
Q1 What’s the impact of using ‘apt-get install certbot’ versus ‘apt-get install python-certbot-nginx’?
Q2 Is it safe to reinstall using the correct command: ‘apt-get install python-certbot-nginx’?
This is a live mail server, which I need to ensure it keeps running, so would doing another install overwrite the previous install/config?
I then saw that the following command was used:
certbot certonly --webroot -w /var/www/html -d
Q3 Is there any point in doing the above command? Especially if followed shortly after with:
certbot certonly --webroot -w /var/www/html -d mainDomain.com -d mail.mainDomain.com -d webmail.mainDomain.com -w /var/www/vhosts/thirdDomain.com -d thirdDomain.com -d mail.thirdDomain.com -d webmail.thirdDomain.com -w /var/www/vhosts/oldDomain.com -d oldDomain.com -d mail.oldDomain.com -d webmail.oldDomain.com -w /var/www/vhosts/olderDomain.com -d olderDomain.com -d mail.olderDomain.com -d webmail.olderDomain.com
Shortly followed with:
get_cert.sh
which contained:
certbot certonly --webroot \
-w /var/www/vhosts/webmail.mainDomain.com \
-d mail.mainDomain.com \
-d webmail.mainDomain.com \
-w /var/www/vhosts/webmail.thirdDomain.com \
-d mail.thirdDomain.com \
-d webmail.thirdDomain.com \
-w /var/www/vhosts/webmail.oldDomain.com \
-d mail.oldDomain.com \
-d webmail.oldDomain.com \
-w /var/www/vhosts/webmail.olderDomain.com \
-d mail.olderDomain.com \
-d webmail.olderDomain.com \
-w /var/www/vhosts/webmail.fifthDomain.com \
-d mail.fifthDomain.com \
-d webmail.fifthDomain.com
I can see a script in /etc/cron.weekly that calls get_cert.sh, but it seems from the upcoming expiry date that the certificates are (at 20 days to expire) well under the recommended 30-day auto-renew timescale.
I then tried to remove some of the domains and at the same time some other domains, using this command (based on his earlier command):
certbot certonly --webroot -w /var/www/html -d mail.mainDomain.com -d webmail.mainDomain.com -w /var/www/vhosts/webmail.newDomain.com -d mail.newDomain.com -d webmail.newDomain.com -w /var/www/vhosts/webmail.secondDomain.com -d mail.secondDomain.com -d webmail.secondDomain.com -w /var/www/vhosts/webmail.thirdDomain.com -d mail.thirdDomain.com -d webmail.thirdDomain.com -w /var/www/vhosts/webmail.fourthDomain.co.uk -d mail.fourthDomain.co.uk -d webmail.fourthDomain.co.uk -w /var/www/vhosts/webmail.fifthDomain.com -d mail.fifthDomain.com -d webmail.fifthDomain.com -w /var/www/vhosts/webmail.sixthDomain.co.uk -d mail.sixthDomain.co.uk -d webmail.sixthDomain.co.uk
*note: oldDomain.com and olderDomain.com have been removed and newDomain.com, fourthDomain.co.uk and sixthDomain.co.uk have been added…
Q5 Is that the right approach / syntax?
So, my situation is now that I have all domains (including my recent additional domains) on the mail server working for their https://mail..com and https://webmail..com services.
However, the above mentioned expiry@letsencrypt.org mail still has some of the old domains included which I thought I’d removed.
Q6 How can I definitively find out what certificates are included within my Let’s Encrypt subscriber account?
I’ve read from the letsencrypt.org site that: “The contact email provided when creating accounts (aka registrations) should go to the Subscriber.”
When I use the ‘certbot certificates’ command on my server it correctly displays the current domains, as specified at the top of this post.
So I don’t understand why the email contained the old domains?
I’m guessing that my Let’s Encrypt subscriber account might well have (duplicate?) certificates that aren’t being used. If so, I’d like to clean that up so I only have valid certs for my domains.
Any help greatly appreciated and apologies for the long-winded post, but I thought it better to be as detailed as possible.
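As an added example (not part of the original post and not certbot's own code): a small Python script that parses the text format of `certbot certificates` from a constructed sample in the shape shown at the top of the post, computes days to expiry against the 30-day renewal window certbot uses by default, and diffs each certificate's name list against the domains that should currently be covered, so stale names such as the old domains can be spotted locally. The sample output, the reference date and the "wanted" domain list are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `certbot certificates` output (not real data).
SAMPLE_OUTPUT = """Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
  Certificate Name: mail.mainDomain.com
    Domains: mail.mainDomain.com mail.newDomain.com webmail.mainDomain.com webmail.oldDomain.com
    Expiry Date: 2018-12-03 06:26:25+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/mail.mainDomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.mainDomain.com/privkey.pem
  Certificate Name: webmail.thirdDomain.com
    Domains: mail.thirdDomain.com webmail.thirdDomain.com
    Expiry Date: 2018-09-26 12:00:00+00:00 (VALID: 14 days)
    Certificate Path: /etc/letsencrypt/live/webmail.thirdDomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/webmail.thirdDomain.com/privkey.pem
"""

RENEW_WINDOW_DAYS = 30  # certbot renews lineages with <= 30 days left by default


def parse_certbot_certificates(text):
    """Turn the human-readable listing into a list of {name, domains, expiry} dicts."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = {"name": line.split(":", 1)[1].strip(), "domains": [], "expiry": None}
            certs.append(current)
        elif current is not None and line.startswith("Domains:"):
            current["domains"] = line.split(":", 1)[1].split()
        elif current is not None and line.startswith("Expiry Date:"):
            # Keep only the ISO timestamp; the "(VALID: N days)" suffix is recomputed below.
            m = re.match(r"Expiry Date:\s+(\S+ \S+)", line)
            current["expiry"] = datetime.fromisoformat(m.group(1))
    return certs


def audit(certs, wanted, now):
    """Per lineage: days left, whether it is inside the renewal window, and name drift."""
    wanted = set(wanted)
    report = {}
    for c in certs:
        days_left = (c["expiry"] - now).days
        have = set(c["domains"])
        report[c["name"]] = {
            "days_left": days_left,
            "needs_renewal": days_left <= RENEW_WINDOW_DAYS,
            "missing": sorted(wanted - have),   # wanted names this cert does not cover
            "stale": sorted(have - wanted),     # names still on the cert but no longer wanted
        }
    return report
```

This only audits the lineages certbot keeps locally under /etc/letsencrypt; it cannot show certificates that were issued earlier with a different set of names.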