How do I force certbot to issue my certificate for a new domain and not an old one?

Help
#1

My domain is: frick.blog. It was: davidfrick.xyz

I ran this command:

certbot --manual --preferred-challenges dns certonly \
    -d frick.blog
    ....
    (some other domains as well)

It produced this output: It reissued my certificate for my old domain name.
This is an issue because my mail server relies on that certificate and it seems people can not email me back without issue because it then looks for davidfrick.xyz

My certbot version is: 1.4.0
I can run any other commands on my server as needed.

1 Like
#2

Welcome to the Let's Encrypt Community, David :slightly_smiling_face:

Read @Osiris's comments in the next post before trying the command I have given below.

certbot certonly --cert-name frick.blog --manual --preferred-challenges dns -d "frick.blog,www.frick.blog,mail.frick.blog,david.frick.blog,www.david.frick.blog" --keep

Keep in mind that this command (like your original command) will only acquire the certificate. It will not install the certificate.

#3

Even when you didn't put that domain name on the command line? That shouldn't be happening.. And I'm very much doubting it. Could you paste the complete command and its complete output?

Also, you haven't issued a certificate for both those domains in December. Last certs are from November 14 and 25. You already have one for david.frick.blog, frick.blog, mail.frick.blog, www.david.frick.blog and www.frick.blog. What's wrong with that one? Your SMTP server is already using that certificate on port 25. However, your SMTP daemon identifies itself as davidfrick.xyz? You should update your server to use the correct hostname too.

@griffin As I see you've included the other hostnames, you should also realise that he already has that certificate, right? So running your suggested command doesn't help really.. It would probably only duplicate it, making it only more confusing.

1 Like
#4

@Osiris

I wrote the command to put the certificate for the new domain name under its own certificate name to prevent confusion. With the --keep it may not do anything other than affirm. I pointed @Frick-David at your post to resolve the other issues first.

1 Like
#5

That would leave him with two certificates in certbot, one called frick.box and the current mail.frick.box (I'm assuming, as that's the CommonName of the most recent cert).

I don't think getting more and more certificates is useful here. Your --keep won't do anything as you're also using --cert-name, which probably doesn't exist and would result in a double cert, increasing load on LE's systems et cetera.

1 Like
#6

Correct. It would be far clearer to have the certificate (and common name) be frick.blog. This is purely a management thing and not a functionality thing.

1 Like
#7

I would like to suggest to get to the bottom of the actual issue first before we'll get it more confusing by duplicating identical certificates to just get the name different...

Also, as the SMTP daemon already uses the correct certificate, renaming the cert would also mean re-configuring all the services already using that certificate.. Not worth the effort just for cosmetics IMHO.

1 Like
#8

Hence why I added this:

You may be right. I'm not sure what "some other domains" are in the OP though. If they're all related, no problem. If not, well... I know 100% that the command I gave will put the correct domain names in a correctly-named certificate. Failsafe.

#9

okay i will look into the smtp server. I think its linked to the correct cert. Odd...

1 Like
#10

They are all some version of frick.blog.

1 Like
#11

So my concern here is my certificate is in /etc/letsencrypt/live/mail.frick.blog/ ...

And both opensmtpd and dovecot point to that. I see no /etc/letsnecrypt/live/davidfrick.xyz as I had gotten rid of it.

Do I need to tell letsencrypt to use the new certifcate?
I am not sure where I went wrong?

1 Like
#12

How about we take a look at what certs you have, what names they cover, and when they will expire?
Please show:
certbot certificates

2 Likes
#13

And I'm not sure what the actual issue now really is... You have the certificate for your new domain already. Or is there something wrong with that one?

How is that a concern? Sounds pretty good to me.

2 Likes
#14

Out of curiosity: did you reload your mailserver software after acquiring the new certificate?

1 Like
#15

Sure, so it seems this might be the issue:
the command certbot certificates returns:

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/davidfrick.xyz.conf produced an unexpected error: expected /etc/letsencrypt/live/davidfrick.xyz/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/mail.frick.blog-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/mail.frick.blog-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/mail.frick.blog-0002.conf produced an unexpected error: expected /etc/letsencrypt/live/mail.frick.blog-0002/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/mail.frick.blog-0003.conf produced an unexpected error: expected /etc/letsencrypt/live/mail.frick.blog-0003/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mail.frick.blog
    Serial Number: <removed>
    Domains: mail.frick.blog david.frick.blog frick.blog www.david.frick.blog www.frick.blog
    Expiry Date: <Not expired>
    Certificate Path: /etc/letsencrypt/live/mail.frick.blog/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.frick.blog/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/davidfrick.xyz.conf
  /etc/letsencrypt/renewal/mail.frick.blog-0001.conf
  /etc/letsencrypt/renewal/mail.frick.blog-0002.conf
  /etc/letsencrypt/renewal/mail.frick.blog-0003.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
So it does seem like something happened with copies of keys or something.
Is there a way to clean this up?
1 Like
#16

Well so if they are pointed at the right certs. I am not sure why the smtp service is still using the old one per your comment. I did reload the services.

1 Like
#17

Yeah! There are some serious problems shown there.
To clean this mess, it seems like any cert name, other than "mail.frick.blog", should be deleted.

1 Like
#18

No point in redacting things...

1 Like
#19

Maybe the symlinks are jumbled?

Yep.

Run:
certbot update_symlinks

Then run:
certbot certificates

If all is well at that point, reload your server software.

There's more cleaning up to do at that point...

1 Like
#20

It looks like you've deleted stuff manually from the /live/ directory, can that be the case? If so, I'd like to advice using certbot delete --cert-name $name-of-cert

Now you have some left over files which weren't deleted, such as those renewal configuration files.

All Let's Encrypt certificates are send to certificate transparancy logs, so they are publically known. Also, we can find out the serial number and expiration date by just connecting to one of the services, such as your SMTP server. No need to redact those.

I thought mail.frick.box is the new certificate? The hostname I mentioned was in the SMTP 250 EHLO header response, wasn't certificate related.

Can you please tell us what issue you're actually running into? Do you have an error message for us? Perhaps a screenshot what the issue is?

2 Likes