Hi all.
I have made a number of tests and errors. Now I’d like to clean up everything and start afresh. What is the recommended procedure?
Revoking all certs, removing the relevant apache directives for all domains, removing /etc/letsconfig and issuing a new cert?
Thanks.
Before removing anything remember about the rate limits. If the last cert you created is right keep it and the associated config, then delete the configs for any other certs to avoid autorenew if you use that feature.
Thanks a lot. So:
- is the procedure I described the correct one?
- how do I know if I hit the rate limit, and when it will be lifted?
All the best.
That will work.
The rate limit is 5 certs in 7 days per domain, once you hit it you’ll just get an error message until one of the relevant existing certs is over 7 days old.
I see. So, better --duplicate a good one. My point is: how do I get rid of all the cruft, and remove all the useless dirs, and I stop having -0001, -0002 etc. dirs?
I cannot find it documented.
Thanks!
Under /etc/letsencrypt delete the ones you don’t want in archive, live and renewal. Don’t touch accounts, csr or keys.
Then rename the directories in archive, correct the symlinks in live and edit the conf file in renewal to reflect the new name.
1 Like
Thanks, will do!
Sorry to ask many questions (is there a better place to do it?): I understood using --duplicate would not issue a new certificate, but add other website to an existing one. I must be wrong, because this fails because I hit the number of cert limit.
Is there a way to add domains to a good cert?
Thanks so much, and sorry for abusing.
Any information changed in a certificate requires that a new one be issued. There is no way to “edit” an issued certificate.
Make sure to use the test/staging server when trying things out. It has a much higher limit and won’t affect you getting valid certificates when you’re ready.
The reason for the limit is because LE has to use OCSP to sign every issued certificate as good or bad, even revoked ones, until their issued expiration.
Hi @pcav, actually --duplicate does the exact opposite of what you want here. The reason you are getting the -0001, -0002 certs is that they are "duplicates" of existing certs and they were requested because you supplied --duplicate. The contrary option, which should do what you want (adding a name to an existing cert), is called --expand. That allows the certificate to "expand" to include the additional name or names.
Could you tell me where you learned about --duplicate so I could try to improve our documentation to avoid leading people astray this way? I can see one place in our documentation where we seem to give unclear or bad advice about this, but I'm wondering whether there are any others that I ought to try to fix.
I filed this issue expressing concern about the place that I know of where we suggest --duplicate.
But maybe there are others.
Sorry @schoen : I found it during my searches, but cannot find it back. I confirm that the documentation can be misleading, at least for a relative ignorant like me.
BTW, I got -001 even when not using --duplicate.
IMHO a --cleanup option would be useful.