How to manage and add names to /etc/letsencrypt/live?

I am using the command certbot --nginx that generated all certificates… But all with only one and aleatory domain name…

  1. Can I change or choose the name? The name is the only file at /etc/letsencrypt/live.

  2. Ideal to my server is to use 2 or more certificates, one for each domain name (certifying its subdomains), can I do it?
    How to manage names, splitting a big certificate into “one certificate per domain”?

Hi @ppKrauss,

[quote=“ppKrauss, post:1, topic:38923”]
Can I change or choose the name? The name is the only file at /etc/letsencrypt/live.
Ideal to my server is to use 2 or more certificates, one for each domain name (certifying its subdomains), can I do it? [/quote]

Yes, when first creating the certificate you can use --cert-name to specify which name will be used in /etc/letsencrypt to refer to that certificate.

Certbot obtains one new certificate each time you run it. So the idea would be to run Certbot one time per domain, if that’s what you want, like

certbot certonly --nginx -d -d
certbot certonly --nginx -d -d
certbot certonly --nginx -d -d

If the names that you obtain certificates for are subdomains of the same domain, you might run into a rate limit (Certificates Per Registered Domain) by doing this.

If they are independent domains, this shouldn’t be a problem at all.
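An added example (not code from the thread or from Certbot) that turns the advice above into a reviewable plan: it groups a list of hostnames by registered domain and prints one `certbot certonly --nginx --cert-name <domain>` command per domain, plus a check for names that already have a lineage under /etc/letsencrypt/live. It assumes the registered domain is the last two labels of each hostname; the `registered_domain`, `plan_certbot_commands` and `existing_lineages` names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: plan one "certbot certonly --nginx
# --cert-name <domain>" run per registered domain, so each domain gets its own
# lineage under /etc/letsencrypt/live instead of one certificate with a random
# name covering every discovered host. Commands are printed, not executed,
# so they can be reviewed (and tried with --dry-run) before anything changes.
# Assumption: the registered domain is the last two labels of the hostname;
# this does not consult the public suffix list, so "x.example.co.uk" would be
# grouped under "co.uk" and needs handling by hand.

registered_domain() {
    printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Reads hostnames from stdin (one per line, duplicates and blanks tolerated)
# and prints one certbot command per registered domain, all of that domain's
# hosts attached with -d. LC_ALL=C keeps grouping independent of the locale.
plan_certbot_commands() {
    LC_ALL=C sort -u | while IFS= read -r host; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$(registered_domain "$host")" "$host"
    done | LC_ALL=C sort | awk '
        $1 != cur {
            if (cur != "") print cmd
            cur = $1
            cmd = "certbot certonly --nginx --cert-name " $1
        }
        { cmd = cmd " -d " $2 }
        END { if (cur != "") print cmd }'
}

# Prints the planned cert-names that already have a lineage directory under
# the live directory (default /etc/letsencrypt/live). A re-run with the same
# --cert-name updates that existing certificate rather than creating a new
# one, which is worth knowing before the plan is executed.
existing_lineages() {
    live="${1:-/etc/letsencrypt/live}"
    plan_certbot_commands | awk '{ print $5 }' | while IFS= read -r name; do
        if [ -d "$live/$name" ]; then printf '%s\n' "$name"; fi
    done
}

# Usage: feed in the hostnames nginx serves, roughly:
#   grep -h server_name /etc/nginx/sites-enabled/* | tr -s ' ;' '\n' \
#       | grep -v server_name | plan_certbot_commands
```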

Thanks @schoen. About automation with certbot --nginx that reads (parses) all and shows to me, to decide what to do … It is an interactive mode. With the use of -d we lose lists and the interactive mode… How to preserve interactive mode?

EDIT: hum… here, the name is “autodiscovery”… I see but can’t test in production… "--installer that will help in domain names autodiscovery"

Well, you can either choose the names from the menu or specify them on the command line. We don’t really have anything in between the two cases. If you don’t specify -d, you can still choose to include or exclude particular names interactively.

Hi, only checking, seems a bug. When I do this sequence of steps,

  1. use certbot --nginx with (autodiscovery and) success… Generates a certificate for all domains: for MyName and MyName2.
  2. run certbot --nginx --cert-name MyName generates error. See dump below.
  3. run certbot --nginx… Same error. The sequence destroyed something that was not my intention, and it is not evident how to undo.

The error:

Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] a duplicate listen in /etc/nginx/sites-enabled/MyName2:12
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] a duplicate listen in /etc/nginx/sites-enabled/MyName2:12\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)

Another bug: running certbot --nginx --cert-name domain2 does not change the list of domains, no filter for domain2, so no way to organize and group my certificates in two sets, one for --cert-name Domain1 other for --cert-name Domain2.

What version of Certbot are you using? I want to ask the developer who implemented this functionality, but I want to know if it could be a bug that’s been fixed in the meantime.

I didn't understand what you meant here. Could you describe this problem another way (or else in Portuguese)?

Hi @schoen, I am using certbot v0.14.2, at UBUNTU 16 LTS with Nginx v1.10.3… About first and second bug, was a non-reversible phenomenon :wink:

The problem, that I see as a bug, is “how to get back to the initial state?”. As workaround I used backup files of /etc/nginx/sites-available/ and my snippets/ssl-*.conf adapting to the changes of certbot.

There's an old little-used feature called certbot rollback which is meant for this situation. It should restore your server configuration that was modified by Certbot. You can also indicate the number of checkpoints to roll back with --checkpoints (the default is 1).
