Hi,
I am analyzing how we would use letsencrypt in our company. I already successfully issued and deployed 2 certs, but now want to think how to make the process scalable and work when using it for all of our websites with as much automation as possible.
I stumbled upon an issue: let’s say you issue a multidomain certificate for domains domain.tld,s1.domain.tld,s2.domain.tld. It is available at /etc/letsencrypt/live/domain.tld, to which I point my web server.
Now I set up a cron script to renew that every once in a while and use it that way successfully for some time. Everybody is happy.
Then I stop using the domain s2.domain.tld for good (or I want to add it to another multidomain certificate) and, to keep things clean, I want that domain to no longer be present in the certificate. So I remove the domain from the list - I start renewing only with the domain list domain.tld,s1.domain.tld. But at that moment, letsencrypt creates a new certificate location, /etc/letsencrypt/live/domain.tld-0001. Aesthetic issues aside (my eyes really want to explode when looking at the “-0001” stuff), this messes things up as the web server still uses certificates from /etc/letsencrypt/live/domain.tld and not the new ones, so it would require me to reconfigure the web server to use the new ones. And if I wanted things clean, to also remove /etc/letsencrypt/live/domain.tld, or better, somehow “move” /etc/letsencrypt/live/domain.tld-0001 to /etc/letsencrypt/live/domain.tld, but I cannot see how I could do that without some downtime (and more importantly, it is a lot of hassle I don’t want to have).
So is there any way to “explain” to letsencrypt that I really want to stop using s2.domain.tld in that multidomain certificate, and that it should not create a new “branch” of certificates (i.e. domain.tld-0001) and instead really remove the domain s2.domain.tld from the existing (original) certificate “branch” in /etc/letsencrypt/live/domain.tld?
UPDATE: I tried editing /etc/letsencrypt/renewal/domain.tld and removing s2.domain.tld from the domains key and the corresponding entry in the [[webroot_map]] section, but letsencrypt still creates the new domain.tld-0001 “branch” in /etc/letsencrypt (in live, archive, renewal). The /etc/letsencrypt/renewal/domain.tld.conf and /etc/letsencrypt/renewal/domain.tld-0001.conf differ only in this way:
--- /etc/letsencrypt/renewal/domain.tld.conf 2016-01-03 00:05:29.000000000 +0100
+++ /etc/letsencrypt/renewal/domain.tld-0001.conf 2016-01-03 00:05:48.00000000
0 +0100
@@ -1,7 +1,7 @@
-cert = /etc/letsencrypt/live/domain.tld/cert.pem
-privkey = /etc/letsencrypt/live/domain.tld/privkey.pem
-chain = /etc/letsencrypt/live/domain.tld/chain.pem
-fullchain = /etc/letsencrypt/live/domain.tld/fullchain.pem
+cert = /etc/letsencrypt/live/domain.tld-0001/cert.pem
+privkey = /etc/letsencrypt/live/domain.tld-0001/privkey.pem
+chain = /etc/letsencrypt/live/domain.tld-0001/chain.pem
+fullchain = /etc/letsencrypt/live/domain.tld-0001/fullchain.pem
# Options and defaults used in the renewal process
[renewalparams]
@@ -14,7 +14,7 @@
installer = none
config_dir = /etc/letsencrypt-testonly
text_mode = True
-func = <function obtain_cert at 0x3665500>
+func = <function obtain_cert at 0x2c4c500>
staging = True
prepare = False
work_dir = /var/lib/letsencrypt
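Review bot: the unchanged context in this hunk records config_dir = /etc/letsencrypt-testonly and staging = True, while the path keys in the first hunk and the surrounding text all point at /etc/letsencrypt; if some runs use a non-default --config-dir and others the default, the two runs are reading and writing different trees, which is worth ruling out before looking further at lineage naming, and staging = True also means these certificates come from the staging CA and are not browser-trusted, so they are fine for this experiment but not for production. The differing func = <function obtain_cert at ...> values are only the in-memory address of the same function in two processes and carry no information, as the post already says; what the line does show is that both files record obtain_cert as the function that produced them.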
Neither of these two differences seems to really shed any light: the first one is obvious (if a newly named “branch” is created, update the paths accordingly), and the second one too (one function will have different addresses in two different letsencrypt runs).
END UPDATE
Thanks,
Boris
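As an added example (not code from the post or from the letsencrypt project), the following script does the hygiene check the post is reaching for: it parses each lineage's renewal conf, reads its domains key, reports lineages created with a -0001 style suffix beside an existing base lineage, and says how their domain sets relate, so a web server still pointing at /etc/letsencrypt/live/domain.tld can be spotted before the certificate it serves drifts from the one being renewed. It assumes the domains key is a comma-separated list under [renewalparams] (the post mentions the key but does not show its format); the sample confs, file paths and function names are constructed for the example.

```python
"""Lineage hygiene check for letsencrypt/certbot renewal configs.

Added example, not code from the post or the letsencrypt project.
Assumption not shown on the page: `domains` is a comma separated list
under [renewalparams]. The sample confs below are constructed.
"""
import re

# A suffixed lineage name looks like <base>-0001, <base>-0002, ...
SUFFIX_RE = re.compile(r"^(?P<base>.+)-(?P<n>\d{4})$")

# Constructed sample confs, reduced to the keys this check needs.
SAMPLE_CONFS = {
    "domain.tld": """\
cert = /etc/letsencrypt/live/domain.tld/cert.pem
# Options and defaults used in the renewal process
[renewalparams]
domains = domain.tld, s1.domain.tld, s2.domain.tld
installer = none
[[webroot_map]]
domain.tld = /var/www/html
s1.domain.tld = /var/www/html
s2.domain.tld = /var/www/html
""",
    "domain.tld-0001": """\
cert = /etc/letsencrypt/live/domain.tld-0001/cert.pem
[renewalparams]
domains = domain.tld, s1.domain.tld
installer = none
[[webroot_map]]
domain.tld = /var/www/html
s1.domain.tld = /var/www/html
""",
    "other.tld": """\
cert = /etc/letsencrypt/live/other.tld/cert.pem
[renewalparams]
domains = other.tld
""",
}


def parse_renewal_conf(text):
    """Return {"cert": path, "domains": set} from one renewal conf.

    Section headers and comments are skipped; [[webroot_map]] entries are
    `domain = path` lines whose keys are never `cert` or `domains`, so the
    key match ignores them.
    """
    result = {"cert": None, "domains": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "cert":
            result["cert"] = value
        elif key == "domains":
            result["domains"] = {d.strip() for d in value.split(",") if d.strip()}
    return result


def lineage_from_path(cert_path):
    """Map /etc/letsencrypt/live/<lineage>/<file>.pem to <lineage>."""
    parts = cert_path.rstrip("/").split("/")
    return parts[-2] if len(parts) >= 2 else ""


def find_duplicate_lineages(confs):
    """Return [(suffixed, base, relation)] for every <base>-NNNN lineage whose
    base also exists. relation compares the suffixed lineage's domain set with
    the base: "subset" (a domain was dropped, the case in the post), "superset",
    "identical" (e.g. after the base conf was hand-edited) or "different"."""
    parsed = {name: parse_renewal_conf(text) for name, text in confs.items()}
    findings = []
    for name in sorted(parsed):
        match = SUFFIX_RE.match(name)
        if not match or match.group("base") not in parsed:
            continue
        base = match.group("base")
        new, old = parsed[name]["domains"], parsed[base]["domains"]
        if new == old:
            relation = "identical"
        elif new < old:
            relation = "subset"
        elif new > old:
            relation = "superset"
        else:
            relation = "different"
        findings.append((name, base, relation))
    return findings


def check_server_cert(confs, served_path):
    """Given the certificate path a web server loads, report which lineage it
    belongs to and which suffixed lineages (if any) were created beside it."""
    lineage = lineage_from_path(served_path)
    newer = [n for n in confs
             if SUFFIX_RE.match(n) and SUFFIX_RE.match(n).group("base") == lineage]
    return {"lineage": lineage, "known": lineage in confs,
            "superseded_by": sorted(newer)}


if __name__ == "__main__":
    for name, base, rel in find_duplicate_lineages(SAMPLE_CONFS):
        print(f"{name} duplicates {base}: domain set relation = {rel}")
    print(check_server_cert(SAMPLE_CONFS, "/etc/letsencrypt/live/domain.tld/fullchain.pem"))
```

Run against a real tree by replacing SAMPLE_CONFS with the contents of /etc/letsencrypt/renewal/*.conf keyed by file stem; a "subset" finding on a lineage the web server still loads is exactly the drift described in the post, and an "identical" finding is what the hand-edited conf from the UPDATE would produce.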