How to prevent creation of '/etc/letsencrypt/live/domain.tld-0001' when removing domains from a `domain.tld` multidomain certificate?

Hello!
I know I'm replying years later, but I recently had this issue, and this solution worked for me on the three servers where I am running Certbot:

As far as I understand, sometimes, for some reason, when you add a domain to your Certbot command when you already have a certificate, a duplicate certificate is created, leaving the old one appended with 0001 and creating a new one with the new domain added, without 0001.

The name of a certificate is the same as the first domain after -d in the command.
So, for example, if you create a certificate (for example with the webroot plugin):

./certbot-auto --webroot -w /var/www/html -n -d example.com -d existing.com

Its name (you can list your certificates with ./certbot-auto certificates) would be "example.com".

Now, if you add a new domain to that certificate using the --expand flag, that is when a duplicate certificate would be generated:

./certbot-auto --webroot -w /var/www/html -n --expand -d example.com -d existing.com -d newdomain.com

And you might have a new certificate called "example.com-0001". The certificates would now be:

The same happens when removing a domain from the certificate.

So the solution I found for this is to stop using the --expand flag in the first place, as the official doc says:

Consider using --cert-name instead of --expand, as it gives more control over which certificate is modified and it lets you remove domains as well as adding them.
(User Guide — Certbot 2.7.0.dev0 documentation)

First, you can delete the old certificates and then check that they are in fact not being used:
./certbot-auto delete --cert-name example.com-0001

And now, using the --cert-name flag, add the new domain. This flag adds the wanted domains to the specified certificate name:

./certbot-auto --webroot -w /var/www/html -n --cert-name example.com -d example.com -d existing.com -d newdomain.com

Remember to add all the domains; otherwise it would "smash" the domains you had certified. And also remember the rate limit of 100 domains per certificate.

Hope it helps.

Thanks.

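As an added example (not code from the post above or from Certbot itself): a small Python helper for the clean-up described in the answer. It parses the text that `certbot certificates` prints, groups lineages that differ only by a `-0001`-style suffix, computes the union of the domains those lineages cover so that the `--cert-name` re-issue does not "smash" any name, warns when that union exceeds the 100-name limit, and refuses to emit a `certbot delete` for a lineage that a web server config still references. The `certbot certificates` output and the nginx-style snippet embedded in the block are constructed samples; only the `Certificate Name:` and `Domains:` lines of the real output are relied on, and the `--webroot -w /var/www/html` part of the generated command simply mirrors the answer's own commands.

```python
"""Plan the clean-up of duplicate certbot lineages (example.com vs example.com-0001).

Added example, not code from the original post or from certbot.
"""
import re
from collections import defaultdict

# Constructed sample of `certbot certificates` output. The real command prints
# more fields (serial, expiry, ...); only "Certificate Name:" and "Domains:" are used.
SAMPLE_CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: example.com
    Domains: example.com existing.com
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: example.com-0001
    Domains: example.com existing.com newdomain.com
    Certificate Path: /etc/letsencrypt/live/example.com-0001/fullchain.pem
  Certificate Name: other.org
    Domains: other.org
    Certificate Path: /etc/letsencrypt/live/other.org/fullchain.pem
"""

# Constructed web server config snippet; a lineage referenced here is still in use.
SAMPLE_WEBSERVER_CONFIG = """\
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
"""

MAX_NAMES_PER_CERT = 100                        # Let's Encrypt: 100 names per certificate
SUFFIX_RE = re.compile(r"^(.*?)(?:-\d{4})+$")   # strips certbot's -0001, -0002, ... suffixes


def parse_certificates(text):
    """Return {lineage_name: [domains]} from `certbot certificates` output."""
    lineages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = []
        elif line.startswith("Domains:") and current is not None:
            lineages[current] = line.split(":", 1)[1].split()
    return lineages


def base_name(lineage):
    """example.com-0001 -> example.com; a name without the suffix is returned unchanged."""
    m = SUFFIX_RE.match(lineage)
    return m.group(1) if m else lineage


def referenced_lineages(config_text):
    """Lineage names that appear as /etc/letsencrypt/live/<name>/ in a config."""
    return set(re.findall(r"/etc/letsencrypt/live/([^/\s]+)/", config_text))


def plan_cleanup(certbot_output, webserver_config):
    """Group duplicate lineages and return, per base name, what to keep, delete and run."""
    lineages = parse_certificates(certbot_output)
    in_use = referenced_lineages(webserver_config)
    groups = defaultdict(list)
    for name in lineages:
        groups[base_name(name)].append(name)

    plan = {}
    for base, names in groups.items():
        if len(names) < 2:
            continue                                   # no duplicate, nothing to do
        keep = base if base in names else sorted(names)[0]
        # Union of every domain the duplicates cover (first-seen order), so the
        # --cert-name re-issue keeps everything the old lineages had.
        domains = []
        for n in sorted(names):
            for d in lineages[n]:
                if d not in domains:
                    domains.append(d)
        warnings, delete, commands = [], [], []
        if len(domains) > MAX_NAMES_PER_CERT:
            warnings.append(f"{len(domains)} names exceed the {MAX_NAMES_PER_CERT}-name limit")
        for n in sorted(names):
            if n == keep:
                continue
            if n in in_use:                            # never delete a lineage the server serves
                warnings.append(f"{n} is still referenced by the web server config; not deleting")
                continue
            delete.append(n)
            commands.append(f"certbot delete --cert-name {n}")
        commands.append("certbot --webroot -w /var/www/html -n --cert-name " + keep
                        + " " + " ".join(f"-d {d}" for d in domains))
        plan[base] = {"keep": keep, "delete": delete, "domains": domains,
                      "commands": commands, "warnings": warnings}
    return plan


if __name__ == "__main__":
    for base, p in plan_cleanup(SAMPLE_CERTBOT_OUTPUT, SAMPLE_WEBSERVER_CONFIG).items():
        print(f"# {base}: keep {p['keep']}, delete {p['delete']}")
        for w in p["warnings"]:
            print("# WARNING:", w)
        for c in p["commands"]:
            print(c)
```

On a real host you would feed it the actual `certbot certificates` output and the contents of your nginx or Apache vhost files; the point of the reference check is that a `-0001` lineage is only safe to delete once nothing is serving it, and the point of the domain union is that the `--cert-name` command must list every name, or the names you leave out are dropped from the certificate.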