I am analyzing how we would use letsencrypt in our company. I already successfully issued and deployed 2 certs, but now want to think how to make the process scalable and work when using it for all of our websites with as much automation as possible.
I stumbled upon an issue: let’s say you issue a multidomain certificate for domains domain.tld,s1.domain.tld,s2.domain.tld. It is available at /etc/letsencrypt/live/domain.tld, to which I point my web server.
Now I set up a cron script to renew that every once in a while and use it that way successfully for some time. Everybody is happy.
Then I stop using the domain s2.domain.tld for good (or I want to add it to another multidomain certificate) and, to keep things clean, I want that domain to no longer be present in the certificate. So I remove the domain from the list - I start renewing only with domain list domain.tld,s1.domain.tld. But at that moment, letsencrypt creates a new certificate location, /etc/letsencrypt/live/domain.tld-0001. Aesthetic issues aside (my eyes really want to explode when looking at the “-0001” stuff), this messes things up as the web server still uses certificates from /etc/letsencrypt/live/domain.tld and not the new ones, so it would require me to reconfigure the web server to use the new ones. And if I wanted things clean, to also remove /etc/letsencrypt/live/domain.tld, or better, somehow “move” /etc/letsencrypt/live/domain.tld, but I cannot see how I could do that without some downtime (and more importantly, it is a lot of hassle I don’t want to have).
So is there any way to “explain” to letsencrypt that I really want to stop using s2.domain.tld in that multidomain certificate, and that it should not create a new “branch” of certificates (i.e. domain.tld-0001) and instead really remove the domain s2.domain.tld from the existing (original) certificate “branch” in
UPDATE: I tried editing /etc/letsencrypt/renewal/domain.tld and removed s2.domain.tld from the domains key and the corresponding entry in the [[webroot_map]] section, but letsencrypt still creates the new domain.tld-0001 “branch” in
/etc/letsencrypt/renewal/domain.tld-0001.conf differ only in this way:
--- /etc/letsencrypt/renewal/domain.tld.conf 2016-01-03 00:05:29.000000000 +0100 +++ /etc/letsencrypt/renewal/domain.tld-0001.conf 2016-01-03 00:05:48.00000000 0 +0100 @@ -1,7 +1,7 @@ -cert = /etc/letsencrypt/live/domain.tld/cert.pem -privkey = /etc/letsencrypt/live/domain.tld/privkey.pem -chain = /etc/letsencrypt/live/domain.tld/chain.pem -fullchain = /etc/letsencrypt/live/domain.tld/fullchain.pem +cert = /etc/letsencrypt/live/domain.tld-0001/cert.pem +privkey = /etc/letsencrypt/live/domain.tld-0001/privkey.pem +chain = /etc/letsencrypt/live/domain.tld-0001/chain.pem +fullchain = /etc/letsencrypt/live/domain.tld-0001/fullchain.pem # Options and defaults used in the renewal process [renewalparams] @@ -14,7 +14,7 @@ installer = none config_dir = /etc/letsencrypt-testonly text_mode = True -func = <function obtain_cert at 0x3665500> +func = <function obtain_cert at 0x2c4c500> staging = True prepare = False work_dir = /var/lib/letsencrypt
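Review bot: the four `-`/`+` lines of the first hunk move `privkey` along with `cert`, `chain` and `fullchain` to `/etc/letsencrypt/live/domain.tld-0001/`, so the -0001 lineage has its own private key file and the web server, still pointed at `/etc/letsencrypt/live/domain.tld`, keeps serving the old lineage until its config is changed; the unchanged context lines `config_dir = /etc/letsencrypt-testonly` and `staging = True` also show that both renewal files describe staging runs against a non-default config directory while the cert paths sit under `/etc/letsencrypt/`, so confirm which directory the renewal cron actually reads before treating this diff as the production state. The `func = <function obtain_cert at 0x...>` line in the second hunk is the repr of a Python object and carries no configuration, as the post already notes.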
Neither of these two differences seems to really shed any light: the first one is obvious (if a newly named “branch” is created, update the paths accordingly), and the second one too (one function will have different addresses in two different letsencrypt runs).
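An added example in Python, not code from the original post or from the letsencrypt/certbot project: it models the renewal file the post describes (a `domains` key under `[renewalparams]` and a nested `[[webroot_map]]`), removes one domain from both places, checks that the two stay in sync (a stale `[[webroot_map]]` entry is one way a renewal silently diverges from the intended domain set), and builds the certbot invocation that re-issues the existing lineage in place. The `--cert-name` option it uses is a real certbot flag added in later releases for exactly this case: it pins renewal to a named lineage so a changed domain set does not spawn `domain.tld-0001`. `SAMPLE_CONF` and the `/var/www/...` webroot paths are constructed for the example; the `domains` key layout is assumed from the post's own description rather than from a captured file.

```python
"""Renewal-config helper: drop a domain from a lineage and renew it in place.

Added example, not code from the post or from certbot.  The conf text and the
webroot paths are constructed; the `domains` key layout follows the post.
"""
import re
import shlex

# Constructed sample (assumption): the keys the post mentions, laid out as in its diff.
SAMPLE_CONF = """\
cert = /etc/letsencrypt/live/domain.tld/cert.pem
privkey = /etc/letsencrypt/live/domain.tld/privkey.pem
chain = /etc/letsencrypt/live/domain.tld/chain.pem
fullchain = /etc/letsencrypt/live/domain.tld/fullchain.pem
# Options and defaults used in the renewal process
[renewalparams]
authenticator = webroot
installer = none
domains = domain.tld, s1.domain.tld, s2.domain.tld
[[webroot_map]]
domain.tld = /var/www/domain.tld
s1.domain.tld = /var/www/s1.domain.tld
s2.domain.tld = /var/www/s2.domain.tld
"""

_SECTION_RE = re.compile(r"^\[+([^\]]+)\]+$")
_LIVE_RE = re.compile(r"/live/([^/]+)/cert\.pem$")


def parse_renewal_conf(text):
    """Parse the configobj-style file into three dicts: top-level paths,
    [renewalparams], and the nested [[webroot_map]] (flattened)."""
    conf = {"top": {}, "renewalparams": {}, "webroot_map": {}}
    section = "top"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            if section not in conf:
                raise ValueError(f"unexpected section [{section}]")
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        conf[section][key.strip()] = value.strip()
    return conf


def render_renewal_conf(conf):
    """Write the three dicts back in the layout parse_renewal_conf reads."""
    lines = [f"{k} = {v}" for k, v in conf["top"].items()]
    lines += ["[renewalparams]"] + [f"{k} = {v}" for k, v in conf["renewalparams"].items()]
    lines += ["[[webroot_map]]"] + [f"{k} = {v}" for k, v in conf["webroot_map"].items()]
    return "\n".join(lines) + "\n"


def domains_of(conf):
    """The comma-separated `domains` value as an ordered list."""
    return [d.strip() for d in conf["renewalparams"].get("domains", "").split(",") if d.strip()]


def lineage_name(conf):
    """Lineage name = the directory under live/ that the cert path points into."""
    m = _LIVE_RE.search(conf["top"]["cert"])
    if not m:
        raise ValueError("cert path is not of the form .../live/<lineage>/cert.pem")
    return m.group(1)


def is_forked_lineage(name):
    """True for names like domain.tld-0001: the suffix the client appends when it
    creates a new lineage instead of reusing the existing one."""
    return re.search(r"-\d{4}$", name) is not None


def check_consistency(conf):
    """Problems a renewal would trip over: a requested domain with no webroot,
    or a stale webroot_map entry for a domain that is no longer requested."""
    doms, roots = set(domains_of(conf)), set(conf["webroot_map"])
    problems = [f"{d} is in domains but has no [[webroot_map]] entry" for d in sorted(doms - roots)]
    problems += [f"{d} has a [[webroot_map]] entry but is not in domains" for d in sorted(roots - doms)]
    return problems


def drop_domain(conf, domain):
    """Copy of `conf` with `domain` removed from both places; input is untouched."""
    doms = domains_of(conf)
    if domain not in doms:
        raise KeyError(f"{domain} is not part of this lineage")
    if len(doms) == 1:
        raise ValueError("cannot drop the last domain; delete the lineage instead")
    new = {section: dict(values) for section, values in conf.items()}
    new["renewalparams"]["domains"] = ", ".join(d for d in doms if d != domain)
    new["webroot_map"].pop(domain, None)
    return new


def certbot_renew_command(conf):
    """The invocation that re-issues *this* lineage with its current domain set.

    --cert-name pins the lineage so a smaller SAN list does not spawn <name>-0001;
    each -w applies to the -d flags after it, pairing every domain with its webroot.
    """
    problems = check_consistency(conf)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["certbot", "certonly", "--webroot", "--cert-name", lineage_name(conf)]
    for d in domains_of(conf):
        argv += ["-w", conf["webroot_map"][d], "-d", d]
    return shlex.join(argv)
```

Run `drop_domain` on the parsed file, write the result back with `render_renewal_conf`, and execute the command `certbot_renew_command` prints; `check_consistency` is what to run from the renewal cron before each attempt, since it catches the half-edited state the post describes (domain gone from `domains`, entry still in `[[webroot_map]]`) before certbot sees it.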