How to prevent creation of '/etc/letsencrypt/live/domain.tld-0001' when removing domains from a `domain.tld` multidomain certificate?

I migrated the site to a new server in August and it must’ve happened then. When I copied over the /live/ directory I must not have properly preserved the symlinks. I think there’s a flag you use to do that when decompressing the directory, and I bet what happened is I didn’t use that flag. My best guess anyway.

Is the solution to create new symlinks to the files in archive? What’s the proper way to do that? Would it be:

ln -s /etc/letsencrypt/archive/mydomain.com/cert1.pem /etc/letsencrypt/live/mydomain.com/cert.pem

Then once that’s done, I can run certbot renew (I’ll try a dry run first)?

Thanks for identifying the issue.

Hi @EdGeis,

The right way should be this:

Before doing any change, please back up (as user root):

tar zcvf /root/backup_etc_letsencrypt_2018-Oct-06.tar.gz /etc/letsencrypt/

And then, recreate the symbolic links pointing to the last files inside archive/mydomain.com

cd /etc/letsencrypt/live/mydomain.com/
ln -sf ../../archive/mydomain.com/cert2.pem cert.pem
ln -sf ../../archive/mydomain.com/chain2.pem chain.pem
ln -sf ../../archive/mydomain.com/fullchain2.pem fullchain.pem
ln -sf ../../archive/mydomain.com/privkey2.pem privkey.pem

Good luck,
sahsanu

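The repair sahsanu describes, generalized into a small script, is shown below as an added example (it is not code from the thread or from Certbot). It picks the highest-numbered set of files in archive/<domain> rather than hard-coding "2", checks that all four files of that generation exist before touching anything, and writes relative links of the same form Certbot uses. The base directory parameter is an assumption made so it can be exercised against a scratch copy of the layout; on a real host pass /etc/letsencrypt, and take the tar backup first.

```shell
#!/bin/sh
# Added example, not from the original thread or from Certbot.
# Assumed layout (standard Certbot):
#   $base/archive/$domain/{cert,chain,fullchain,privkey}N.pem
#   $base/live/$domain/{cert,chain,fullchain,privkey}.pem  -> relative symlinks
# Usage (as root, after the tar backup):
#   . ./relink_live.sh && relink_live /etc/letsencrypt mydomain.com

# Print the highest N for which archive/$domain/certN.pem exists.
# Compares numerically so cert10.pem beats cert9.pem; fails if none exist.
latest_archive_number() {
    la_base=$1
    la_domain=$2
    la_best=0
    for la_file in "$la_base/archive/$la_domain"/cert*.pem; do
        [ -e "$la_file" ] || continue            # unmatched glob stays literal
        la_num=${la_file##*/cert}
        la_num=${la_num%.pem}
        case $la_num in
            ''|*[!0-9]*) continue ;;             # skip anything not purely numeric
        esac
        if [ "$la_num" -gt "$la_best" ]; then
            la_best=$la_num
        fi
    done
    [ "$la_best" -gt 0 ] || return 1
    echo "$la_best"
}

# Recreate the four symlinks in live/$domain pointing at generation N,
# using the same relative form Certbot itself writes (../../archive/...).
# Refuses to change anything if that generation is incomplete in archive/.
# Prints N on success.
relink_live() {
    rl_base=$1
    rl_domain=$2
    rl_n=$(latest_archive_number "$rl_base" "$rl_domain") || {
        echo "no archive files found for $rl_domain" >&2
        return 1
    }
    # Verify the whole generation first so a half-updated live/ never results.
    for rl_name in cert chain fullchain privkey; do
        if [ ! -e "$rl_base/archive/$rl_domain/$rl_name$rl_n.pem" ]; then
            echo "archive generation $rl_n is missing $rl_name$rl_n.pem" >&2
            return 1
        fi
    done
    mkdir -p "$rl_base/live/$rl_domain"
    for rl_name in cert chain fullchain privkey; do
        ln -sf "../../archive/$rl_domain/$rl_name$rl_n.pem" \
               "$rl_base/live/$rl_domain/$rl_name.pem"
    done
    echo "$rl_n"
}
```

After relinking, `ls -l /etc/letsencrypt/live/mydomain.com/` should show the four names as symlinks into ../../archive/mydomain.com/, and a `certbot renew --dry-run` (as the thread goes on to do) confirms Certbot recognises the lineage before the real renewal.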

Got it…thank you. Will give this a try (I have a backup server I can test this on by modifying my .hosts file).

So next time it renews, does it add cert3.pem etc. to /etc/letsencrypt/archive/mydomain.com? Just wondering about the sequential numerals added to the file names there…

Yes, and it will also automatically update the symlinks to point to cert3.pem and the other files.

Got it, thanks. I just created the symlinks on a backup server and tried a renewal dry-run. Other than the DNS not pointing to the right IP because it’s a different server, everything else checked out OK. In the wee hours tonight I’ll do this on the production server and try a renewal, then report back. Should work…I guess the nuclear option would be to just vaporize /etc/letsencrypt/ and run certbot from the top again.

Success. It renewed this morning, zero downtime.

Learned a few more things about how Certbot works, so all in all I’m glad this happened. Thanks for the help.