I installed a cert on my server using the wildcard manual method. I realize this manual process has to occur every 90 days and this is the only way to renew. I want to remove this and install it the normal way so I can do it automatically using a cron job. I just need a guide on how to remove what I did and start over.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: ssltest.datastuff.systems
I ran this command: sudo certbot certonly --manual --preferred-challenges=dns --email firstname.lastname@example.org --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d datastuff.systems -d *.datastuff.systems
It produced this output: (The normal output, it worked)
My web server is (include version): Apache
The operating system my web server runs on is (include version): Debian 11
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0
Hi @skid2964, and welcome to the LE community forum
I'm a bit confused by the "and start over" part.
What would you like that new path to produce [that isn't being done by your current one]?
Currently, I have to renew manually, I want to be able to automate the renewal.
Will you still require a wildcard cert?
Since it means having to manually renew, No, I do not need or want a wildcard cert.
If you ever do need a wildcard, you can utilize the acme-dns (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.) project to automate this. It lets you run your own API-driven DNS server specifically for Let's Encrypt validation, which can be taken on/offline by Certbot's pre/post hooks. The initial setup and testing of the server, and delegating your ACME challenges to it, usually takes under an hour.
The acme-dns approach works like this: You configure a dedicated nameserver on the public internet that will only serve acme-dns challenge responses. On initial enrollment of a domain, the acme-dns server will assign you a dedicated subdomain and API credentials for a desired domain. You then delegate your desired domain's "_acme-challenge" TXT record onto a subdomain the acme-dns server assigns you, and configure a certbot client hook (either based on GitHub - joohoi/acme-dns-certbot-joohoi: Certbot client hook for acme-dns or https://github.com/joohoi/acme-dns-client) with the delegated domain and API credentials. Certbot will then automatically renew the domain by coordinating the challenges between the acme-dns server and client. You will never have to update the main DNS records once delegated to acme-dns, and in the event of a system compromise your API credentials are only able to affect acme-challenges, not real DNS records or accounts with vendors. It is the most (only?) secure way to automatically manage DNS records with Certbot.
With that ACME client, it does require manual processing.
But there may be other ACME clients, and other ways (as mentioned above) to automate the required DNS-01 challenge authentication.
But since you don't really need a wildcard, then maybe we can just move forward without one [without having to move backwards].
What are the name(s) that need cert(s)?
I started with a Linux Debian Server with the default Cert from Linode, I ran the manual wildcard installation; now I want to take my server back to where it was before I ran the manual install; I want to remove it. I have several client Linodes/websites I've done this on, and I need a way to reverse it without having to build a new server and move their website.
You really don't need to remove the cert/undo anything.
You can simply get a new cert with whatever name(s) you need on it and just use that one.
Then delete the cert that you no longer need.
To delete the one I don't need, is it as simple as just deleting the two files (fullchain.pem and privkey.pem)?
I deleted the directory and the associated .conf file. This gave me the results I needed.
(Linode Debian 11)
Do this using root:
rm -r /etc/letsencrypt/live/[domain name]
rm /etc/letsencrypt/renewal/[domain name].conf
Can do this using sudo:
removed references in sites-available .conf file, then ran sudo certbot --apache
There is also an /archive/ folder related to those.
You might want to refer to this topic in the future
But, really, why was it so important to delete them from your server just to make a new one? Each time you renew that cert you'll get a new set. The symlink in the /live/ folder will point to the latest in /archive/
And, each new successful cert or renew will update the renewal conf file for next time.
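An added example (not posted by anyone in this thread) of the cleanup the last two posts describe, written as POSIX sh. On the real server the supported way is sudo certbot delete --cert-name datastuff.systems (and sudo certbot certificates to see what lineages exist), which removes the live/, archive/ and renewal/ entries together, so the old private key does not linger in /archive/. The script below performs the same three removals against a constructed scratch tree and adds the check the poster did by hand: it refuses to delete while an Apache vhost still points at the lineage, since otherwise the next reload fails on a missing SSLCertificateFile. The lineage name datastuff.systems and the fixture layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example: manual equivalent of `certbot delete --cert-name NAME`, with
# a guard against deleting a lineage an Apache vhost still references.
# Paths are parameters so the functions can run against a scratch tree.

# List lineage names certbot knows about: one renewal conf per lineage.
list_lineages() {
    le_root=$1
    for f in "$le_root"/renewal/*.conf; do
        [ -e "$f" ] || continue
        basename "$f" .conf
    done
}

# Succeed (exit 0) if any file under the Apache config dir references the
# lineage's live/ directory, e.g. an SSLCertificateFile line.
apache_references_lineage() {
    apache_dir=$1; le_root=$2; name=$3
    grep -rqF "$le_root/live/$name/" "$apache_dir"
}

# Remove live/, archive/ and the renewal conf for a lineage.
# Returns 1 if the lineage is unknown, 2 if Apache still references it.
remove_lineage() {
    apache_dir=$1; le_root=$2; name=$3
    if [ ! -f "$le_root/renewal/$name.conf" ]; then
        echo "no such lineage: $name" >&2
        return 1
    fi
    if apache_references_lineage "$apache_dir" "$le_root" "$name"; then
        echo "refusing: $apache_dir still references $name; fix the vhost first" >&2
        return 2
    fi
    # live/ holds symlinks into archive/; archive/ holds the real key material.
    rm -rf "$le_root/live/$name" "$le_root/archive/$name"
    rm -f "$le_root/renewal/$name.conf"
}

# Build a constructed scratch tree shaped like /etc/letsencrypt plus an Apache
# config dir after a --manual issuance (assumed lineage name: datastuff.systems).
make_fixture() {
    root=$1
    mkdir -p "$root/le/live/datastuff.systems" \
             "$root/le/archive/datastuff.systems" \
             "$root/le/renewal" \
             "$root/apache/sites-available"
    printf 'FAKE KEY\n' > "$root/le/archive/datastuff.systems/privkey1.pem"
    ln -s ../../archive/datastuff.systems/privkey1.pem \
        "$root/le/live/datastuff.systems/privkey.pem"
    printf '[renewalparams]\nauthenticator = manual\n' \
        > "$root/le/renewal/datastuff.systems.conf"
    printf 'SSLCertificateKeyFile %s/le/live/datastuff.systems/privkey.pem\n' "$root" \
        > "$root/apache/sites-available/default-ssl.conf"
}
```

Once the old lineage is gone, sudo certbot --apache -d ssltest.datastuff.systems issues a non-wildcard certificate via HTTP-01 that the packaged certbot timer or a cron job can renew without any manual step.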