How to remove manual wildcard installation and start over

I installed a cert on my server using the wildcard manual method. I realize this manual process has to occur every 90 days and this is the only way to renew. I want to remove this and install it the normal way so I can do it automatically using a cron job. I just need a guide on how to remove what I did and start over.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ssltest.datastuff.systems

I ran this command: sudo certbot certonly --manual --preferred-challenges=dns --email example@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d datastuff.systems -d *.datastuff.systems

It produced this output: (The normal output, it worked)

My web server is (include version): Apache

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

Hi @skid2964, and welcome to the LE community forum :)

I'm a bit confused by the "and start over" part.
What would you like that new path to produce [that isn't being done by your current one]?

4 Likes

Currently, I have to renew manually, I want to be able to automate the renewal.

1 Like

Will you still require a wildcard cert?

4 Likes

Since it means having to manually renew, No, I do not need or want a wildcard cert.

If you ever do need a wildcard, you can utilize the acme-dns (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.) project to automate this. It lets you run your own API-driven DNS server specifically for Let's Encrypt validation, which can be taken on/offline by Certbot's pre/post hooks. The initial setup and testing of the server, and delegating your ACME challenges to it, usually takes under an hour.

Edit:

The acme-dns approach works like this: You configure a dedicated nameserver on the public internet that will only serve acme-dns challenge responses. On initial enrollment of a domain, the acme-dns server will assign you a dedicated subdomain and API credentials for a desired domain. You then delegate your desired domain's "_acme-challenge" TXT record onto a subdomain the acme-dns server assigns you, and configure a certbot client hook (either based on GitHub - joohoi/acme-dns-certbot-joohoi: Certbot client hook for acme-dns or https://github.com/joohoi/acme-dns-client) with the delegated domain and API credentials. Certbot will then automatically renew the domain by coordinating the challenges between the acme-dns server and client. You will never have to update the main DNS records once delegated to acme-dns, and in the event of a system compromise your API credentials are only able to affect acme-challenges – not real DNS records or accounts with vendors. It is the most (only?) secure way to automatically manage DNS records with Certbot.

4 Likes

With that ACME client, it does require manual processing.
But there may be other ACME clients, and other ways (as mentioned above) to automate the required DNS-01 challenge authentication.

But since you don't really need a wildcard, then maybe we can just move forward without one [without having to move backwards].

What are the name(s) that need cert(s)?

4 Likes

I started with a Linux Debian Server with the default Cert from Linode, I ran the manual wildcard installation; now I want to take my server back to where it was before I ran the manual install; I want to remove it. I have several client Linodes/websites I've done this on, and I need a way to reverse it without having to build a new server and move their website.

You really don't need to remove the cert/undo anything.
You can simply get a new cert with whatever name(s) you need on it and just use that one.
Then delete the cert that you no longer need.

5 Likes

To delete the one I don't need, is it as simple as just deleting the two files? (fullchain.pem and privkey.pem)?

I deleted the directory and the associated .conf file. This gave me the results I needed.

(Linode Debian 11)

Do this using root:
rm -r /etc/letsencrypt/live/[domain name]
rm /etc/letsencrypt/renewal/[domain name].conf

Can do this using sudo:
removed references in the sites-available .conf file, then ran sudo certbot --apache

Done!
Thank you!

1 Like

There is also an /archive/ folder related to those

You might want to refer to this topic in the future
https://eff-certbot.readthedocs.io/en/stable/using.html#safely-deleting-certificates

But, really, why was it so important to delete them from your server just to make a new one? Each time you renew that cert you'll get a new set. The symlink in the /live/ folder will point to the latest in /archive/

And, each new successful cert or renew will update the renewal conf file for next time.

5 Likes
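The layout the replies above refer to, as an added POSIX shell example that is not certbot's code nor any poster's: it builds a throwaway copy of the live/, archive/ and renewal/ structure under a temporary directory (never the real /etc/letsencrypt), simulates one renewal so the live/ symlinks move to the newest numbered files in archive/, then shows that removing only fullchain.pem and privkey.pem leaves the lineage and its renewal config behind, while removing all three locations, which is what "certbot delete --cert-name NAME" does for you, does not. The directory names mirror certbot's; the file contents and the lineage name example.test are constructed.

```shell
#!/bin/sh
# Added example (not certbot's code): a throwaway model of the
# /etc/letsencrypt layout, built under a temporary directory so it never
# touches the real one. Everything below is constructed sample data.

# make_lineage ROOT NAME: create archive/NAME/*1.pem, live/NAME symlinks
# pointing at them, and renewal/NAME.conf, as certbot does on first issuance.
make_lineage() {
  root="$1"; name="$2"
  mkdir -p "$root/archive/$name" "$root/live/$name" "$root/renewal"
  for f in cert chain fullchain privkey; do
    printf 'constructed %s v1\n' "$f" > "$root/archive/$name/${f}1.pem"
    ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
  done
  printf 'archive_dir = %s/archive/%s\n' "$root" "$name" > "$root/renewal/$name.conf"
}

# renew_lineage ROOT NAME: a renewal adds the next numbered set to archive/
# and repoints the live/ symlinks; older versions stay in archive/.
renew_lineage() {
  root="$1"; name="$2"; next=1
  while [ -e "$root/archive/$name/privkey$next.pem" ]; do next=$((next + 1)); done
  for f in cert chain fullchain privkey; do
    printf 'constructed %s v%s\n' "$f" "$next" > "$root/archive/$name/$f$next.pem"
    ln -sf "../../archive/$name/$f$next.pem" "$root/live/$name/$f.pem"
  done
}

# live_version ROOT NAME: the archive version number live/NAME points at.
live_version() {
  readlink "$1/live/$2/privkey.pem" | sed 's/.*privkey\([0-9][0-9]*\)\.pem$/\1/'
}

# lineage_remnants ROOT NAME: how many of the three locations still exist
# (0 means the lineage is gone and certbot has nothing left to renew).
lineage_remnants() {
  root="$1"; name="$2"; count=0
  [ -e "$root/live/$name" ] && count=$((count + 1))
  [ -e "$root/archive/$name" ] && count=$((count + 1))
  [ -e "$root/renewal/$name.conf" ] && count=$((count + 1))
  echo "$count"
}

# delete_lineage ROOT NAME: remove all three locations, which is what
# "certbot delete --cert-name NAME" does on a real system.
delete_lineage() {
  root="$1"; name="$2"
  rm -rf "$root/live/$name" "$root/archive/$name"
  rm -f "$root/renewal/$name.conf"
}

# Demo run against a temporary directory.
demo_root=$(mktemp -d)
make_lineage "$demo_root" example.test
renew_lineage "$demo_root" example.test
echo "live/ points at archive version $(live_version "$demo_root" example.test)"
rm "$demo_root/live/example.test/fullchain.pem" "$demo_root/live/example.test/privkey.pem"
echo "after deleting only the two symlinks: $(lineage_remnants "$demo_root" example.test) of 3 locations remain"
delete_lineage "$demo_root" example.test
echo "after removing live/, archive/ and renewal/: $(lineage_remnants "$demo_root" example.test) remain"
rm -rf "$demo_root"
```

On a real host the Apache vhost still references the old paths under live/, so as the poster found, those references have to go before the lineage is deleted, otherwise Apache fails to start.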
