Let's Encrypt certificate path

Hi,
This is in relation to the certificate path that is being generated when we replace a cert with a new one.
I am running a script to replace all certs with the older expired chain with a new one.

The command that I am currently using for generating the cert is:
/usr/local/bin/certbot certonly --webroot -w /apps/www/letsencrypt -d $domain --no-bootstrap --expand --preferred-chain "ISRG Root X1" --force-renewal

I am getting two locations where the certs are being generated, one being the exact domain name and the other with "-0001" appended to the domain. The "-0001" is creating a problem, as I need to update it in the nginx configuration.

e.g.
/etc/letsencrypt/live/www.theburgercoast.in-0001/fullchain.pem
/etc/letsencrypt/live/cartel.yelo.red/fullchain.pem

On what factors does this depend? Any help would be appreciated.

Certbot version - 1.20.0
Webserver - nginx

The -0001 generally means that you issued a cert for a similar name but the cert did NOT include the exact same set of names as on the first one. So now you have two certs.
Check with:
certbot certificates
That could be as simple as one cert has example.com & www.example.com while the other only has www.example.com.

Got it, so earlier the certificates were generated for both www.theburgercoast.in and theburgercoast.in,
but now, since I have requested it for only one name (www.theburgercoast.in), it has created a new set of certificates particular to "www.theburgercoast.in".

Certificate Name: www.theburgercoast.in-0001
Serial Number: 35e23db33b27321efec3aa46ef0fd4e38eb
Key Type: RSA
Domains: www.theburgercoast.in
Expiry Date: 2022-01-15 15:33:12+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.theburgercoast.in-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.theburgercoast.in-0001/privkey.pem
Certificate Name: www.theburgercoast.in
Serial Number: 38997dd7231ca9042e6929fe813ef67112f
Key Type: RSA
Domains: www.theburgercoast.in theburgercoast.in
Expiry Date: 2021-11-29 03:52:28+00:00 (VALID: 42 days)
Certificate Path: /etc/letsencrypt/live/www.theburgercoast.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.theburgercoast.in/privkey.pem

So I need to identify the certs with www and without it.

You should just delete the cert with the single name.
Then renew the cert with both names (when needed).

Thanks mate, will definitely try that.


Also, if you wanted to force the --preferred-chain "ISRG Root X1" option on an existing certificate, you can do that by using it in combination with certbot renew. No need to use the whole certbot certonly blahblah command.
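
As an added example (not part of the original thread and not Certbot's own code): a shell helper that reads `certbot certificates` output, finds lineages whose name carries a `-0001`-style suffix, and reports which names of the base lineage they leave out. The function names and the example.com sample are constructed for illustration, and it assumes the suffix is a hyphen plus four digits, as in the output posted above.

```shell
#!/bin/sh
# Added example. Real use: certbot certificates | dropped_names

# Constructed sample, shaped like `certbot certificates` output.
sample_output() {
cat <<'EOF'
  Certificate Name: www.example.com-0001
    Domains: www.example.com
    Certificate Path: /etc/letsencrypt/live/www.example.com-0001/fullchain.pem
  Certificate Name: www.example.com
    Domains: www.example.com example.com
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
  Certificate Name: api.example.com
    Domains: api.example.com
    Certificate Path: /etc/letsencrypt/live/api.example.com/fullchain.pem
EOF
}

# Reads the listing on stdin. For every lineage named <base>-NNNN prints:
#   <name>|<its domains>|<base>|<base domains, or MISSING if no such lineage>
find_suffixed_lineages() {
  awk '
    /Certificate Name:/ { name = $NF; order[++n] = name }
    /Domains:/ {
      sub(/^[ \t]*Domains:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
      domains[name] = $0
    }
    END {
      for (i = 1; i <= n; i++) {
        name = order[i]
        if (name !~ /-[0-9][0-9][0-9][0-9]$/) continue
        base = substr(name, 1, length(name) - 5)   # strip "-NNNN"
        basedom = (base in domains) ? domains[base] : "MISSING"
        printf "%s|%s|%s|%s\n", name, domains[name], base, basedom
      }
    }'
}

# Names covered by the base lineage but absent from the suffixed one,
# i.e. the names the later request left out of its -d list.
dropped_names() {
  find_suffixed_lineages | while IFS='|' read -r name doms base basedoms; do
    if [ "$basedoms" = "MISSING" ]; then continue; fi
    for d in $basedoms; do
      case " $doms " in *" $d "*) ;; *) echo "$name lacks $d" ;; esac
    done
  done
}

sample_output | dropped_names
```

Any line it prints points at a lineage whose path nginx should not reference until the name sets are reconciled.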
