Let's Encrypt renewal cert and change directory

Dear,

We have noticed that sometimes when Let’s Encrypt renews the certs, it changes the certs directory.
For example, if the domain is “MYDOMAIN.COM”, the certs directory is:
/etc/letsencrypt/live/MYDOMAIN.COM/*
then, after renewal, it becomes
/etc/letsencrypt/live/MYDOMAIN.COM-0001/*
That’s a problem, because for some services (like mail or FTP) we need to know which are the current (renewed) certs, because we link the certificate externally (say, postfix or pureftpd).
Does anyone here know why that directory change happens, and why it happens only at certain times?

Environment information:

Command line that I ran: the certificate was issued via ISPConfig
Output of that command: I don’t have it, because it was run by a cron job with no logs
Name and version of the OS and web server: Debian 8.7/Apache 2.4.10

Thank you.

I think it’s supposed to be the other way around.
Where /etc/letsencrypt/live/MYDOMAIN.COM/* is always the latest cert information.
Please show the public cert file in that folder (cert.pem).
Or simply check the dates on the files in both folders and compare.

Hi @lucadevac,

This is a feature of the Certbot client and it happens when you change the list of domains that a certificate covers by removing at least one domain. For example, if you originally got a certificate for mydomain.com, www.mydomain.com, and forum.mydomain.com, and then you tried to get a certificate later on for only mydomain.com and forum.mydomain.com, the new certificate would be saved as mydomain.com-0001.

It looks like you’re running Certbot via ISPConfig rather than directly from the command line. So, it might be a little bit harder to figure out why ISPConfig is doing this (for example, why it requests certs that have fewer names than previous certs did).

You can learn more about the domain name coverage of each certificate by running certbot certificates from the command line.

Edit: This can also happen if you run Certbot with the --duplicate option, which might be recommended in some tutorials by people who were confused about the purpose of this option. (It is extremely rare that it’s beneficial to run Certbot with --duplicate.)
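An added example, not part of any post in this thread: a POSIX shell sketch that reads `certbot certificates` output and reports which lineage of a name (the plain directory or a `-NNNN` duplicate) expires last, together with the domains each lineage covers. The helper names `lineages` and `newest_lineage` are hypothetical, the sample listing is constructed, and the field labels are assumed to match the layout printed by recent Certbot versions.

```sh
#!/bin/sh
# Constructed, trimmed sample of `certbot certificates` output (not from the thread).
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: mydomain.com
    Domains: mydomain.com www.mydomain.com forum.mydomain.com
    Expiry Date: 2017-05-01 09:12:00+00:00 (VALID: 20 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
  Certificate Name: mydomain.com-0001
    Domains: mydomain.com forum.mydomain.com
    Expiry Date: 2017-07-10 14:30:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.com-0001/fullchain.pem
  Certificate Name: other.example
    Domains: other.example
    Expiry Date: 2017-08-01 00:00:00+00:00 (VALID: 110 days)
    Certificate Path: /etc/letsencrypt/live/other.example/fullchain.pem
EOF
}

# lineages BASE (hypothetical helper): read the listing on stdin and print one
# line per lineage named BASE or BASE-NNNN, oldest expiry first:
#   expiry <TAB> lineage name <TAB> fullchain path <TAB> covered domains
lineages() {
  awk -v base="$1" '
    /Certificate Name:/ {
      name = $3
      suffix = substr(name, length(base) + 1)
      # Literal prefix match, so dots in BASE are not treated as regex wildcards.
      keep = (index(name, base) == 1 && (suffix == "" || suffix ~ /^-[0-9][0-9][0-9][0-9]$/))
    }
    /Domains:/          { sub(/^ *Domains: /, ""); domains = $0 }
    /Expiry Date:/      { expiry = $3 "T" $4 }
    /Certificate Path:/ { if (keep) printf "%s\t%s\t%s\t%s\n", expiry, name, $3, domains }
  ' | LC_ALL=C sort
}

# newest_lineage BASE (hypothetical helper): name and path of the lineage with
# the latest expiry, assumed here to be the one currently being renewed.
newest_lineage() {
  lineages "$1" | tail -n 1 | cut -f 2,3
}

# Live use (as root): certbot certificates 2>/dev/null | newest_lineage mydomain.com
sample_output | lineages mydomain.com
```

Comparing the domain column of the two lineages shows whether the `-0001` directory came from a request that dropped a name, which is the cause described in the reply above.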
