LetsEncrypt cert. vs wild-card cert for the same domain


#1

Hi,

A few months ago, we generated an FQDN certificate host1.example.com, and installed it on that server, along with the Certbot to do on-demand renewal via cron.
Meanwhile, we ended up needing a wild-card certificate for a number of other FQDNs, all under example.com, and bought a certificate from a CA.

At some point, the LetsEncrypt cert. was reported to have expired (even though it shouldn’t have), and the Certbot wouldn’t renew it, saying no renewal is required. So, instead of bothering to figure out what’s the problem with the host1.example.com certificate, we installed the wild-card cert on that box.
A couple of days ago, we got a notification that host1.example.com will expire in 3 weeks.

My question is: How will this LetsEncrypt certificate expiry reflect on our server, now secured with a wild-card cert for example.com, bought from the CA?

Thanks,
Milos.


#2

I suspect that certbot renewed the certificate locally, but this wasn’t loaded into your apache / nginx … hence certbot said it didn’t need renewal, however checking in the browser would suggest it did need renewal. I’d check in /etc/letsencrypt/live/domain … for the certificates and check the dates there.

In many ways it won’t be affected. There are a number of things here:

  1. The email notification. This would be purely from the letsencrypt servers, looking at past records that it needed renewing. It doesn’t check what’s on the server or anything.
  2. Certbot itself will check what’s on the server in /etc/letsencrypt/live/domain… and if you have a cron, renew when required. It doesn’t check what your server is actually using.
  3. If you are using the wildcard, from another CA, then you are independent of the Let’s Encrypt cert, so you don’t need to renew and can ignore the renewal process. I’d suggest removing your certbot cron in this case, and ignore the warning emails.
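As an added example (not from the thread or from certbot itself), a small POSIX sh script that does the check Andy describes: compare the certificate certbot keeps under /etc/letsencrypt/live with the one the server actually presents on port 443, and test whether the on-disk one expires within a given number of days. It assumes openssl is installed; the host names and paths are placeholders.

```shell
#!/bin/sh
# Added example: certbot only looks at the files under /etc/letsencrypt/live and
# never at what apache/nginx loaded, so a renewed file and a stale served cert can
# coexist. These helpers make the difference visible. Assumes openssl is on PATH.

# SHA-256 fingerprint of the first certificate in a PEM file (hex only).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate a server presents (SNI set to the host).
served_fingerprint() {
    host=$1; port=${2:-443}
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 (true) if the certificate in FILE expires within DAYS days.
# openssl -checkend exits 0 when the cert is still valid at that time, 1 otherwise.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1   # still valid past the window
    else
        return 0   # expires within the window (or the file could not be read)
    fi
}

# Diagnose one host: does the served cert match certbot's on-disk cert?
# Returns 0 on match, 1 on mismatch, 2 if either fingerprint could not be read.
check_host() {
    host=$1
    file=${2:-/etc/letsencrypt/live/$host/fullchain.pem}   # certbot's default path
    disk=$(cert_fingerprint "$file") || return 2
    live=$(served_fingerprint "$host") || return 2
    [ -n "$disk" ] && [ -n "$live" ] || return 2
    if [ "$disk" = "$live" ]; then
        echo "$host: served certificate matches certbot's on-disk certificate"
        return 0
    fi
    echo "$host: MISMATCH: on disk $disk, served $live (server not reloaded, or another cert installed?)"
    return 1
}
```

Run `check_host host1.example.com` on the box; `cert_expires_within /etc/letsencrypt/live/host1.example.com/fullchain.pem 21 && echo renew` mirrors the 3-week warning in the e-mail.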

#3

Thanks Andy.

As far as I recall, I linked the certs uses so that Certbot would freshen up the certs used, and only this latest e-mail prompted me to start questioning how previous setup might affect the current one.

Crons were stopped the day I installed the Wildcard, although I haven’t yet removed everything from the LetsEncrypt setup from the box. I’m looking at it all now, and can’t figure out what transpired back then.

But not that it matters, considering we have a wild-card certificate to use.

Regards,
Milos.

