Letsencrypt generated a domain-000x

august_t · September 14, 2016, 9:45am

Hi all,

I ran this command: letsencrypt-auto -d domaine_1,domaine_2,…,domaine_n --renew-by-default --no-redirect --text

So I work on multiple site at the same time, some had expired certi, so I renewed all of them yesterday, this command worked well, and all the error of expired cert from google chrome were gone. But this morning my main site couldn’t get the cert, I checked my /etc/letsencrypt/live file, and I got another one, my_domain.com-0001. I’m getting : NET::ERR_CERT_COMMON_NAME_INVALID.

I tried renewing with ./letsencrypt-auto certonly and it says it got renewed, so if you have any ideas

Thanks for the help!

serverco · September 14, 2016, 10:03am

It looks as if your certificate is only for beeshary.com yet you redirect all traffic to www.beeshary.com (for which the certificate isn’t valid).

If you are redirecting all traffic to the www. subdomain, then you need to generate a certificate which includes the www. subdomain.

august_t · September 14, 2016, 10:08am

When I generate the certificate, it shows me all the subdmain that are included, and they’re all included
I checked on OVH, and the SSL certificate is activated. So I really don’t see where that could come from.

serverco · September 14, 2016, 10:12am

OK, the certificate you are using only has the one though. Did you run things twice at some point, with a different set of domains selected - which is why it’s stored it with 000x on the end ( because it’s slightly different than the original).

Compare what you have in your apache confiig with the latest certs in the /etc/letsencrypt/live folder.

august_t · September 14, 2016, 10:20am

Well, yes I think, yesterday I used the command from my first post with all my domain, and since today it wasn’t working, I thought I might have forgot beeshary.com yesterday, so I ran the command again, only with beeshary.com.

In my /etc/apache2/sites-available I got 000-default.conf :

<VirtualHost *:80>
ServerName www.beeshary.com
ServerAlias beeshary.com

    ServerAdmin me@myselfandI.com
    DocumentRoot /var/www/beeshary

    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <directory /var/www/beeshary>
            Options -Indexes
            AllowOverride All
    </directory>

cool110 · September 14, 2016, 10:26am

By doing that you got rid of all the other names. Looking back at the CT logs you've had 3 different sets:

On the 4th of August you got: beeshary.com, blog.beeshary.com and www.beeshary.com
Yesterday you got: beeshary.com, bugtracker.beeshary.com, dev.beeshary.com, mail.beeshary.com, new.beeshary.com and shop.beeshary.com
Today you got 2 for beeshary.com only

august_t · September 14, 2016, 10:30am

Oh, ok so I did a huge mistake

Now, should I juste delete one of the beeshary and ask a new certificate for the other ones, or delete both and get a new certificate for all (and how do I delete them?)? (even if I only have the two beeshary.com, the other site works, like the dev or the shop).

Anyways, thanks a lot for the help!

cool110 · September 14, 2016, 10:40am

Judging by the face that the blog still works, you do still have valid certs for everything. But it’ll probably be easier to delete them all (both directories under live/ and archive/, as well as the .conf files in renewal/) and get one cert for everything.

After doing that then you should use letsencrypt-auto renew so there’s a lower risk of this happening again.

august_t · September 14, 2016, 10:54am

So, I tried moving the directories of beesahry.com and beeshary.com-000x out of live and archive, but when I ran letsencrypt-auto, it says he needed the /etc/letsencrypt/live/beeshary.com/cert.pem file, and displayed an error.

So i searched a bit, and openend the archive directory and found every files duplicated : cert1.pem cert2.pem etc… Couldn’t I just delete beeshary-0001 from archive and the duplicated files in beeshary ?

Or should I just delete all beeshary-000x files and make a new certificate?

(Sorry if I ask one more time, I just wanna make sure I don’t break everything ).

By searching even more, I found out that the cert used is the on in /etc/letsencrypt/archive/beeshary.com-0002/fullchain2.pem

cool110 · September 14, 2016, 1:10pm

That happened because you left the .conf files in renewal.

Yes, delete the ones with the numbers at the end in live, archive and renewal. Then use the --expand flag so the remaining cert set is updated instead of creating another one.

august_t · September 14, 2016, 1:19pm

So, I deleted all file with -000x numbers in archive, live and renewal, and when I run letsencrypt-auto --expand I get :

│ Error while running apache2ctl configtest.
│ Action ‘configtest’ failed.
│ The Apache error log may have more information.
│ AH00526: Syntax error on line 14 of │
│ /etc/apache2/sites-enabled/default-ssl.conf: │
│ SSLCertificateFile: file │
│ ‘/etc/letsencrypt/live/beeshary.com-0002/fullchain.pem’ does not │
exist or is empty

No installers seem to be present and working on your system; fix that or try running certbot with the “certonly” command

And hen I run it with “certonly” I get the same error.

cool110 · September 14, 2016, 1:25pm

Change SSLCertificateFile and SSLCertificateKeyFile in all your virtual host files to use the cert you are keeping/updating.

august_t · September 14, 2016, 1:31pm

It actually came to me just before you wrote it, so i changed the path, and now it tells me my .conf file is broken :

Renewal conf file /etc/letsencrypt/renewal/beeshary.com.conf is broken. Skipping.

But now the site is actually working even if loading really slowly, I have no idea why, I guess that when I asked for a new cert, it changed my SSLCertificateFile and key, and it couldn’t work anymore. But I’d still like to fix my .conf problem.

Anyway, thanks a lot to both of you for helping me, you saved me!

system · October 14, 2016, 1:31pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.