Links point to wrong certs


#1

Please fill out the fields below so we can help you better.

My domain is: inverness.org & fortbrown.com, with a www alias for both
I ran this command: certbot --apache, once each.
It produced this output: valid certificates created, I thought.
My operating system is (include version): RHEL7
My web server is (include version): Apache
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I initially created fortbrown.com, then inverness.org and www.inverness.org, then expanded fortbrown.com

What I ended up with is a valid cert for fortbrown.com, but the links in the fortbrown.com.conf file point to the www.inverness.org cert file. And www.fortbrown.com is also valid.

The certs for inverness.org and www.inverness.org look ok.

I have directories/files in the /etc/letsencrypt/live/ for fortbrown.com, inverness.org, and www.inverness.org, but not for www.fortbrown.com

I only found this because I was running tests to be sure the renew feature would run without error before I put it in a cron job, and it didn’t list www.fortbrown.com

What’s the best way to fix this mess? Did I completely botch this beyond repair?

Thanks
Mark


#2

Hi @mtaylor,

The subdirectories in live (which also correspond to the names of the .conf files in renewal) are what we have chosen to call “lineages” (more recently also “cert names”). They are chosen based on the first name mentioned on the command line when the certificate was originally obtained, which doesn’t reflect other names that might also be covered by the certificate (up to 100 names in all), and doesn’t change if names are added to or removed from the cert. If you run Certbot with a set of names that isn’t a superset of the coverage of an existing cert, the default is to try to make a completely new lineage, even if it overlaps partly with a previous lineage.

You can find out the exact names covered by each cert by running certbot certificates. If that’s different from what you want, it’s now possible to delete a lineage via certbot delete (you can specify the lineage name with --cert-name). Note that if you delete a lineage that is currently referenced in your Apache config, your Apache config may break and Apache may fail to start; deleting a lineage doesn’t remove configuration changes that Certbot may have made to web server configs.


#3

Thanks for the reply. Running ‘certbot certificates’ produces the error ‘certbot: error: unrecognized arguments: certificates’.

What do you think my fix is for this? Delete all lineages and start over?

I think this may have started when I did not know how to answer the question whether I wanted to allow http and https or to force https. I’m still not sure what happens when I answer this. And, I initially chose all four domains. (I now know to do the two separately.)

This is my machine in my office, and I can edit conf files easily and am quite familiar with how to manage them. I’m just not sure what the certbot program does all the time.

Mark


#4

Ah, certbot certificates was added in a newer release, so you’re not running the most current version (which is common if you’re using an OS package).

You can also find out the content of the certificates with

for lineage in /etc/letsencrypt/live/*; do
    echo "$lineage contents:"
    openssl x509 -in "$lineage/cert.pem" -text -noout
    echo
done

Maybe that will help clarify what’s happened here.

I’m thinking that once you know what’s in which lineage, you can just delete the ones that you don’t want, and you shouldn’t necessarily have to start from scratch.


#5

Ok, if I read this right:

CN = fortbrown.com
DNS = fortbrown.com

CN = inverness.org
DNS = inverness.org

CN = www.inverness.org
DNS = fortbrown.com inverness.org www.inverness.org

And yes, I have the RHEL7 EPEL certbot 0.9.3 version.

What do you recommend?


#6

What did you want to have as your end state? One certificate for www.inverness.org and inverness.org, and another certificate for www.fortbrown.com and fortbrown.com?


#7

I want inverness.org and www.inverness.org both be secured by one cert.
fortbrown.com and www.fortbrown.com secured by one cert.

I’m guessing…

  1. Revoke the www.inverness.org certificate.
  2. Make sure links in fortbrown.com.conf point to the fortbrown.com lineage.
  3. Extend fortbrown.com to include www.fortbrown.com.
  4. Create a new cert for inverness.org and www.inverness.org.

Close?


#8

I would say you could delete the www.inverness.org certificate (hopefully your Certbot is recent enough to understand --delete; otherwise you can manually delete /etc/letsencrypt/renewal/www.inverness.org.conf and the two directory hierarchies /etc/letsencrypt/live/www.inverness.org and /etc/letsencrypt/archive/www.inverness.org) and then expand the fortbrown.com certificate to include www.fortbrown.com, and expand the inverness.org certificate to include www.inverness.org.

Hopefully your Apache configuration won’t be broken in the first step, but you can edit the Apache configuration files manually to refer to other certs if it is.
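As an added example (not part of this thread, nor Certbot's own code), here is a small POSIX shell script that does what posts #2 and #8 describe: list each lineage under live/ with the names its cert.pem actually covers, and remove a lineage by hand (renewal conf plus the live/ and archive/ trees) while refusing to do so if any Apache vhost file still references it, so the Apache breakage post #8 warns about cannot happen silently. It assumes the standard /etc/letsencrypt layout and Apache vhost files under /etc/httpd/conf.d (both overridable through environment variables), uses the thread's hostnames, and parses the text output of openssl x509 rather than the newer -ext option so it also works with the OpenSSL 1.0.2 shipped on RHEL7. The certbot --expand invocations at the end are left as comments because they need a root shell and a reachable ACME server.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot. Assumed layout:
#   $LE_ROOT/live/<lineage>/cert.pem, $LE_ROOT/archive/<lineage>/,
#   $LE_ROOT/renewal/<lineage>.conf, Apache vhosts in $APACHE_CONF_DIR.
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"
APACHE_CONF_DIR="${APACHE_CONF_DIR:-/etc/httpd/conf.d}"

# One line per lineage: the directory name, then the DNS names in the
# certificate's subjectAltName. The lineage name is only the first name
# given on the original command line, so the two can differ.
list_lineages() {
    for dir in "$LE_ROOT"/live/*/; do
        name=$(basename "$dir")
        sans=$(openssl x509 -in "$dir/cert.pem" -noout -text 2>/dev/null \
               | grep -A1 'Subject Alternative Name' \
               | grep -o 'DNS:[^,]*' | sed 's/DNS://' | tr '\n' ' ')
        echo "$name: $sans"
    done
}

# Apache config files that still point into this lineage's live/ directory
# (SSLCertificateFile, SSLCertificateKeyFile, ...). Exit status is grep's:
# 0 if any file references it, 1 if none does.
apache_refs() {
    grep -rlF "$LE_ROOT/live/$1/" "$APACHE_CONF_DIR" 2>/dev/null
}

# Manual equivalent of "certbot delete" as described in post #8.
# Returns 2 for an unknown lineage, 1 if Apache still references it.
delete_lineage() {
    name="$1"
    [ -d "$LE_ROOT/live/$name" ] || { echo "no such lineage: $name" >&2; return 2; }
    if refs=$(apache_refs "$name") && [ -n "$refs" ]; then
        echo "refusing to delete $name, still referenced by:" >&2
        echo "$refs" >&2
        return 1
    fi
    rm -rf "$LE_ROOT/live/$name" "$LE_ROOT/archive/$name"
    rm -f "$LE_ROOT/renewal/$name.conf"
}

# Usage for the end state wanted in post #7 (run as root on the real box):
#   list_lineages
#   # edit fortbrown.com.conf so it points at live/fortbrown.com/ first, then:
#   delete_lineage www.inverness.org
#   certbot --apache --expand -d fortbrown.com -d www.fortbrown.com
#   certbot --apache --expand -d inverness.org -d www.inverness.org
#   list_lineages   # expect exactly two lineages, each covering both names
```

The order matters: repoint the vhost before deleting the stray lineage, because the guard only protects against the deletion step; --expand then replaces the existing fortbrown.com and inverness.org lineages in place rather than creating a third one, which is what made the original run confusing.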


#9

Excellent schoen. Thank you very much.

It took some doing, removing directories and certs, and remembering to refresh the browser but they are all as I want/need them. On to the next ones soon.

Thanks
Mark

