Please fill out the fields below so we can help you better.
My domain is: inverness.org & fortbrown.com with www alias for both
I ran this command: certbot --apache once each.
It produced this output: valid certificates created, I thought.
My operating system is (include version): RHEL7
My web server is (include version): Apache
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
I only found this because I was running tests to be sure the renew feature would run without error before I put it in a cron job, and it didn’t list www.fortbrown.com
What’s the best way to fix this mess? Did I completely botch this beyond repair?
The subdirectories in live (which also correspond to the names of the .conf files in renewal) are what we have chosen to call “lineages” (more recently also “cert names”). They are chosen based on the first name mentioned on the command line when the certificate was originally obtained, which doesn’t reflect other names that might also be covered by the certificate (up to 100 names in all), and doesn’t change if names are added to or removed from the cert. If you run Certbot with a set of names that isn’t a superset of the coverage of an existing cert, the default is to try to make a completely new lineage, even if it overlaps partly with a previous lineage.
You can find out the exact names covered by each cert by running certbot certificates. If that’s different from what you want, it’s now possible to delete a lineage via certbot delete (you can specify the lineage name with --cert-name). Note that if you delete a lineage that is currently referenced in your Apache config, your Apache config may break and Apache may fail to start; deleting a lineage doesn’t remove configuration changes that Certbot may have made to web server configs.
Thanks for the reply. The ‘certbot certificates’ produces the error ‘certbot: error: unrecognized arguments: certificates’
What do you think my fix is for this? Delete all lineages and start over?
I think this may have started when I did not know how to answer the question whether I wanted to allow http and https or to force https. I’m still not sure what happens when I answer this. And, I initially chose all four domains. (I now know to do the two separately.)
This is my machine in my office and I can edit conf files easily, and I’m quite familiar with how to manage them. Just not sure what the certbot program does all the time.
Ah, certbot certificates was added in a newer release, so you’re not running the most current version (which is common if you’re using an OS package).
You can also find out the content of the certificates with
for cert in /etc/letsencrypt/live/*/cert.pem; do
  lineage=$(basename "$(dirname "$cert")")   # the live/ directory name is the lineage
  echo "$lineage contents:"
  openssl x509 -in "$cert" -text -noout
  echo
done
Maybe that will help clarify what’s happened here.
I’m thinking that once you know what’s in which lineage, you can just delete the ones that you don’t want, and you shouldn’t necessarily have to start from scratch.
I would say you could delete the www.inverness.org certificate (hopefully your Certbot is recent enough to understand --delete, otherwise you can manually delete /etc/letsencrypt/renewal/www.inverness.org.conf and the two directory hierarchies /etc/letsencrypt/live/www.inverness.org and /etc/letsencrypt/archive/www.inverness.org) and then expand the fortbrown.com certificate to include www.fortbrown.com, and expand the inverness.org certificate to include www.inverness.org.
Hopefully your Apache configuration won’t be broken in the first step, but you can edit the Apache configuration files manually to refer to other certs if it is.
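An added Python example (not from this thread or from Certbot itself) that takes the openssl text the loop above prints for each lineage, collects the DNS names from the SAN block, and applies the rule from the earlier reply (a request must be a superset of an existing lineage's names to expand it, otherwise a new lineage is started) to work out which lineages a request would expand and which ones are redundant and can be deleted. The certificate text, the three lineages and the function names are constructed for illustration.

```python
import re

# Constructed sample data (not real output): the `openssl x509 -text -noout`
# text for each cert.pem, keyed by its directory name under /etc/letsencrypt/live/.
SAMPLE_OPENSSL_TEXT = {
    "inverness.org": "X509v3 Subject Alternative Name:\n    DNS:inverness.org\n",
    "www.inverness.org": "X509v3 Subject Alternative Name:\n    DNS:www.inverness.org\n",
    "fortbrown.com": "X509v3 Subject Alternative Name:\n    DNS:fortbrown.com\n",
}


def san_names(openssl_text):
    """Return the set of DNS names listed in the SAN block of the openssl text."""
    match = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", openssl_text)
    if not match:
        return set()
    entries = (e.strip() for e in match.group(1).split(","))
    return {e[len("DNS:"):] for e in entries if e.startswith("DNS:")}


def lineage_coverage(openssl_by_lineage):
    """Map each lineage name to the set of names its current cert covers."""
    return {name: san_names(text) for name, text in openssl_by_lineage.items()}


def plan_request(coverage, requested):
    """Apply the rule from the thread: a request whose names are a superset of an
    existing lineage's coverage can expand that lineage; otherwise Certbot starts
    a new lineage named after the first name on the command line."""
    wanted = set(requested)
    expandable = sorted(n for n, cov in coverage.items() if cov <= wanted)
    if expandable:
        return {"action": "expand", "lineages": expandable}
    return {"action": "new", "lineages": [requested[0]]}


def redundant_lineages(coverage):
    """Lineages whose names are all covered by another lineage: candidates for
    deletion once the Apache config no longer references them."""
    return sorted(a for a, cov_a in coverage.items()
                  if any(a != b and cov_a <= cov_b for b, cov_b in coverage.items()))


if __name__ == "__main__":
    cov = lineage_coverage(SAMPLE_OPENSSL_TEXT)
    for name, names in cov.items():
        print(f"{name}: {sorted(names)}")
    print(plan_request(cov, ["fortbrown.com", "www.fortbrown.com"]))
    print(redundant_lineages(cov))
```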
It took some doing, removing directories and certs, and remembering to refresh the browser but they are all as I want/need them. On to the next ones soon.