Links point to wrong certs

Please fill out the fields below so we can help you better.

My domain & with www alias for both
I ran this command: certbot --apache once each.
It produced this output: valid certificates created, I thought.
My operating system is (include version): RHEL7
My web server is (include version): Apache
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I initially created, then and, then expanded

What I ended up with is a valid cert for but the links in the file point to the cert file. And, is also valid.

The certs for and look ok.

I have directories/files in the /etc/letsencrypt/live/ for,, and, but not for

I only found this because I was running tests to be sure the renew feature would run without error before I put it in a cron job, and it didn’t list

What’s the best way to fix this mess? Did I completely botch this beyond repair?


Hi @mtaylor,

The subdirectories in live (which also correspond to the names of the .conf files in renewal) are what we have chosen to call “lineages” (more recently also “cert names”). They are chosen based on the first name mentioned on the command line when the certificate was originally obtained, which doesn’t reflect other names that might also be covered by the certificate (up to 100 names in all), and doesn’t change if names are added to or removed from the cert. If you run Certbot with a set of names that isn’t a superset of the coverage of an existing cert, the default is to try to make a completely new lineage, even if it overlaps partly with a previous lineage.

You can find out the exact names covered by each cert by running certbot certificates. If that’s different from what you want, it’s now possible to delete a lineage via certbot delete (you can specify the lineage name with --cert-name). Note that if you delete a lineage that is currently referenced in your Apache config, your Apache config may break and Apache may fail to start; deleting a lineage doesn’t remove configuration changes that Certbot may have made to web server configs.


Thanks for the reply. The ‘certbot certificates’ produces the error ‘certbot: error: unrecognized arguments: certificates’

What do you think my fix is for this? Delete all lineages and start over?

I think this may have started when I did not know how to answer the question whether I wanted to allow http and https or to force https. I’m still not sure what happens when I answer this. And, I initially chose all four domains. (I now know to do the two separately.)

This is my machine in my office and I can edit conf files easily, and I am quite familiar with how to manage them. Just not sure what the certbot program does all the time.


Ah, certbot certificates was added in a newer release, so you’re not running the most current version (which is common if you’re using an OS package).

You can also find out the content of the certificates with

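    for cert in /etc/letsencrypt/live/*/cert.pem; do
        # The lineage name is the directory that holds cert.pem
        lineage=$(basename "$(dirname "$cert")")
        echo "$lineage contents:"
        # Print the full certificate, including subject and alternative names
        openssl x509 -in "$cert" -text -noout
        echo
    done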

Maybe that will help clarify what’s happened here.

I’m thinking that once you know what’s in which lineage, you can just delete the ones that you don’t want, and you shouldn’t necessarily have to start from scratch.
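
Added example, not part of the thread and not Certbot's own code: a read-only shell check for the situation described above, where a lineage's links refer to another lineage's files. It assumes the `live/`, `archive/` and `renewal/` layout under `/etc/letsencrypt`; the function names and the `a.example`/`b.example` lineages are hypothetical, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: report Certbot lineages whose live/ symlinks or renewal
# config refer to a different lineage. One line of output per finding.
audit_lineages() {
    root=${1:-/etc/letsencrypt}
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        want=$(cd "$root/archive/$name" 2>/dev/null && pwd -P) || want=
        # live/<name>/*.pem should be symlinks into archive/<name>/
        for link in "$dir"*.pem; do
            [ -L "$link" ] || continue
            tgt=$(readlink "$link")
            got=$(cd "$dir" && cd "$(dirname "$tgt")" 2>/dev/null && pwd -P) || got=
            if [ -z "$want" ] || [ "$got" != "$want" ]; then
                echo "$name: $(basename "$link") -> $tgt"
            fi
        done
        # renewal/<name>.conf should only reference paths under live/<name>/
        conf="$root/renewal/$name.conf"
        [ -f "$conf" ] || { echo "$name: no renewal config"; continue; }
        while IFS='=' read -r key path; do
            k=$(echo "$key" | tr -d ' ')
            case $k in
                cert|privkey|chain|fullchain)
                    case $path in
                        *"/live/$name/"*) ;;
                        *) echo "$name: renewal $k = ${path# }" ;;
                    esac ;;
            esac
        done < "$conf"
    done
}

# Constructed sample tree (hypothetical lineages a.example and b.example):
# b.example's cert.pem link and renewal config wrongly point at a.example.
make_demo_tree() {
    t=$(mktemp -d)
    for n in a.example b.example; do
        mkdir -p "$t/live/$n" "$t/archive/$n" "$t/renewal"
        : > "$t/archive/$n/cert1.pem"
        ln -s "../../archive/$n/cert1.pem" "$t/live/$n/cert.pem"
        echo "cert = $t/live/$n/cert.pem" > "$t/renewal/$n.conf"
    done
    ln -sf ../../archive/a.example/cert1.pem "$t/live/b.example/cert.pem"
    echo "cert = $t/live/a.example/cert.pem" > "$t/renewal/b.example.conf"
    echo "$t"
}
```

Run `audit_lineages` with no argument to check `/etc/letsencrypt`; it only reads, so anything it reports still has to be fixed by hand or with Certbot.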

Ok, if I read this right:

CN =

CN =

CN =

And yes, I have the RHEL7 EPEL certbot 0.9.3 version.

What do you recommend?

What did you want to have as your end state? One certificate for and, and another certificate for and

I want and both be secured by one cert. and secured by one cert.

I’m guessing…

  1. Revoke the certificate.
  2. Make sure links in point to the lineage.
  3. Extend to include
  4. Create a new cert for and


I would say you could delete the certificate (hopefully your Certbot is recent enough to understand --delete, otherwise you can manually delete /etc/letsencrypt/renewal/ and the two directory hierarchies /etc/letsencrypt/live/ and /etc/letsencrypt/archive/) and then expand the certificate to include, and expand the certificate to include

Hopefully your Apache configuration won’t be broken in the first step, but you can edit the Apache configuration files manually to refer to other certs if it is.

Excellent schoen. Thank you very much.

It took some doing, removing directories and certs, and remembering to refresh the browser but they are all as I want/need them. On to the next ones soon.

