Manually renewed after DNS error, now have -0001?

I have a domain phreak.co.uk which I migrated to Cloudflare a while ago. Just found that certbot didn't auto renew it because I'd made a mistake in the zone file import with CF. So I fixed that and ran:

certbot certonly -d phreak.co.uk

That has now renewed the cert, but with:

/etc/letsencrypt/live/phreak.co.uk-0001/fullchain.pem

The apache config is using:

/etc/letsencrypt/live/phreak.co.uk/fullchain.pem

I'm not sure why this happened (did I need to use --force?) but what's best to do in this situation? Using certbot 3.0.1 snap Ubuntu 22.04.

In the future, use certbot renew to renew existing certificates.

Also, use certbot certificates to see an overview of the certificates currently known to Certbot.

Also also, please update your Certbot version. I'm guessing you're running an ancient version, as it was more common to have these -000x lineages with old versions of Certbot. More recent versions have better certificate detection code to try to prevent these things.

No, it's almost never necessary or useful to use --force-renewal. Including in your case.

Thanks - so (and assuming from now on certbot renew will only use the -0001 version) the only thing I can do is change the apache config to have the -0001 cert?

What do I do with the original one now, delete it?

BTW I think I'm stuck with the version of certbot I have with the Ubuntu snap.

You assumed incorrectly.

Not necessarily. I suspect there is a difference in hostnames included in the two certificates, which was the reason why Certbot made the -0001 version in the first place. I would recommend to check certbot certificates to notice these differences and determine with which certificate you want to continue.

Certbot installed using snap should automatically update. Can you provide the version by running certbot --version?

Also, please post the output of certbot certificates so we can also look at your Certbot certificates.

Ah, certbot certificates shows my renewal didn't fix it properly

  Certificate Name: www.phreak.co.uk-0001
    Serial Number: 4a5eb695c65186fc73a45e54340dccf8a85
    Key Type: ECDSA
    Domains: www.phreak.co.uk
    Expiry Date: 2025-02-21 07:32:25+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.phreak.co.uk-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.phreak.co.uk-0001/privkey.pem
  Certificate Name: www.phreak.co.uk
    Serial Number: 405367d10b01dbfb1dd4b9b7ce9ffc835c6
    Key Type: ECDSA
    Domains: www.phreak.co.uk mta-sts.phreak.co.uk phreak.co.uk
    Expiry Date: 2024-11-16 18:59:49+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/www.phreak.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.phreak.co.uk/privkey.pem

So what's best to do so that cerbot uses the cert with the correct domains?

$ certbot --version
certbot 3.0.1

Maybe I'm not running the snap? Not sure how I can tell..

You probably are, 3.0.1 is the latest version of Certbot. So it surprises me it would generate that new -0001 lineage Not sure why it did

Do you want to keep using the certificate with the name www.phreak.co.uk, which seems to also include mta-sts.phreak.co.uk and phreak.co.uk?

If so, you should simply be able to run certbot renew, the recommended renewal command. If the certificate named www.phreak.co.uk indeed renews properly and you have not started using the certificate www.phreak.co.uk-0001, you could simply delete the latter.

Yes, looks like it's a snap, dpkg --list | grep certbot returns nothing, but:

$ snap list
certbot              3.0.1               4193   latest/stable  certbot-eff✓  classic

And, yes I need to include mta-sts.phreak.co.uk and phreak.co.uk. So I can just run certbot renew and then:

certbot delete --cert-name www.phreak.co.uk-0001

Is that right?

Yes.

If the old certificate renewed correctly and you're not using this newer one in any way (not likely as you've used certonly earlier), then yes.

Thanks!

The following renewals succeeded:
  /etc/letsencrypt/live/www.phreak.co.uk/fullchain.pem (success)

And in the process I spotted a similar issue with another domain and fixed that too

Very much appreciate your help!

(Now just need to work out why Cloudflare doesn't see it...)

You mean when you connect to your website from the global internet (i.e., not from within your own network)?

Cloudflare, for proxied sites, manages and issues their own certificates from a range of CAs. This could be Let's Encrypt, or in your case, Google Trust Services.

You need to pay Cloudflare lots of money if you wish to install your own certificate on their edge servers, but why would you?

Or, if you mean, why doesn't Cloudflare internally (from Cloudflare to your server) doesn't pick up your renewed certificate: depending on how you issued and installed the certificate the first place (did you also use certonly without an installer?), you simply might need to reload your Apache. Usually, if one did not use an installer (e.g. using --apache), one uses --deploy-hook with the appropriate reload command. You can add one using certbot reconfigure to any existing certificate. See User Guide — Certbot 3.0.1 documentation for more information.

I tried purging the cache at Cloudflare and that seemed to do the trick (unless it was a coincidence).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.