Mixed up certificates and renewing a deleted domain

My domain is: vm4.convergent-ict.com (this is actually the host server name - it is a virtual server hosting several domains).

I ran this command: certbot certificates

It produced this output:

[Sorry, your system won’t allow me to post this output as “new users can only put 20 links in a post”]

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-141-generic x86_64)

My hosting provider, if applicable, is: (me, on Digital Ocean)

I can login to a root shell on my machine (yes or no, or I don’t know): Yep.

There are two problems I need to fix.

The first and most urgent problem is that the certs for uistholidaylet.com and uistholidaylet.com can’t be renewed because they contain the domain test.waterfarmdressage.co.uk, which does not exist (has no DNS) and is not referred to anywhere in the Apache configuration (it used to exist but is long gone…).

I don’t know how to remove this (and yes, I have searched these forums!).

The second problem is that I’ve only ever used “certbot apache” to set these certs up, and yet domains uistholidaylet.com, uistholidaylet.co.uk and gun-for-hire.co.uk have many domains under them, domains which I think should have their own certs. See also gun-for-hire.co.uk-0001 (I have no idea how this came about either).

Maybe this is a peculiarity of the way Ubuntu uses Apache, I don’t know (I’m from a Gentoo background really).

Many thanks, Laurie.

Hi @BrownOwl

(The name uistholidaylet.com appears two times?)

Then create a new certificate with the -d option:

certbot [your other options] -d uistholidaylet.com

so that the certificate doesn’t have the ‘test’ domain name. Then use that and delete the other certificate (certbot delete --cert-name certificate-name; first run certbot certificates to see your certificates).

If you run, for example:

sudo certbot --apache -d example.com -d www.example.com -d example.net -d www.example.net

It will create one certificate, and Certbot’s name for it will be example.com.

If you create a new certificate with a superset of those names, Certbot will offer to save it in place of the old one. For example:

sudo certbot --apache -d example.com -d www.example.com -d example.net -d www.example.net -d example.org -d www.example.org

If you create a certificate that partially overlaps – for example, because you want to remove one name – Certbot will save it separately under a different name. For example:

sudo certbot --apache -d example.com -d www.example.com -d example.org -d www.example.org

If the new certificate would have the same name as an older one, Certbot will add a number to the end. In the example, it would use example.com-0001.

You can use the --cert-name argument to have Certbot replace an old certificate with a new one regardless of the names. For example:

sudo certbot --apache --cert-name example.com -d example.org -d www.example.org

You can also use sudo certbot delete --cert-name example.com to just delete it. (If Apache is still configured to try to use certificate files that no longer exist, it won’t start.)

As @JuergenAuer said, you can also use sudo certbot certificates to display a list of all your certificates.

You should be able to sort this out, with a bunch of Certbot commands and maybe editing Apache’s configuration.

You can post it now. :sweat_smile:


Sorry, I made a mistake! I meant to say uistholidaylet.com and uistholidaylet.co.uk.

I’ll post the output of certbot certificates now that I can!

Thanks for sorting out the link posting. Here is the output, which might explain things a bit more clearly.

This is a live server, and I’m very worried about breaking things as it isn’t at all clear how this “muddle” came about, and I don’t want to break clients’ site.

Anyway, here’s the output of certbot certificates

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/uistholidaylet.com/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/uistholidaylet.co.uk/cert.pem is unknown


Found the following certs:
Certificate Name: uistholidaylet.com
Domains: gun-for-hire.co.uk connaught.org.gg consultants.pepperconsultants.com pepperconsultants.com svn.convergent-ict.com test.pepperconsultants.com test.uu3.com test.waterfarmdressage.co.uk uistholidaylet.co.uk uistholidaylet.com uu3.com vm4.convergent-ict.com waterfarmdressage.co.uk webmail.gun-for-hire.co.uk webmail.uistholidaylet.co.uk webmail.uistholidaylet.com webmail.waterfarmdressage.co.uk www.connaught.org.gg www.gun-for-hire.co.uk www.pepperconsultants.com www.uistholidaylet.co.uk www.uistholidaylet.com www.uu3.com www.waterfarmdressage.co.uk
Expiry Date: 2018-12-23 17:02:18+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/uistholidaylet.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/uistholidaylet.com/privkey.pem
Certificate Name: uistholidaylet.co.uk
Domains: carrollcorp.co.uk connaught.org.gg gun-for-hire.co.uk pepperconsultants.com sfsi.co.uk sfsi.uk svn.convergent-ict.com test.uu3.com test.waterfarmdressage.co.uk uistholidaylet.co.uk uistholidaylet.com uu3.com vm4.convergent-ict.com waterfarmdressage.co.uk webmail.gun-for-hire.co.uk webmail.sfsi.uk webmail.uistholidaylet.co.uk webmail.uistholidaylet.com webmail.waterfarmdressage.co.uk www.carrollcorp.co.uk www.connaught.org.gg www.gun-for-hire.co.uk www.pepperconsultants.com www.sfsi.co.uk www.sfsi.uk www.uistholidaylet.co.uk www.uistholidaylet.com www.uu3.com www.waterfarmdressage.co.uk
Expiry Date: 2019-02-20 11:15:26+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/uistholidaylet.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/uistholidaylet.co.uk/privkey.pem
Certificate Name: gun-for-hire.co.uk
Domains: carrollcorp.co.uk gun-for-hire.co.uk pepperconsultants.com sfsi.co.uk sfsi.uk svn.convergent-ict.com test.uu3.com uistholidaylet.co.uk uistholidaylet.com uu3.com vm4.convergent-ict.com waterfarmdressage.co.uk webmail.gun-for-hire.co.uk webmail.sfsi.uk webmail.waterfarmdressage.co.uk www.carrollcorp.co.uk www.gun-for-hire.co.uk www.pepperconsultants.com www.sfsi.co.uk www.sfsi.uk www.uistholidaylet.co.uk www.uistholidaylet.com www.uu3.com www.waterfarmdressage.co.uk
Expiry Date: 2019-05-21 16:24:14+00:00 (VALID: 71 days)
Certificate Path: /etc/letsencrypt/live/gun-for-hire.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gun-for-hire.co.uk/privkey.pem
Certificate Name: gun-for-hire.co.uk-0001
Domains: gun-for-hire.co.uk www.gun-for-hire.co.uk
Expiry Date: 2019-04-20 23:18:38+00:00 (VALID: 40 days)
Certificate Path: /etc/letsencrypt/live/gun-for-hire.co.uk-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gun-for-hire.co.uk-0001/privkey.pem
Certificate Name: svn.convergent-ict.com
Domains: svn.convergent-ict.com
Expiry Date: 2019-04-25 11:46:59+00:00 (VALID: 45 days)
Certificate Path: /etc/letsencrypt/live/svn.convergent-ict.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/svn.convergent-ict.com/privkey.pem
Certificate Name: test.uu3.com
Domains: test.uu3.com
Expiry Date: 2019-04-24 11:22:07+00:00 (VALID: 44 days)
Certificate Path: /etc/letsencrypt/live/test.uu3.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/test.uu3.com/privkey.pem
Certificate Name: vm4.convergent-ict.com
Domains: vm4.convergent-ict.com
Expiry Date: 2019-04-24 11:23:26+00:00 (VALID: 44 days)
Certificate Path: /etc/letsencrypt/live/vm4.convergent-ict.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vm4.convergent-ict.com/privkey.pem


From https://certbot.eff.org/docs/using.html

--allow-subset-of-names tells Certbot to continue with certificate generation if only some of the specified domain authorizations can be obtained. This may be useful if some domains specified in a certificate no longer point at this system.
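The replies above describe replacing a certificate in place with --cert-name and a reduced -d list. As an added example (not part of the thread and not Certbot's own tooling), this script reads `certbot certificates` output and prints, for review, the command needed for every certificate that still lists a stale name; the function names `reissue_cmds` and `sample_output` and the example.* sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: nothing here runs certbot, it only prints commands to review.

# reissue_cmds STALE_NAME
# Reads `certbot certificates` output on stdin. For every certificate that
# lists STALE_NAME, prints a command that reissues it under the same
# certificate name without that domain. If the stale name is the only one
# on the certificate, prints the delete command instead.
reissue_cmds() {
    awk -v stale="$1" '
        $1 == "Certificate" && $2 == "Name:" { name = $3 }
        $1 == "Domains:" {
            args = ""; hit = 0
            for (i = 2; i <= NF; i++) {
                if ($i == stale) hit = 1        # drop the stale name
                else args = args " -d " $i      # keep every other name
            }
            if (!hit) next                      # certificate is unaffected
            if (args == "")
                print "sudo certbot delete --cert-name " name
            else
                print "sudo certbot --apache --cert-name " name args
        }
    '
}

# Constructed sample in the layout printed by `certbot certificates`.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com test.example.net example.net
    Expiry Date: 2018-12-23 17:02:18+00:00 (INVALID: EXPIRED)
  Certificate Name: example.org
    Domains: example.org www.example.org
    Expiry Date: 2019-05-21 16:24:14+00:00 (VALID: 71 days)
  Certificate Name: example.net-0001
    Domains: test.example.net
    Expiry Date: 2019-04-20 23:18:38+00:00 (VALID: 40 days)
EOF
}

sample_output | reissue_cmds test.example.net
```

On a live server the input would come from `sudo certbot certificates | reissue_cmds test.waterfarmdressage.co.uk`. Before deleting any certificate, check that no Apache virtual host still points at its files, since Apache will not start if they are missing.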
