Multiple certificates are not being generated

My domain is:
domain.com, www.domain.com and v1.api.domain.com.

I ran this command:

docker compose run --rm --entrypoint " \
        certbot certonly --webroot -w /var/www/certbot \
        --staging \
        --email some@email.com \
        -d domain.com -d www.domain.com -d v1.api.domain.com \
        --rsa-key-size 4096 \
        --agree-tos \
        --force-renewal \
" certbot

It produced this output:

[+] Building 0.0s (0/0)
[+] Building 0.0s (0/0)
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for domain.com and 2 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/domain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/domain.com/privkey.pem
This certificate expires on 2023-09-23.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

My web server is (include version):
nginx:alpine.

The operating system my web server runs on is (include version):
Ubuntu 22.04.2 LTS (jammy).

My hosting provider, if applicable, is:
Linode.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.6.0

Hello everyone, in advance I want to apologize if my question is dumb.

So, it turns out that I'm trying to generate the certificate for these three domains, as I showed in the example; however, the certbot container in the end just generates:

Certificate is saved at: /etc/letsencrypt/live/domain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/domain.com/privkey.pem

This refers only to the first domain I specified; inside the /etc/letsencrypt/live directory there is only the domain.com folder.

Is it something I'm doing wrong? The certificate would need to be generated for each domain.

NOTE: I tested it without the --staging flag, but it has the same effect.

Hi @rhuanpk, and welcome to the LE community forum :slight_smile:

Your command is requesting a single cert that contains three names on it.

If you need three separate certs, then separate them [as follows]:

docker compose run --rm --entrypoint " \
        certbot certonly --webroot -w /var/www/certbot \
        --email some@email.com \
        -d domain.com \
        --rsa-key-size 4096 \
        --agree-tos \
" certbot
docker compose run --rm --entrypoint " \
        certbot certonly --webroot -w /var/www/certbot \
        --email some@email.com \
        -d www.domain.com \
        --rsa-key-size 4096 \
        --agree-tos \
" certbot
docker compose run --rm --entrypoint " \
        certbot certonly --webroot -w /var/www/certbot \
        --email some@email.com \
        -d v1.api.domain.com \
        --rsa-key-size 4096 \
        --agree-tos \
" certbot

Also: Don't use --force-renewal

That said, you might need to delete the first cert, OR you may end up with a -0001 cert for that same domain name.

4 Likes

Thank you for the welcome!

Wow, your answer was really enlightening! So in the case of the domain www.domain.com, which is a CNAME for domain.com, is it really valid to leave both names on the same certificate?

And for the subdomain that I will create to reference the API, do I redo the command passing only its domain (v1.api.domain.com)?

Or do I leave it like that? One certificate for all names? What's the right thing to do?

1 Like

Every time you run Certbot, it requests a single certificate, covering all (and only) the domain names that you mentioned on the Certbot command line.

A single certificate can cover many names. You can run certbot certificates to check whether your existing certificate already covers all three names.

5 Likes
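As an added illustration (not part of the thread and not Certbot's own code), here is the check behind `certbot certificates` done with plain `openssl`: it lists the DNS names in a certificate's subjectAltName and reports which requested names are missing. It covers both points made above, that one Certbot run yields one certificate containing exactly the names on its command line, and that a single certificate can cover several names. The certificates are constructed locally as self-signed stand-ins for what Certbot would save under `/etc/letsencrypt/live/<name>/`; the file names and the `make_multi_san_cert`, `cert_san_names` and `cert_covers_names` helpers are this example's own.

```shell
#!/bin/sh
# Added example: inspect which DNS names a certificate actually covers.
# Everything is generated locally with openssl; no ACME server is contacted.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_multi_san_cert OUTFILE NAME...
# Self-signed stand-in for a Let's Encrypt cert: every NAME goes into the
# subjectAltName, the same shape as the one three-name cert the original
# command produced. (Constructed test data, not a real issued certificate.)
make_multi_san_cert() {
    out="$1"; shift
    san=""
    for n in "$@"; do
        san="${san:+$san,}DNS:$n"
    done
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $1
[v3_req]
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$out.key" -out "$out" -config "$WORK/req.cnf" >/dev/null 2>&1
}

# cert_san_names CERTFILE
# Print the DNS names listed in the certificate's subjectAltName, one per line.
# The SAN value follows the "Subject Alternative Name" header line in -text output.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_covers_names CERTFILE NAME...
# Exit 0 only if every NAME is present in the certificate; print each missing
# one. This is why a cert requested with only -d domain.com does not serve
# www.domain.com: the browser matches the requested host against this list.
cert_covers_names() {
    cert="$1"; shift
    have="$(cert_san_names "$cert")"
    missing=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF "$want"; then
            echo "missing: $want"
            missing=1
        fi
    done
    return "$missing"
}

# One run with three -d flags -> one cert with three names.
make_multi_san_cert "$WORK/three-names.pem" domain.com www.domain.com v1.api.domain.com
# One run with a single -d flag -> one cert with one name.
make_multi_san_cert "$WORK/one-name.pem" domain.com

echo "names in three-names.pem:"
cert_san_names "$WORK/three-names.pem"
cert_covers_names "$WORK/three-names.pem" domain.com www.domain.com v1.api.domain.com \
    && echo "three-names.pem covers all three names"
cert_covers_names "$WORK/one-name.pem" www.domain.com \
    || echo "one-name.pem does not cover www.domain.com"
```

Run it against a real deployment by pointing `cert_san_names` at `/etc/letsencrypt/live/domain.com/fullchain.pem` (or whichever lineage `certbot certificates` reports); if all three hostnames appear, the single certificate from the original command is already sufficient and no separate certs are needed.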

I'm not that familiar with Docker, but do you store your issued certificates in PERSISTENT storage?

3 Likes

No, binding volumes.

That kind of volume is also persistent if I read correctly, right? The question behind my question was: if you destroy the container, are the certificates preserved, so they can be re-used when a new container starts? Or is everything thrown away?

Because throwing perfectly fine certificates away is usually a surefire way of running into rate limits.

5 Likes

Oh yeah, got it, so... Not really: unless you explicitly delete the content, either outside the container (on the host) or inside the container, it's never gone.
This is because the folder where the certificate is generated inside the container is bound to the host. In fact, if you create any file inside the container and that content is not linked to any volume on the host (whether a bind volume or a named volume), then at the moment the container dies, all those files die with it.

3 Likes

Yeah, that can be an issue if people re-issue a brand new certificate every time the container dies and starts again. We see it here on the Community sometimes, unfortunately.

Same goes for the --force-renewal that Rudy already warned you about :wink: Often users don't understand what that option actually does, and the next thing you know the user has hit a rate limit.

5 Likes
