Multiple Certificates for one Domain Cause Extra Emails and Confusion

My domain is: codigomed.com
I ran this command: sudo letsencrypt renew
It produced this output:
Processing /etc/letsencrypt/renewal/app.codigomed.com-0001.conf
Processing /etc/letsencrypt/renewal/app.codigomed.com.br.conf
2017-04-30 00:39:28,029:WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/app.codigomed.com.br.conf is broken. Skipping.
Processing /etc/letsencrypt/renewal/app.codigomed.com.conf
2017-04-30 00:39:28,037:WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/app.codigomed.com.conf is broken. Skipping.
Processing /etc/letsencrypt/renewal/codigomed.com.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/app.codigomed.com-0001/fullchain.pem (skipped)
  /etc/letsencrypt/live/codigomed.com/fullchain.pem (skipped)
No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/app.codigomed.com.br.conf (parsefail)
  /etc/letsencrypt/renewal/app.codigomed.com.conf (parsefail)
0 renew failure(s), 2 parse failure(s)

My operating system is (include version): Ubuntu 16.04
My web server is (include version): Apache

apache2ctl -S
*:80 codigomed.com (/etc/apache2/sites-enabled/codigomed.com-n.conf:1)
*:443 codigomed.com (/etc/apache2/sites-enabled/codigomed.com.conf:2)

Here is my codigomed.com.conf

ServerAdmin suporte@codigomed.com
DocumentRoot /var/www/codigomed.com/public_html
    <Directory /var/www/codigomed.com/public_html/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <IfModule mod_dir.c>
        DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
    </IfModule>

SSLCertificateFile /etc/letsencrypt/live/codigomed.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/codigomed.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName codigomed.com
ServerAlias www.codigomed.com
ServerAlias app.codigomed.com

ServerAlias codigomed.com.br
ServerAlias www.codigomed.com.br
ServerAlias app.codigomed.com.br


I got an email from Expiry Bot saying that the expiry date is in 19 days (20 May).
Bot checking from sslshopper, ssllabs and sslchecker says that it expires on Jul 22, 2017.

What is the real expiry date?
I think I duplicated the SSL generation, is that it? But how do I fix it?
How do I remove these SSL config / website duplicates and this mess?

Thanks for all.

hi @rodrigopeixotobr

Your current certificates expire July 22

The ones you are getting emails about are probably these

You can review the certificates for your domain here: crt.sh | %codigomed.com

Looking at your history you are creating two certificates for the last 2 runs.

You can view the certificates that certbot manages using the command found here: User Guide — Certbot 2.7.0.dev0 documentation

Specifically

manage:
Various subcommands and flags are available for managing your
certificates:

certificates List certificates managed by Certbot
delete Clean up all files related to a certificate

Andrei

I actually have an issue with one of my certs so had to use this today

certbot certificates

as you can see invalid-certbot-windows.firecube.xyz.conf is incomplete as I wasn't able to get a certificate issued

I would like to remove it and related folders so I am going to use the certbot delete command

Before Running Delete Command:

Running Command

certbot delete

Post Run:

Ignore the error at the bottom. It's to do with symlinks pointing at files that aren't there :frowning:

Another key thing to note: the names are internal certbot names not necessarily the domain names

Andrei

Thanks for the fast reply :slight_smile:
Now I can understand the mess better.

I got the certbot not found message but I used certbot-auto, is it the same thing?

Then I ran certbot-auto certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/app.codigomed.com.br.conf produced an unexpected error: error parsing /etc/letsencrypt/renewal/app.codigomed.com.br.conf. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/app.codigomed.com.conf produced an unexpected error: error parsing /etc/letsencrypt/renewal/app.codigomed.com.conf. Skipping.

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: app.codigomed.com-0001
    Domains: app.codigomed.com app.codigomed.com.br codigomed.com codigomed.com.br www.codigomed.com
    Expiry Date: 2017-07-22 03:19:00+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/app.codigomed.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/app.codigomed.com-0001/privkey.pem
  Certificate Name: codigomed.com
    Domains: app.codigomed.com app.codigomed.com.br codigomed.com codigomed.com.br www.codigomed.com www.codigomed.com.br
    Expiry Date: 2017-07-22 03:19:00+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/codigomed.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/codigomed.com/privkey.pem

The following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/app.codigomed.com.br.conf
  /etc/letsencrypt/renewal/app.codigomed.com.conf

And then: certbot-auto delete

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which certificate would you like to delete?

1: app.codigomed.com-0001
2: app.codigomed.com.br
3: app.codigomed.com
4: codigomed.com

Please, just to confirm and don't let me delete the wrong one.
Do I need to delete numbers 1, 2 and 3?
And what did you do at the “Before Running Delete Command:” print?

Thanks again!

certbot and certbot-auto are essentially the same

Certificate Name: app.codigomed.com-0001
Certificate Name: codigomed.com

These are the certs in the CRT.SH logs

Looking at your production server you have 6 SAN names which is your codigomed.com cert

BEFORE DELETING - I would suggest you verify this assumption in the webserver

Also, as I am not aware of your setup, if you have multiple servers you should review their configurations as well

Andrei


Also please note that deleting a certificate from your own system will not stop Let’s Encrypt from sending you e-mail when it’s going to expire. (If you got several slightly different certificates, with different combinations of names, Let’s Encrypt does not consider the new certificates to be a “renewal” for the old certificates, because we don’t know exactly how you are using your certificates, for example whether they are being used on totally different servers or whether one was meant as a replacement for another.) However, after the old certificates have expired, you will stop getting reminder e-mails about them.
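
The check suggested earlier in the thread (confirm which certificate the web server actually uses before deleting anything) and the point in the post above (certificates with different name sets are not renewals of each other) can both be run against the data posted here. This is an added example, not part of any post and not Certbot code; the two sample strings are constructed from the `certbot-auto certificates` output and the vhost shown in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the `certbot-auto certificates` output in this thread.
CERTBOT_OUTPUT = """\
  Certificate Name: app.codigomed.com-0001
    Domains: app.codigomed.com app.codigomed.com.br codigomed.com codigomed.com.br www.codigomed.com
    Certificate Path: /etc/letsencrypt/live/app.codigomed.com-0001/fullchain.pem
  Certificate Name: codigomed.com
    Domains: app.codigomed.com app.codigomed.com.br codigomed.com codigomed.com.br www.codigomed.com www.codigomed.com.br
    Certificate Path: /etc/letsencrypt/live/codigomed.com/fullchain.pem
"""

# Constructed sample: the SSL directives from the vhost posted in this thread.
APACHE_CONF = """\
SSLCertificateFile /etc/letsencrypt/live/codigomed.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/codigomed.com/privkey.pem
"""

def parse_lineages(text):
    """Return {certificate name: {"domains": frozenset, "path": str}} (hypothetical helper)."""
    lineages, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            current = lineages.setdefault(value, {"domains": frozenset(), "path": ""})
        elif current is not None and key == "Domains":
            current["domains"] = frozenset(value.split())
        elif current is not None and key == "Certificate Path":
            current["path"] = value
    return lineages

def referenced_paths(conf):
    """Certificate files named by uncommented SSLCertificateFile directives."""
    return set(re.findall(r"^\s*SSLCertificateFile\s+(\S+)", conf, re.M | re.I))

def classify(lineages, conf):
    """Split lineage names into (referenced by the web server, unreferenced)."""
    used = referenced_paths(conf)
    in_use = sorted(n for n, l in lineages.items() if l["path"] in used)
    return in_use, sorted(set(lineages) - set(in_use))

def names_missing_if_deleted(lineages, keep, drop):
    """Names that lose coverage if lineage `drop` is deleted and `keep` is kept."""
    return lineages[drop]["domains"] - lineages[keep]["domains"]

if __name__ == "__main__":
    certs = parse_lineages(CERTBOT_OUTPUT)
    in_use, unused = classify(certs, APACHE_CONF)
    print("in use:", in_use, "| unreferenced:", unused)
```

On a live system the same functions can be fed the real command output and every file under `/etc/apache2/sites-enabled/`; a lineage counts as safe to remove only if it is unreferenced on every server and `names_missing_if_deleted` returns an empty set for it.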


Thanks for the reply.
So I can just ignore the reminders and don't do anything?
I let the old one expire and don't run any risk from deleting the wrong one. Right?

Yes, that’s right. You can just let the old cert expire.

It may be a good idea to delete the old cert from your system because certbot renew does not know that it should stop attempting to renew the old one, so you’ll end up renewing both certificates each time if you don’t delete it.
