Multiple certificates

rsuinux · May 31, 2021, 1:26pm

Hello,
I have a certificate with several subdomains, but I just noticed that I have three conf files:

I ran this command:

/usr/bin/cerbot certificates
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/suinot.org-0002.conf with version 0.31.0 of Certbot. This might not work.
Attempting to parse the version 1.3.0 renewal configuration file found at /etc/letsencrypt/renewal/suinot.org.conf with version 0.31.0 of Certbot. This might not work.
Certificate Name: suinot.org-0001
    Domains: suinot.org imap.suinot.org lil-elefen.suinot.org mastodon.suinot.org nextcloud.suinot.org   webssh.suinot.org www.suinot.org
    Expiry Date: 2021-07-07 11:46:48+00:00 (VALID: 37 days) ... and more details

Certificate Name: suinot.org-0002
    Domains: suinot.org imap.suinot.org mastodon.suinot.org nextcloud.suinot.org webssh.suinot.org www.suinot.org
    Expiry Date: 2021-07-30 21:04:14+00:00 (VALID: 60 days)  ... and more details                                                                                                                                                        

Certificate Name: suinot.org
    Domains: suinot.org imap.suinot.org lil-elefen.suinot.org mastodon.suinot.org nextcloud.suinot.org webssh.suinot.org www.suinot.org
    Expiry Date: 2021-07-07 11:46:48+00:00 (VALID: 37 days)

My web server is nginx (v 1.14.2 on debian stable) and work fine with the suinot.org-0002 certificate, but there is no subdomain lil-elefen.suinot.org.

The version of certbot is 0.31.0 (debian package)

I think of a bad handling on my part.
Can I remove the suinot.org-0002 configuration and reuse suinot.org-0001 and then add another subdomain?

Likewise, is the first suinot.org certificate necessary?

Thanks for your help.
Rémi.

Osiris · May 31, 2021, 6:46pm

A few things I notice:

Which subdomain do you wish to add? Because as far as I can tell, the certificates with names suinot.org and suinot.org-0001 are identical and already contain the subdomain lil-elefen.suinot.org missing from the 0002-cert.
Before deleting a certificate, make sure your nginx configuration is updated to not use a certificate you're about to delete, but one of the certificates you won't delete. Otherwise your nginx won't restart or reload, as it wouldn't be able to find a certificate to use.
As suinot.org and suinot.org-0001 are identical, you can remove one of those indeed. I'd get rid of the version with that unnecessary -0001 part.
If you wish to update your certificate with new subdomains, you could use the --cert-name flag "overwrite" an existing certificate, so you won't end up with those -0001, -0002 or perhaps even a -0003 version.
It seems once upon a time you've had version 1.9.0 of certbot installed, but somehow downgraded to a very old version, 0.31.0. There's a good chance more recent versions than 0.31.0 have better handeling and identification of certificate expansion which wouldn't lead that easy to those duplicate certificates like you have now. If you can upgrade, I'd recommend it.

rsuinux · June 1, 2021, 12:07pm

@Osiris thank you for your reply

I would like to add the nicolas.suinot.org subdomain (I wonder if each time I added a subdomain, it didn't add an additional -0001 then -0002 file)

Yes, of course, otherwise, nginx will not understand anything

ok, I agree. Remainder of -0002

Version 0.31.0 is the official release of Debian Stable. But my first certificates were made with the version from the official site (ahead of the version compared to Debian). Since then, I have been using / usr / bin / certbot from the Debian package. Not good...

Thank you for your explanations.
How do I remove unnecessary -0001?

Rémi.

rsuinux · June 1, 2021, 2:23pm

In Debian testing, the certbot is version 1.12.0.
So I will do in order:
delete the -0002

certbot --cert-name suinot.org-0002 revoke
certbot --cert-name suinot.org-0002 delete

then install the testing version of certbot.
What do you think?

Osiris · June 1, 2021, 4:09pm

Revoking isn't necessary if the private key hasn't been compromised.

Using that delete command, you should get rid of the 0002 cert indeed.

And use --cert-name too if you wish to expand your current cert to prevent those pesky numbered duplicate certs in the future

Same as how you're about to delete the 0002 cert

rsuinux · June 2, 2021, 8:02am

I deleted from -0002 with

certbot --cert-name suinot.org-0002 delete

Now I have this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: suinot.org-0001
      Domains: suinot.org imap.suinot.org lil-elefen.suinot.org mastodon.suinot.org nextcloud.suinot.org webssh.suinot.org www.suinot.org
      Expiry Date: 2021-07-07 11:46:48+00:00 (VALID: 35 days)
      Certificate Path: /etc/letsencrypt/live/suinot.org-0001/fullchain.pem
      Private Key Path: /etc/letsencrypt/live/suinot.org-0001/privkey.pem
  Certificate Name: suinot.org
      Domains: suinot.org imap.suinot.org lil-elefen.suinot.org mastodon.suinot.org nextcloud.suinot.org webssh.suinot.org www.suinot.org
      Expiry Date: 2021-07-07 11:46:48+00:00 (VALID: 35 days)
      Certificate Path: /etc/letsencrypt/live/suinot.org-0001/fullchain.pem
      Private Key Path: /etc/letsencrypt/live/suinot.org-0001/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The path of the certificate and the private key are the same for suinot.org and suinot.org-0001!
How remove -0001 whithout remove path for certificat and key path for suinot.org?

And now for all of my certificate operations I'll use --cert-name

Osiris · June 2, 2021, 8:31am

That's very strange! Usually this is the result of manual tampering with the symbolic links in /etc/letsencrypt/live/. Does that sound familiair?

I think you probably should fix the symbolic links in /etc/letsencrypt/live/suinot.org/ first. Now, they probably refer to the ../../archive/suinot.org-0001/ which is obiously wrong. They should point to the files in ../../archive/suinot.org/.

If you've fixed the symlinks (and verified with certbot certificates), you can delete the suinot.org-0001 cert.

rsuinux · June 2, 2021, 10:56am

You might be right, but for some reason I don't have a symbolic link! Here is what I have:

/etc/letsencrypt/archive
$ ls -l
total 8
drwxr-xr-x 2 remi remi 4096 févr. 15  2018 suinot.org
drwxr-xr-x 2 root root 4096 avril  8 14:46 suinot.org-0001

master 11:42:12 root /etc/letsencrypt/live
$ ls -l
total 12
-rw-r--r-- 1 root root  740 mars   2 18:05 README
drwxr-xr-x 2 root root 4096 févr. 11  2018 suinot.org
drwxr-xr-x 2 root root 4096 avril  8 14:46 suinot.org-0001

It seems vital to me to put everything back in order before continuing.

Osiris · June 2, 2021, 3:34pm

Sorry, I probably had to be more clear: the symlinks are in the directories which themselves are in the /live/ directory and the same goes for the actual files in /archive/: you can find them in the directories in the /archive/ directory. I.e.:

ls -l /etc/letsencrypt/live/suinot.org/
ls -l /etc/letsencrypt/live/suinot.org-0001/

rsuinux · June 2, 2021, 5:08pm

@Osiris
Sorry, it's might be me
Here is the repertoires, and indeed, both point to the same sources.

$ ls -l suinot.org
total 4
lrwxrwxrwx 1 root root  34 févr. 11  2018 cert.pem -> ../../archive/suinot.org/cert1.pem
lrwxrwxrwx 1 root root  35 févr. 11  2018 chain.pem -> ../../archive/suinot.org/chain1.pem
lrwxrwxrwx 1 root root  39 févr. 11  2018 fullchain.pem -> ../../archive/suinot.org/fullchain1.pem
lrwxrwxrwx 1 root root  37 févr. 11  2018 privkey.pem -> ../../archive/suinot.org/privkey1.pem
-rw-r--r-- 1 root root 543 févr. 11  2018 README
$ ls -l suinot.org-0001/
total 4
lrwxrwxrwx 1 root root  40 avril  8 14:46 cert.pem -> ../../archive/suinot.org-0001/cert21.pem
lrwxrwxrwx 1 root root  41 avril  8 14:46 chain.pem -> ../../archive/suinot.org-0001/chain21.pem
lrwxrwxrwx 1 root root  45 avril  8 14:46 fullchain.pem -> ../../archive/suinot.org-0001/fullchain21.pem
lrwxrwxrwx 1 root root  43 avril  8 14:46 privkey.pem -> ../../archive/suinot.org-0001/privkey21.pem
-rw-r--r-- 1 root root 543 févr. 27  2018 README

I delete one of the directories? (suinot.org-0001)

Osiris · June 2, 2021, 5:37pm

Yes, you can.

@griffin pointed out to me that the symbolic links are already pointing at the correct archive directory. Missed that!

The problem is probably in the contents of the renewal configuration file. Please show us the contents of /etc/letsencrypt/renewal/suinot.org.conf

rsuinux · June 3, 2021, 8:51am

Here are the two conf files: suinot.org.conf and suinot.org-0001.conf
(I have deleted the account number. Just for the sake of safety. Tell me if I'm paranoid ...)

# cat renewal/suinot.org-0001.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/suinot.org-0001  
cert = /etc/letsencrypt/live/suinot.org-0001/cert.pem
privkey = /etc/letsencrypt/live/suinot.org-0001/privkey.pem
chain = /etc/letsencrypt/live/suinot.org-0001/chain.pem 
fullchain = /etc/letsencrypt/live/suinot.org-0001/fullchain.pem  

# Options used in the renewal process 
[renewalparams]  
installer = nginx
authenticator = nginx  
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
server = https://acme-v02.api.letsencrypt.org/directory 
nginx_ctl = /usr/sbin/nginx  
master 10:41:48 root /etc/letsencrypt

# cat renewal/suinot.org.conf
# renew_before_expiry = 30 days 
version = 1.3.0  
archive_dir = /etc/letsencrypt/archive/suinot.org-0001  
cert = /etc/letsencrypt/live/suinot.org-0001/cert.pem
privkey = /etc/letsencrypt/live/suinot.org-0001/privkey.pem
chain = /etc/letsencrypt/live/suinot.org-0001/chain.pem 
fullchain = /etc/letsencrypt/live/suinot.org-0001/fullchain.pem  

# Options used in the renewal process 
[renewalparams]  
authenticator = nginx  
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
server = https://acme-v02.api.letsencrypt.org/directory 
webroot-path=/home/www/

Osiris · June 3, 2021, 4:57pm

You should remove the -0001 parts on those 5 lines from the renewal/suinot.org.conf file: those are not supposed to be there.

Don't delete the entire -0001 cert itself yet by the way, first I want to see if the cert is OK after the renewal config file is fixed. (Please run certbot certificates again for that.)

rsuinux · June 4, 2021, 2:33pm

Result:
I started deleting the 5 lines of configurations:
The file was therefore like

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/suinot.org-0001  
cert = /etc/letsencrypt/live/suinot.org-0001/cert.pem
privkey = /etc/letsencrypt/live/suinot.org-0001/privkey.pem
chain = /etc/letsencrypt/live/suinot.org-0001/chain.pem 
fullchain = /etc/letsencrypt/live/suinot.org-0001/fullchain.pem  


# Options used in the renewal process 
[renewalparams] 

I launched Certbot Certificates, to see the result first:

An unexpected error occurred:
KeyError: 'renewalparams'
Please see the logfiles in /var/log/letsencrypt for more details.

It's logical, the configuration part is no longer there (I had made a backup before)
Then I deleted the 5 previous lines but I gave the configuration part, and revived Certbot Certificates

# certbot certificates
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/suinot.org-0001.conf produced an unexpected error:
 renewal config file {'renewalparams': {'installer': 'nginx', 'authenticator': 'nginx', 'account':     'xxxxxxxxxxxxxxxxxxxx', 'server': 'https://acme-v02.api.letsencrypt.org/directory', 'nginx_ctl': '/usr/sbin/nginx'}} is missing a required file reference. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: suinot.org
    Domains: suinot.org imap.suinot.org lil-elefen.suinot.org mastodon.suinot.org nextcloud.suinot.org webssh.suinot.org www.suinot.org
  Expiry Date: 2021-07-07 11:46:48+00:00 (VALID: 32 days)
    Certificate Path: /etc/letsencrypt/live/suinot.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/suinot.org-0001/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/suinot.org-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

A priori, I can delete, since the second time, everything went well when he saw that Suinot.org-conf was well?

Osiris · June 4, 2021, 4:38pm

Sorry, perhaps I needed to be more clear. I didn't mean to delete entire lines but just the characters -0001 from those 5 lines mentioning those 5 characters. Not the entire line.

rsuinux · June 6, 2021, 1:10pm

Hello;
Don't apologize, my English is not perfect, I may have been misinterpreted
Here is the result:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/suinot.org
cert = /etc/letsencrypt/live/suinot.org/cert.pem
privkey = /etc/letsencrypt/live/suinot.org/privkey.pem
chain = /etc/letsencrypt/live/suinot.org/chain.pem
fullchain = /etc/letsencrypt/live/suinot.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
installer = nginx
authenticator = nginx
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxx
server = https://acme-v02.api.letsencrypt.org/directory
nginx_ctl = /usr/sbin/nginx

And certbot certificates:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: suinot.org-0001
    Domains: suinot.org imap.suinot.org webssh.suinot.org www.suinot.org
    Expiry Date: 2018-05-09 18:39:46+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/suinot.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/suinot.org/privkey.pem
  Certificate Name: suinot.org
    Domains: suinot.org imap.suinot.org lil-elefen.suinot.org mastodon.suinot.org nextcloud.suinot.org webssh.suinot.org www.suinot.org
    Expiry Date: 2021-07-07 11:46:48+00:00 (VALID: 30 days)
    Certificate Path: /etc/letsencrypt/live/suinot.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/suinot.org-0001/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

No error for the conf file, but the suinot.org-0001 is marked expired!
What do you think ?

Osiris · June 6, 2021, 1:36pm

I think you removed the -0001 from the wrong configuration file, as the "Certificate Name" and paths are now reversed! The certificate with the name without the -0001 has paths with the -0001 and the cert name with the -0001 has paths without it.

Also, why the /live/suinot.org/ cert is expired? Probably because earlier certbot didn't even know it existed any longer when the paths in the renewal configuration file for the cert with name "suinot.org" were suddenly paths to the -0001 live directory. So it was never renewed!

So to make clear: the actual certificate in /etc/letsencrypt/live/suinot.org-0001/ is the good certificate, but is now referenced in the certificate renewal file for the suinot.org certificate name.

Earlier we told ourselves you could remove the -0001 cert, but you shouldn't do that now, as we now know the certificate at /etc/letsencrypt/live/suinot.org/ is old, wrong hostnames and expired.

My suggestion:

Fix your two renewal configuration files, so the paths are in line with the certificate name (i.e.: reverse the -0001 between the two files
delete the expired certificate: check with certbot certificates and delete the one which says expired.
Get back with us afterwards.

rsuinux · June 7, 2021, 8:57am

I looked a little better, and corrected my mistakes.

I corrected the correct file. Indeed, it has expired. So I deleted suinot.org-conf

# certbot --cert-name suinot.org delete                                                                                                                                                                             
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Deleted all files relating to certificate suinot.org.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Now I only have one certificate, and no more errors

# certbot  certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: suinot.org-0001
    Domains: suinot.org imap.suinot.org lil-elefen.suinot.org mastodon.suinot.org nextcloud.suinot.org webssh.suinot.org www.suinot.org
    Expiry Date: 2021-07-07 11:46:48+00:00 (VALID: 30 days)
    Certificate Path: /etc/letsencrypt/live/suinot.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/suinot.org-0001/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thank you really for your help, and your patience

system · July 7, 2021, 8:58am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.