Multiple domains incorrectly issuing to one domain. How to fix?

Hi all - please bear with me, I cannot reveal domains for confidentiality reasons so am using fake names in the configs below.
Webserver: Apache/2.4.7 (Ubuntu)
certbot-auto: 0.22.0

I am having a config issue with Let’s Encrypt where multiple domains are being inadvertently linked to other non-related domains. It appears my config is issuing multiple domains to one domain. Evidence discovered through Certificate Transparency suggests that site1.com through to site7.com’s certificates were issued to site2.com, yet site2.com’s certificate does not show any of those sites in its Name or Alternative Names. The common thread is that I am hosting all these domains and using Let’s Encrypt for all of them.

I discovered this issue via Certificate Transparency searches but it is easiest illustrated via Let’s Encrypt renewal emails from cron:

The good (site1.com):

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/site1.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for site1.com
tls-sni-01 challenge for www.site1.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/site1.com/fullchain.pem
-------------------------------------------------------------------------------

The bad (site2.com):

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/site2.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.site3.com
tls-sni-01 challenge for site4.com
tls-sni-01 challenge for site5.com
tls-sni-01 challenge for site6.com
tls-sni-01 challenge for site7.com
tls-sni-01 challenge for site1.com
tls-sni-01 challenge for site2.com
tls-sni-01 challenge for site3.com
tls-sni-01 challenge for www.site1.com
tls-sni-01 challenge for www.site2.com
tls-sni-01 challenge for www.site4.com
tls-sni-01 challenge for www.site5.com
tls-sni-01 challenge for www.site6.com
tls-sni-01 challenge for www.site7.com

Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/site2.com/fullchain.pem
-------------------------------------------------------------------------------

I have checked site2.com’s certificate and it does not have these other sites as a Subject Alternative Name, it merely has “site2.com” and “www.site2.com”.

Site2.com’s /etc/letsencrypt/renewal/site2.com.conf file:

# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/site2.com/cert.pem
privkey = /etc/letsencrypt/live/site2.com/privkey.pem
chain = /etc/letsencrypt/live/site2.com/chain.pem
fullchain = /etc/letsencrypt/live/site2.com/fullchain.pem
version = 0.20.0
archive_dir = /etc/letsencrypt/archive/site2.com

# Options and defaults used in the renewal process
[renewalparams]
installer = apache
authenticator = apache
account = _(redacted)_
apache_ctl = apache2ctl

Can anyone point me in the right direction here?

Thanks in advance,
Ent.

What exact command have you been running to add new domains?

Normally if you want to get a certificate for only a particular domain or set of domains, you should provide only those domains to the certbot-auto command, and run a second certbot-auto command for the next certificate.

You can run certbot-auto certificates to get an overview of the certificates you currently have on your server. Once you’ve obtained the certificates you want with the names you want on them, you can delete any unwanted leftover certificates with certbot-auto delete --cert-name example.com (where example.com is the “Certificate name” from certbot-auto certificates). Make sure you’ve removed them from your Apache configuration first though.

Hi John, thanks for jumping in.

Embarrassingly, I can’t tell you what I used to add/issue new certs originally. It was over a year ago and I tend to look these things up when I need them. Is there a “wrong way” that might yield my results?

Running certbot-auto certificates gives me the same results we knew - the “bad” domain covers multiple domains it should not, yet this is not reflected in the certificate details as reported by the web browser.

I’m guessing the way forward is to delete the problem certificate with the command you provide above, then request a new one? I’d like to understand how this might have arisen though so I don’t make another blunder, esp given I can’t remember the command I used to issue.

I am currently using certbot-auto renew to renew certs. I’m running about 15 domains and enjoy the automatic nature of Let’s Encrypt. Do you see any issue with renewing in bulk, rather than issuing individual commands?

Thanks,
Ent

Issuing new certs for multiple domains in a single command would cause all the domains to be grouped into a single certificate.

In that case you probably have at least two certs for that domain, and apache is using the correct one (but certbot doesn't know this and is still renewing both).

The way forward that I'd recommend is to first request any new/replacement certs you need and configure apache to use them, then delete the unwanted cert.

Nope, that's fine and recommended. Renewing with certbot-auto renew will just renew whatever certificates you have that are close to expiry, and won't change the domains on them unless you explicitly request it to do so. It's only when issuing entirely new certs that you need to use a separate command for each cert.

Thanks for that. With the above information, I was able to resolve the issue.

Firstly, there did appear to be two separate configs for certificates with the same domain name, one under the usual name and one with .0001 after the file name. I did not realise both were in use by Let’s Encrypt. Apache was using the standard name which had only the domain’s certificates, while 0001 was unused and somehow had every domain on the server. When the renewals were occurring, this “broken” config was requesting certs for every domain on the server even though it was unused.

I had a few issues deleting and renewing - in the end I had to delete the HTTPS apache2 server config, leaving the HTTP server intact. Only then could I request a new cert. If I commented out the certificate paths and the HTTPS engine, apache2 would error on reloading. Only after the HTTPS config was deleted could I reload, delete the cert, manually delete the “broken” cert (good ol rm - it wasn’t reported or deleted by certbot-auto), then request a new cert. If I disabled the Apachie domain outright, it would not show up in certbot-auto to renew.

All ended well. Thankyou for your input John, I salute you sir
Ent.