Multiple old .conf files in /renewal


#1

Using letsencrypt and certbot for some time without any issues until I migrated a domain away.

I just noticed I was still requesting renewal (on original server) for a domain that is now on a different server - with its own new cert.

Due to this I was seeing ratelimiting due to failures on the original server.

Looking at the /etc/certbot/renewal dir I’m seeing multiple (old?) .conf files:

exampledomain.com.conf
exampledomain.com-0001.conf
exampledomain.com-0002.conf
exampledomain.com-0003.conf
… this goes to 0007.conf

I’m assuming that autorenew is parsing all of these and seeing the stale domain in all but the last one and seeing the same failure multiple times? (checking .conf files I see the 0007 one doesn’t include the stale domain).

Am I safe to remove the older .conf files from here manually? Then I can wait for the ratelimit to reset and renew?

Anything else I should do here? (asides from possibly filing a bug request for the panel I use?)

Thanks


#2

Can you post the output of “sudo certbot certificates” (or whatever your Certbot command is) and “sudo ls -alR /etc/certbot/{archive,live,renewal}” (without redacting your domain)?

You should keep all of Certbot’s data consistent. If you delete a renewal configuration file, you should also delete the corresponding archive and live subdirectories. You can use Certbot’s delete command to do that, but I wouldn’t want to recommend deleting anything in particular without a better idea of what’s going on.


#3

I know it would help if I posted the domains publicly, but… I guess I’m paranoid, which in security is sometimes a good thing, having them show in search results at a later date isn’t something I’m comfortable with. I can PM?

Basically it’s one certificate, but covers multiple domains on the server. One of the domains is now hosted elsewhere but I still see it in the (older) 000x.conf files. Certificates are valid currently but noticed the failures while auditing logs. Since it’s seeing the old domain in multiple .conf files, it’s triggering the 5 failures in one hour and initiating ratelimiting.

Should there have been multiple samedomain-[000x] conf files or has my panel created them whenever there has been a change?

I’ve now removed the stale -000[0-6].conf files and the directories from within renewal, live and archive. I have however currently still got the very oldest .conf file as well as the newest.

Would the certbot delete the certificate itself or can it be used to remove the one single domain from the certificate while leaving the remaining domains?

I’ve tested with dry-run and other than while parsing the original .conf file created the rest go through okay, but am wary of issuing a renew command just in case!


#4

Having the same problem…
Processing /etc/letsencrypt/renewal/.com-0001.conf
Processing /etc/letsencrypt/renewal/.com-0002.conf

Processing /etc/letsencrypt/renewal/.com-0036.conf
Processing /etc/letsencrypt/renewal/.com-0037.conf
Processing /etc/letsencrypt/renewal/.com.conf

certbot renew … takes forever. I would like to delete all but the active .conf files.

I have multiple domains on Virtualmin (culprit me thinks), I have multiple confs for almost all domains…

I am setting all domains on Virtualmin to manual renew and making a cron job to handle them.

But I would really like to clean up this mess.

Thanks in advance for any insight on cleaning up this mess.


#5

Hi @sharprez

There are two commands. Check your website, which certificate is used. Then use

certbot certificates

to find this active certificate. Then use

certbot delete [certificate-name]

to remove all certificates with this domain name, which aren’t used.

Check

certbot delete --cert-name example.com
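The audit that posts #2, #3 and #5 describe by hand (find which renewal lineages still list the domain that moved, which are orphaned, and which one is the live certificate to keep) can be scripted before anything is deleted. The following is an added example, not code from the thread or from Certbot itself. It builds a constructed `renewal/` tree in a temporary directory (sample lineage names, a constructed account id and the constructed stale domain `moved.example.net`), parses each `.conf` the way Certbot lays it out, and reports per lineage whether it still carries the stale domain, whether its `live/` directory exists, and the matching `certbot delete --cert-name` command. The caveat it handles: only `webroot`-authenticated lineages store the domain list in `[[webroot_map]]`; for `apache`/`nginx` lineages the conf holds no domain list, so the script marks them as "check `certbot certificates`", whose SAN output is the authoritative source.

```python
import os
import re
import tempfile

# Constructed sample data (not from the thread): one site whose certificate was
# re-issued several times. "moved.example.net" is the domain that now lives on
# another server; the two oldest lineages still list it, the newest does not.
STALE_DOMAIN = "moved.example.net"
SAMPLE_LINEAGES = [
    ("exampledomain.com", "webroot",
     ["exampledomain.com", "www.exampledomain.com", STALE_DOMAIN]),
    ("exampledomain.com-0001", "webroot",
     ["exampledomain.com", "www.exampledomain.com", STALE_DOMAIN]),
    ("exampledomain.com-0002", "apache", []),  # apache plugin: no domain list in conf
    ("exampledomain.com-0003", "webroot",
     ["exampledomain.com", "www.exampledomain.com"]),
]


def make_conf(root, name, authenticator, domains):
    """Build a renewal file in Certbot's layout (paths point under `root`)."""
    lines = ["# renew_before_expiry = 30 days", "version = 1.21.0",
             f"archive_dir = {root}/archive/{name}"]
    lines += [f"{f} = {root}/live/{name}/{f}.pem"
              for f in ("cert", "privkey", "chain", "fullchain")]
    lines += ["", "# Options used in the renewal process", "[renewalparams]",
              "account = 0123456789abcdef0123456789abcdef",  # constructed id
              f"authenticator = {authenticator}",
              "server = https://acme-v02.api.letsencrypt.org/directory"]
    if authenticator == "webroot":  # only webroot stores the domain list here
        lines.append("[[webroot_map]]")
        lines += [f"{d} = /var/www/{d.split('.')[0]}" for d in domains]
    return "\n".join(lines) + "\n"


def build_sample_tree():
    """Create renewal/ confs plus a live/ dir for the newest lineage only."""
    root = tempfile.mkdtemp()
    renewal = os.path.join(root, "renewal")
    os.makedirs(renewal)
    for name, auth, domains in SAMPLE_LINEAGES:
        with open(os.path.join(renewal, name + ".conf"), "w") as fh:
            fh.write(make_conf(root, name, auth, domains))
    live = os.path.join(root, "live", "exampledomain.com-0003")
    os.makedirs(live)
    open(os.path.join(live, "cert.pem"), "w").close()
    return renewal


def parse_renewal_conf(text):
    """Return (top-level keys, [renewalparams], webroot domains) from a conf."""
    top, params, domains, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[[") and line.endswith("]]"):
            section = line[2:-2]
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if section is None:
                top[key] = value
            elif section == "renewalparams":
                params[key] = value
            elif section == "webroot_map":
                domains.append(key)  # the key of each webroot_map entry is a domain
    return top, params, domains


def lineage_sort_key(name):
    """Order lineages as Certbot created them: base name, then -0001, -0002..."""
    m = re.match(r"^(.*?)(?:-(\d{4}))?$", name)
    return (m.group(1), int(m.group(2) or 0))


def audit_renewal_dir(renewal_dir, stale_domain):
    """Classify every lineage; 'stale' is None when the conf holds no domain list."""
    report = []
    names = sorted((f[:-5] for f in os.listdir(renewal_dir) if f.endswith(".conf")),
                   key=lineage_sort_key)
    for name in names:
        with open(os.path.join(renewal_dir, name + ".conf")) as fh:
            top, params, domains = parse_renewal_conf(fh.read())
        live_present = os.path.exists(top.get("cert", ""))
        stale = (stale_domain in domains) if domains else None
        if stale:
            action = f"certbot delete --cert-name {name}   # still lists {stale_domain}"
        elif stale is None:
            action = f"check 'certbot certificates' for {name}: conf has no domain list"
        elif not live_present:
            action = "orphaned conf (no live dir): remove it together with its archive dir"
        else:
            action = "keep"
        report.append({"lineage": name, "base": lineage_sort_key(name)[0],
                       "authenticator": params.get("authenticator"),
                       "domains": domains, "stale": stale,
                       "live_present": live_present, "action": action})
    return report


def delete_candidates(report):
    """Lineages that still list the stale domain and would keep failing renewal."""
    return [r["lineage"] for r in report if r["stale"] is True]


if __name__ == "__main__":
    for r in audit_renewal_dir(build_sample_tree(), STALE_DOMAIN):
        print(f"{r['lineage']:26} stale={r['stale']!s:5} live={r['live_present']!s:5} {r['action']}")
```

Run it against a real host by pointing `audit_renewal_dir` at `/etc/letsencrypt/renewal` with the domain that moved; it only reads files and prints the `certbot delete --cert-name` commands, so the actual removal stays an explicit step after `certbot certificates` has confirmed which lineage your web server is serving.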