Newly created wildcard SSL w/ Certbot fails to load site

Without using "--cert-name" certbot will create a new cert name.
[based on the name(s) in the new cert]
But when that new name conflicts with an already existing cert name, certbot will add an incrementing suffix - starting with "-0001".

Again:


That is odd, as the server was restarted and the config does have

sudo cat /etc/nginx/sites-available/concept.staging.smart48.com 
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/concept.staging.smart48.com/before/*;

server {
    # listen 80;
    # listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /home/ploi/staging.smart48.com/current/public;
    server_name .concept.staging.smart48.com;

    # include /etc/nginx/ssl/concept.staging.smart48.com;
    ssl_certificate /etc/letsencrypt/live/concept.staging.smart48.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/concept.staging.smart48.com-0001/privkey.pem;
...

Did wonder why the -0001 was added here, but I guess to not overwrite existing LE SSL for concept wildcard sites.

/etc/letsencrypt/live# ll
total 24
drwx------ 5 root root 4096 Nov  8 06:12 ./
drwxr-xr-x 7 root root 4096 Nov  8 06:12 ../
drwxr-xr-x 2 root root 4096 Sep 27 10:01 concept.staging.smart48.com/
drwxr-xr-x 2 root root 4096 Nov  8 06:12 concept.staging.smart48.com-0001/
-rw-r--r-- 1 root root  740 Mar 26  2023 README
drwxr-xr-x 2 root root 4096 Nov  8 05:20 staging.smart48.com/
 certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: concept.staging.smart48.com-0001
    Serial Number: 3efef45c376cccbb9c31f1d90d76aea3846
    Key Type: ECDSA
    Domains: concept.staging.smart48.com staging.smart48.com
    Expiry Date: 2024-02-06 04:12:48+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/concept.staging.smart48.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/concept.staging.smart48.com-0001/privkey.pem
  Certificate Name: concept.staging.smart48.com
    Serial Number: 46e123199d9213acdf24b0b4c9fbfb37a12
    Key Type: ECDSA
    Domains: *.concept.staging.smart48.com
    Expiry Date: 2023-12-26 07:01:53+00:00 (VALID: 48 days)
    Certificate Path: /etc/letsencrypt/live/concept.staging.smart48.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/concept.staging.smart48.com/privkey.pem
  Certificate Name: staging.smart48.com
    Serial Number: 3bd352ec9032237eabc2c0ee316d0a0f247
    Key Type: ECDSA
    Domains: *.staging.smart48.com
    Expiry Date: 2024-02-06 03:20:52+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/staging.smart48.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/staging.smart48.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[abbreviated]

Here are the names being covered and the certs that are covering them:

Certificate Name: concept.staging.smart48.com-0001
Domains: concept.staging.smart48.com staging.smart48.com

Certificate Name: concept.staging.smart48.com
Domains: *.concept.staging.smart48.com

Certificate Name: staging.smart48.com
Domains: *.staging.smart48.com

Now serve them up [correctly] via nginx.
OR
If that is not possible, get new cert(s) and delete any unused certs.
And then serve what remains via nginx.


So, [currently] for:

You will need to use this cert:


So are you saying I should load concept.staging.smart48.com-0001 for both concept.staging and staging Nginx configuration files as that certificate should cover both subdomains and wildcard certificates?

Staging now still loads:

sudo cat /etc/nginx/sites-available/staging.smart48.com 
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/staging.smart48.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name .staging.smart48.com;
    root /home/ploi/staging.smart48.com/current/public;

    # ssl_certificate /etc/nginx/ssl/certificates/staging.smart48.com.crt;
    ssl_certificate /etc/letsencrypt/live/staging.smart48.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/staging.smart48.com/privkey.pem;
    # ssl_certificate_key /etc/nginx/ssl/certificates/staging.smart48.com.key;
...

So I guess I should update that?

Yes, it does now that I use

ssl_certificate /etc/letsencrypt/live/concept.staging.smart48.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/concept.staging.smart48.com-0001/privkey.pem;

for the staging nginx config as well. I do think I need to clean up some of the certificates, but want to make sure I do not screw up again. Also will need to test some subdomains. Thanks a lot @rg305 and @MikeMcQ!


Not exactly.
That cert does cover two names - but none of the wildcard entries for them.
Just the two base names:

While the other two certs only cover one wildcard entry each - with no base names.

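To make the coverage discussion above concrete (the three SAN lists from the `certbot certificates` output, and the point that the -0001 cert carries no wildcards while the other two carry only wildcards), here is an added example that is not from the thread. It embeds the three lineages and their SANs as a constructed table and answers, for a hostname, which lineage on this box could serve it. Matching follows the RFC 6125 wildcard rule: `*.x` covers exactly one extra label and never `x` itself. The function names and the table are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: which lineage under
# /etc/letsencrypt/live can serve a given hostname, judged purely from
# the SAN lists that `certbot certificates` printed.
set -f   # disable filename globbing: the SANs contain a literal "*"

# Lineage name, then the SANs it covers (constructed from the thread's
# `certbot certificates` output; one lineage per line).
CERTS='concept.staging.smart48.com-0001 concept.staging.smart48.com staging.smart48.com
concept.staging.smart48.com *.concept.staging.smart48.com
staging.smart48.com *.staging.smart48.com'

# san_matches SAN HOST: succeed if SAN covers HOST under RFC 6125 rules.
# A wildcard matches exactly one non-empty leftmost label and never
# matches the bare parent name.
san_matches() {
    s=$1
    h=$2
    case $s in
        '*.'*)
            suffix=${s#\*.}     # part after "*."
            first=${h%%.*}      # leftmost label of HOST
            rest=${h#*.}        # HOST without its leftmost label
            [ "$h" != "$rest" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$s" = "$h" ]
            ;;
    esac
}

# cert_for_host HOST: print every lineage whose SANs cover HOST, space
# separated, or "none" if no certificate on the box covers it.
cert_for_host() {
    host=$1
    found=
    while read -r lineage sans; do
        for san in $sans; do
            if san_matches "$san" "$host"; then
                found="${found:+$found }$lineage"
                break
            fi
        done
    done <<EOF
$CERTS
EOF
    echo "${found:-none}"
}

for h in concept.staging.smart48.com t3st.concept.staging.smart48.com \
         staging.smart48.com www.staging.smart48.com a.b.staging.smart48.com; do
    printf '%-36s -> %s\n' "$h" "$(cert_for_host "$h")"
done
```

Run as-is and the output shows why the nginx change in the thread broke the test subdomain: t3st.concept.staging.smart48.com is covered only by the concept.staging.smart48.com lineage (the wildcard), while the -0001 lineage that nginx was switched to serves only the two base names. It also shows that *.staging.smart48.com does cover concept.staging.smart48.com (one label under staging.smart48.com), and that nothing on the box covers a two-label-deep name such as a.b.staging.smart48.com.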

Hmm, yeah, https://t3st.concept.staging.smart48.com does not work this way. So I guess I have zero wildcard options this way as you said. Perhaps I need to delete all in

ll
total 24
drwx------ 5 root root 4096 Nov  8 06:12 ./
drwxr-xr-x 7 root root 4096 Nov  8 07:02 ../
drwxr-xr-x 2 root root 4096 Sep 27 10:01 concept.staging.smart48.com/
drwxr-xr-x 2 root root 4096 Nov  8 06:12 concept.staging.smart48.com-0001/
-rw-r--r-- 1 root root  740 Mar 26  2023 README
drwxr-xr-x 2 root root 4096 Nov  8 05:20 staging.smart48.com/

and do one for both sites and wildcards. Or one wildcard for concepts and staging as I had working before. How do I do that?

You mentioned several things - which one exactly?

In general, you get cert(s) BEFORE you delete any cert(s).

  • get new cert
  • use new cert
  • make sure nothing is still using old cert
  • delete old unused cert
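The "make sure nothing is still using old cert" step in the list above can be checked mechanically rather than by eyeballing configs. The following is an added example, not from the thread: it greps an nginx tree for references to a lineage's live directory and reports whether the lineage is still in use. The nginx directory is a parameter so it can run here against a constructed tree modelled on the two sites-available files posted earlier; the function names and the sample tree are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that no nginx config still
# points at /etc/letsencrypt/live/<lineage>/ before `certbot delete`.

# lineage_refs NGINX_DIR LINEAGE: print "file:line:text" for every line
# under NGINX_DIR that references /etc/letsencrypt/live/LINEAGE/.
# The trailing slash matters: without it "concept.staging.smart48.com"
# would also match the "concept.staging.smart48.com-0001" directory.
# /dev/null is passed so grep always prints the file name.
lineage_refs() {
    find "$1" -type f -exec grep -n -F "/etc/letsencrypt/live/$2/" /dev/null {} \;
}

# lineage_unreferenced NGINX_DIR LINEAGE: print "yes" when no config
# references the lineage, otherwise "no".
lineage_unreferenced() {
    if [ -z "$(lineage_refs "$1" "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample tree modelled on the thread's two sites-available
# files after both were switched to the -0001 lineage. On a real box you
# would pass /etc/nginx instead of "$DEMO".
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/sites-available"
cat > "$DEMO/sites-available/concept.staging.smart48.com" <<'EOF'
server {
    listen 443 ssl http2;
    server_name .concept.staging.smart48.com;
    ssl_certificate /etc/letsencrypt/live/concept.staging.smart48.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/concept.staging.smart48.com-0001/privkey.pem;
}
EOF
cat > "$DEMO/sites-available/staging.smart48.com" <<'EOF'
server {
    listen 443 ssl http2;
    server_name .staging.smart48.com;
    ssl_certificate /etc/letsencrypt/live/concept.staging.smart48.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/concept.staging.smart48.com-0001/privkey.pem;
}
EOF

for lineage in concept.staging.smart48.com-0001 concept.staging.smart48.com staging.smart48.com; do
    printf '%-36s unreferenced: %s\n' "$lineage" "$(lineage_unreferenced "$DEMO" "$lineage")"
    lineage_refs "$DEMO" "$lineage"
done
```

"Unreferenced" is necessary but not sufficient: in the state the thread is in, the two wildcard lineages are unreferenced only because nginx was pointed at the wrong cert, and they are exactly the ones still needed. Follow the order in the list above (get the replacement cert, switch nginx to it, `nginx -t` and reload, run the check, then `certbot delete --cert-name <lineage>`).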

Should I then do

sudo certbot certonly --manual --email user@site.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d *.concept,staging.smart48.com -d

and

sudo certbot certonly --manual --email user@site.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d *.staging.smart48.com -d staging.smart48.com

update configs for concepts and staging, reload Nginx, and then remove the older ones?

sudo certbot certonly \
--manual \
--email user@site.com \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok \
-d *.concept,staging.smart48.com \
-d

Something is missing at the end.

sudo certbot certonly \
--manual \
--email user@site.com \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok \
-d *.staging.smart48.com \
-d staging.smart48.com

This is better.

But you still haven't learned how to use:


Without using "--cert-name", certbot will be forced to create a new name for this new set of names covered by each new cert.
Again "-0002" ...


No, I have not learned how to use --cert-name. You mentioned:

Without using "--cert-name " certbot will create a new cert name.
[based on the name(s) in the new cert]
But when that new name conflicts with an already existing cert name, certbot will add an incrementing suffix - starting with "-0001".

So it sounds like I should add --cert-name to overwrite existing ones, so I do not get odd numbers at the end.

If you are the only nginx admin, you might as well get one cert with all four names on it:

-d *.concept.staging.smart48.com \
-d   concept.staging.smart48.com \
-d *.staging.smart48.com \
-d   staging.smart48.com
sudo certbot certonly \
--manual \
--cert-name staging-certs \
--email user@site.com \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok \

sudo certbot certonly \
--manual \
--email user@site.com \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok \
-d *.concept.staging.smart48.com \
-d   concept,staging.smart48.com \
-d *.staging.smart48.com \
-d   staging.smart48.com

but what should I add for cert name? staging?

^^ the comma is a TYPO ^^


^^ requires a name [and a dash]
Like:
--cert-name staging.smart48.com
OR
--cert-name staging-cert
OR
--cert-name something-else
[any unique string will work - it's just a LABEL]


^^ TYPO remains ^^
