Old and duplicate domains in renewal folder

  1. When I run ‘certbot renew’ I get errors related to domains which are no longer active and have been removed from the web server. I see conf files in the renewal folder for these old domains – can I just delete them?

  2. For one domain that is active, I see this:
    -rw-r--r-- 1 root root 574 Aug 20 00:02 corelosangeles.com-0001.conf
    -rw-r--r-- 1 root root 574 Aug 28 12:06 corelosangeles.com-0002.conf
    -rw-r--r-- 1 root root 574 Aug 28 12:07 corelosangeles.com-0003.conf
    -rw-r--r-- 1 root root 574 Aug 28 12:06 corelosangeles.com-0004.conf
    -rw-r--r-- 1 root root 574 Jul 11 00:03 corelosangeles.com-0005.conf
    -rw-r--r-- 1 root root 574 Jul 11 00:04 corelosangeles.com-0006.conf
    -rw-r--r-- 1 root root 574 Jul 11 00:03 corelosangeles.com-0007.conf
    -rw-r--r-- 1 root root 574 Dec 14 20:24 corelosangeles.com-0008.conf
    -rw-r--r-- 1 root root 549 Aug 9 00:02 corelosangeles.com.conf

This feels wrong and I am seeing rate limit errors related to 0006. How best to clean this up?

1 Like

Please show the errors.

Those should be “historical” and do NOT get deleted automatically
[and should not cause a problem]
But it is hard to tell exactly where those files are located (from your output) so MAYBE there is a problem…

Please show the exact error message(s).
Thanks.

What does certbot certificates say?

The following certs could not be renewed:
/etc/letsencrypt/live/corelosangeles.com-0002/fullchain.pem (failure)
/etc/letsencrypt/live/corelosangeles.com/fullchain.pem (failure)
/etc/letsencrypt/live/corelosangeles.com-0007/fullchain.pem (failure)
/etc/letsencrypt/live/corelosangeles.com-0004/fullchain.pem (failure)
/etc/letsencrypt/live/corelosangeles.com-0003/fullchain.pem (failure)
/etc/letsencrypt/live/corelosangeles.com-0001/fullchain.pem (failure)
/etc/letsencrypt/live/corelosangeles.com-0005/fullchain.pem (failure)
/etc/letsencrypt/live/corelosangeles.com-0006/fullchain.pem (failure)

This domain is deleted:
The following certs could not be renewed:
/etc/letsencrypt/live/dev.translingua.techaround.com/fullchain.pem (failure)

OK so there is a definite problem.
Please show output of:
certbot certificates

[that should tell us plenty]

Is there a way around this?

Sorry, new users can only put 20 links in a post.

Just show the first 20 (or less)?
We should see a pattern from that.
OR
show screenshots?
OR
just show the ones that are expired or known not in use
OR
post in paste-bin/dropbox/1drive/Gdrive type system
OR
save to TXT file and move it to your website and post link here
OR
try encapsulating the whole mess with preceding and postceding (not-a-word) them with:
```

1 Like

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/corelosangeles.com-0002/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/corelosangeles.com/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/corelosangeles.com-0007/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/corelosangeles.com-0004/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/corelosangeles.com-0003/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/corelosangeles.com-0001/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/corelosangeles.com-0005/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/corelosangeles.com-0006/cert.pem is unknown

1 Like

Certificate Name: corelosangeles.com
Domains: corelosangeles.com bradtest.techaround.com braincorp.techaround.com cbm-ico.techaround.com core.techaround.com dev.techaround.com dev.translingua.techaround.com ebvwp.techaround.com fmtdev.techaround.com fmtdev2.techaround.com kcdpr.techaround.com new.techaround.com oneillinois.techaround.com proteinpowderreview.com proteinpowderreview.techaround.com quinto-ico.techaround.com www.corelosangeles.com www.proteinpowderreview.com www.techaround.com
Expiry Date: 2019-11-06 23:02:08+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/corelosangeles.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/corelosangeles.com/privkey.pem

1 Like

Ok, that I can work with…
I would start by deleting all the unused certs:
[probably simplest with:]
certbot delete --cert-name corelosangeles.com

as seen in:

1 Like

After you clear out all the unused, rerun
certbot certificates

1 Like

You should be able to delete all the certs containing:

Unless one is still active…?

1 Like

I ran it – it looks clean now – also ran certbot renew and there were zero errors – thanks a ton.

2 Likes

Make sure all your sites are using the remaining certs and none of the ones you deleted.
[grep is your friend here]

grep -ri /etc/letsencrypt/live/ /etc/apache2/

Compare that output with the output of certbot certificates.
All of them should be included in both.
If not, Houston we (will) have a problem.
[as soon as your webserver restarts - trying to use deleted files]

1 Like

So I do see some problems:

50-brad-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/corelosangeles.com-0007/privkey.pem

0007 is gone – it should be using 0008 – best way to fix this?

1 Like

Replace that with the corresponding active file found in
certbot certificates

Look through file:

for any use of
ServerName or ServerAlias
to better understand which names are required in that cert.
Match that to the names found in the certs - and you're covered.

1 Like

So just update the conf files by hand? That works.

2 Likes

Yeah that part will be via manual edit.
Please mark the topic as solved when you're done/satisfied.
–cheers from Miami :beers:

1 Like
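
The grep-and-compare check suggested in this thread, as an added example that is not part of any post: it lists active web-server directives that still point at a certbot lineage missing from the live directory, so they can be corrected before the next web-server restart. The fixture tree and the file name `60-other-le-ssl.conf` are constructed; only `50-brad-le-ssl.conf` and the `-0007`/`-0008` lineage names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list web-server config lines that still
# reference a certbot lineage missing from the live directory.

# dangling_cert_refs CONF_DIR [LIVE_DIR]
# Prints "file: lineage" for each active (non-comment) directive whose
# /etc/letsencrypt/live/<lineage>/ directory no longer exists.
dangling_cert_refs() (
    conf_dir=$1
    live_dir=${2:-/etc/letsencrypt/live}
    # -r recurse, -H always prefix the file name; the leading pattern skips
    # lines whose first non-blank character is '#'.
    grep -rHE '^[[:space:]]*[^#[:space:]].*/etc/letsencrypt/live/[^/[:space:]]+/' "$conf_dir" |
    while IFS=: read -r file rest; do
        lineage=${rest#*/etc/letsencrypt/live/}  # strip up to the lineage name
        lineage=${lineage%%/*}                   # strip the file name after it
        [ -d "$live_dir/$lineage" ] || printf '%s: %s\n' "$file" "$lineage"
    done | sort -u
)

# make_demo_tree: build a constructed fixture and print its root directory.
# Only the 0007/0008 names and 50-brad-le-ssl.conf come from the thread.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/apache2/sites-enabled" "$root/live/corelosangeles.com-0008"
    cat > "$root/apache2/sites-enabled/50-brad-le-ssl.conf" <<'EOF'
SSLCertificateFile /etc/letsencrypt/live/corelosangeles.com-0008/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/corelosangeles.com-0007/privkey.pem
EOF
    cat > "$root/apache2/sites-enabled/60-other-le-ssl.conf" <<'EOF'
# SSLCertificateFile /etc/letsencrypt/live/corelosangeles.com-0003/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/corelosangeles.com-0008/fullchain.pem
EOF
    printf '%s\n' "$root"
}

# Demo on the constructed tree: reports the 0007 reference only.
demo_root=$(make_demo_tree)
dangling_cert_refs "$demo_root/apache2" "$demo_root/live"
rm -rf "$demo_root"
```

On a real host the call would be `dangling_cert_refs /etc/apache2`; an empty result means every referenced lineage still exists under `/etc/letsencrypt/live`.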
