Prevent -0001 -xxxx Certificate Suffixes


#1

Hi All,

I migrated my web server to another server, and ever since, some SSL certificates are being stored in folders such as “/etc/letsencrypt/live/mydomain.com-0001/”

This is messing up the way my hosting control panel works because it expects the certificates to always be in “/etc/letsencrypt/live/mydomain.com”. So, is there a way I can force certbot to reuse these folders if they exist when attempting to get a certificate? My guess is that since the new server had to obtain all the domain certificates again, that was over Let’s Encrypt’s limit, so blank config files were created in /etc/letsencrypt/renewal/mydomain.com.conf.

When I run certbot it claims the following:

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/mydomain.com.conf.

This config file is blank, so I’m not sure why it’s there, why it even exists, and why it’s invalid since it’s empty.

The certificates are requested by the control panel software using this command:

/usr/local/bin/certbot certonly --webroot --agree-tos --email {MYEMAIL} -d {DOMAIN1} -d {DOMAIN2} -d {DOMAIN3} -w /phyiscalpath

Is there a flag to get certbot to not create -0001 or -0002 directories and always use the domain as the folder name instead of adding suffixes?

I can change what the control panel uses for Let’s Encrypt, so hopefully there’s a way to do this…


#2

Use --cert-name mydomain.com and Certbot will overwrite the existing entry instead of creating a new one.


#3

Hopefully the order of the parameters doesn’t matter. :grin: Thanks!


#4

Without --cert-name, the new item is created whenever you request a cert for a set of names that has overlap with a previous set but isn’t a strict superset.

For example, if you first request example.com and www.example.com, and later request example.com and example.net without www.example.com, the new certificate would likely be called example.com-0001, while the example.com cert covering www.example.com would continue to exist. That is, removing any name from the old certificate’s list will cause the generation of an -0001 cert if you don’t specify --cert-name.

The intended way to prevent this is indeed @_az’s recommendation of specifying --cert-name (this is the only way to remove a name from an existing cert’s coverage with Certbot).


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.