Without --cert-name, the new item is created whenever you request a cert for a set of names that has overlap with a previous set but isn't a strict superset.

For example, if you first request example.com and www.example.com, and later request example.com and example.net without www.example.com, the new certificate would likely be called example.com-0001, while the example.com cert covering www.example.com would continue to exist. That is, removing any name from the old certificate's list will cause the generation of an -0001 cert if you don't specify --cert-name.

The intended way to prevent this is indeed @_az's recommendation of specifying --cert-name (this is the only way to remove a name from an existing cert's coverage with Certbot).
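The following is an added sketch, not part of the original post and not Certbot's own code: a simplified model of the lineage choice described above, usable as a pre-flight check before requesting a certificate. The function names and the action labels (renew, expand, replace-names, new) are assumptions made for illustration.

```python
# Simplified model of the behaviour described in the post; not Certbot's code.
# Lineage names and domain sets passed in are supplied by the caller.

def unique_name(lineages, base):
    """Return base, or base-0001, base-0002, ... if the name is taken."""
    if base not in lineages:
        return base
    n = 1
    while f"{base}-{n:04d}" in lineages:
        n += 1
    return f"{base}-{n:04d}"


def plan_request(lineages, requested, cert_name=None):
    """Predict (action, lineage_name) for a certificate request.

    lineages:  dict mapping lineage name -> set of names it covers
    requested: ordered list of names passed with -d
    cert_name: value of --cert-name, or None when the flag is omitted
    """
    wanted = set(requested)
    if cert_name is not None:
        # With --cert-name the named lineage is updated in place, which is
        # the only way to drop a name from its coverage.
        if cert_name not in lineages:
            return ("new", cert_name)
        same = lineages[cert_name] == wanted
        return ("renew" if same else "replace-names", cert_name)
    # Without --cert-name: an identical set reuses the existing lineage.
    for name, covered in lineages.items():
        if covered == wanted:
            return ("renew", name)
    # A strict superset of an existing set extends that lineage.
    for name, covered in lineages.items():
        if covered < wanted:
            return ("expand", name)
    # Anything else, including overlap with a name removed, creates a new
    # lineage named after the first requested name, suffixed if taken.
    return ("new", unique_name(lineages, requested[0]))


if __name__ == "__main__":
    # Constructed sample state matching the example in the post.
    existing = {"example.com": {"example.com", "www.example.com"}}
    print(plan_request(existing, ["example.com", "example.net"]))
    print(plan_request(existing, ["example.com", "example.net"],
                       cert_name="example.com"))
```

A result of ("new", "example.com-0001") is the signal that the request as written would leave the old certificate in place alongside a second one.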