Problems making the Base Name and Common Name the same?

I've followed the instructions in an earlier topic but it is still not working for me. Here is a link to the topic. Is there a way to reopen it?

I am trying to make designcomputer.com the Base Name and Common Name. Here is the command I used:

/root/certbot-auto --cert-name designcomputer.com -d designcomputer.com -d www.designcomputer.com -d 450th.designcomputer.com -d blenderism.com -d designtv.net -d www.designtv.net -d ereflex.com -d fortmose.com -d frogfancy.com -d ic5.designcomputer.com -d ic5.designtv.net -d legiblelab.com -d schedule.designtv.net -d taoofblender.com -d test.designcomputer.com -d test.designtv.net -d weaponscollector.com -d www.weaponscollector.com -d plus.weaponscollector.com -d zenofblender.com

Here is the response:

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
/root/.local/share/letsencrypt/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for designcomputer.com
tls-sni-01 challenge for www.designcomputer.com
tls-sni-01 challenge for 450th.designcomputer.com
tls-sni-01 challenge for blenderism.com
tls-sni-01 challenge for designtv.net
tls-sni-01 challenge for www.designtv.net
tls-sni-01 challenge for ereflex.com
tls-sni-01 challenge for fortmose.com
tls-sni-01 challenge for frogfancy.com
tls-sni-01 challenge for ic5.designcomputer.com
tls-sni-01 challenge for ic5.designtv.net
tls-sni-01 challenge for legiblelab.com
tls-sni-01 challenge for schedule.designtv.net
tls-sni-01 challenge for taoofblender.com
tls-sni-01 challenge for test.designcomputer.com
tls-sni-01 challenge for test.designtv.net
tls-sni-01 challenge for weaponscollector.com
tls-sni-01 challenge for www.weaponscollector.com
tls-sni-01 challenge for plus.weaponscollector.com
tls-sni-01 challenge for zenofblender.com
Waiting for verification...
Cleaning up challenges
Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/designcomputer.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/designcomputer.com/privkey.pem
   Your cert will expire on 2017-12-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew all
   of your certificates, run "certbot-auto renew"

The certificate renewed, but the Base Name and Common Name did not change to designcomputer.com.

I believe certbot will alphabetize the names and choose the first as the common name - but I may be wrong.
So, I’m not sure you are going to get the results you require without separating all the designcomputer.com names into another cert or some other clever method, like deleting the cert and creating one you like, then expanding it with all the other names. But even that may yield the same final result.

Yikes. I hope there is some way to actually do this.

When you create a completely new cert, Certbot submits the names in the order in which they’re presented on the command line, including requesting the common name to be the first-listed name with -d.

However, I believe that when you renew an existing cert, Certbot submits the names in the order in which they were listed in the old cert, regardless of what order they were specified in on the new command line. In this case, Certbot recognizes that you have an existing cert with the same coverage and offers to renew it, and in doing so, it requests the same names in their original order. As far as I know, there is no way to change this behavior because the “new cert” and “renewal of an existing cert” code paths are quite distinct in this regard, and there is no option to redirect Certbot to follow the new cert behaviors during a renewal. Therefore, you would probably need to delete the old cert with certbot delete, specifying the certificate name with --cert-name.

But I think you may have misdiagnosed the situation here, because there is a newly-issued certificate that has designcomputer.com in the CN field.

https://crt.sh/?id=204829029

The fact that the certificate was originally saved in /etc/letsencrypt/live/designcomputer.com suggests that designcomputer.com was previously the CN as well, which probably corresponds to this certificate

https://crt.sh/?id=204784932

You also have three certificates whose CN is blenderism.com, the newest of which is

https://crt.sh/?id=204789884

These are probably stored in /etc/letsencrypt/live/blenderism.com and there’s probably no straightforward way to use Certbot to replace them with certs with the designcomputer.com CN.

If you run certbot certificates, you should get a list of which certificates you have. I think you’ll see that you have at least two separate certificate lineages with complete or nearly-complete overlap in name coverage, and one lineage will have the CN that you wanted and the other one won’t.

The main reason that this can happen is that, if you have an existing certificate and request a new one, Certbot will suggest replacing the old certificate with the new one if the new list of names is a strict superset of the old list, while it will suggest creating a separate certificate lineage with a separate name if the new list of names is not a strict superset of the old list (e.g. it’s missing one or more names that were covered by the old certificate).

It looks like all five of your Let's Encrypt certificates actually cover exactly the same set of names, so my guess for how this happened with Certbot probably doesn't apply to you. Maybe at one point you supplied the option "--duplicate" or something?

Thanks for helping. The problem is complicated by my not understanding exactly what the certbot-auto script is doing.

Is there a way to use the certbot delete command to clean everything up and let me start over without hitting some limit?

Deleting (or revoking) certificates doesn't affect rate limits:

Revoking certificates does not reset rate limits, because the resources used to issue those certificates have already been consumed.

If you run certbot certificates (in your case /root/certbot-auto certificates), you can see which certificates you have and one of them is probably one that already has the coverage that you want, so you should be able to continue to use that one and delete the other certificate or certificates.
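An added example, not code from the thread or from Certbot: it parses the `certbot certificates` output format quoted in this thread, groups lineages by their exact name coverage to find the duplicate lineages described above, and flags lineages whose name differs from their first listed domain (taken here, as stated earlier in the thread, to be the common name). The sample output is constructed to resemble the thread's listing.

```python
from collections import defaultdict

# Constructed sample modelled on the `certbot certificates` output quoted in
# this thread: two lineages with identical coverage plus one unrelated lineage.
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: designcomputer
    Domains: designcomputer.com,450th.designcomputer.com,blenderism.com
    Expiry Date: 2017-12-04 17:30:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/designcomputer/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/designcomputer/privkey.pem
  Certificate Name: designcomputer.com
    Domains: designcomputer.com,450th.designcomputer.com,blenderism.com
    Expiry Date: 2017-12-04 19:31:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/designcomputer.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/designcomputer.com/privkey.pem
  Certificate Name: blenderism.com
    Domains: blenderism.com,designcomputer.com
    Expiry Date: 2017-11-20 10:00:00+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/blenderism.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/blenderism.com/privkey.pem
-------------------------------------------------------------------------------
"""


def parse_lineages(text):
    """Return one {'name': ..., 'domains': [...]} dict per 'Certificate Name:' block."""
    lineages = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            lineages.append({"name": line.split(":", 1)[1].strip(), "domains": []})
        elif line.startswith("Domains:") and lineages:
            names = line.split(":", 1)[1].split(",")
            lineages[-1]["domains"] = [d.strip() for d in names if d.strip()]
    return lineages


def find_duplicate_coverage(lineages):
    """Groups of lineage names that cover exactly the same set of domains."""
    by_set = defaultdict(list)
    for lin in lineages:
        by_set[frozenset(lin["domains"])].append(lin["name"])
    return sorted(sorted(group) for group in by_set.values() if len(group) > 1)


def name_mismatches(lineages):
    """(lineage name, first domain) pairs where the lineage name != first domain.
    Assumption: the first listed domain is the certificate's common name."""
    return [(lin["name"], lin["domains"][0])
            for lin in lineages if lin["domains"] and lin["name"] != lin["domains"][0]]


if __name__ == "__main__":
    found = parse_lineages(SAMPLE_OUTPUT)
    print("duplicate coverage:", find_duplicate_coverage(found))
    print("name != common name:", name_mismatches(found))
```

Feed it the real listing (for example the saved output of `/root/certbot-auto certificates`) to see which lineage to keep and which to remove with `certbot delete --cert-name`.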

Thanks! I’ll check that tomorrow.

There are two. I created the second one inadvertently while trying to figure out why the Base Name and Common Name didn’t change after running the command shown in the first post.

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: designcomputer
    Domains: designcomputer.com,450th.designcomputer.com,blenderism.com,designtv.net,ereflex.com,fortmose.com,frogfancy.com,ic5.designcomputer.com,ic5.designtv.net,legiblelab.com,plus.weaponscollector.com,schedule.designtv.net,taoofblender.com,test.designcomputer.com,test.designtv.net,weaponscollector.com,www.designcomputer.com,www.designtv.net,www.weaponscollector.com,zenofblender.com
    Expiry Date: 2017-12-04 17:30:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/designcomputer/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/designcomputer/privkey.pem
  Certificate Name: designcomputer.com
    Domains: designcomputer.com,450th.designcomputer.com,blenderism.com,designtv.net,ereflex.com,fortmose.com,frogfancy.com,ic5.designcomputer.com,ic5.designtv.net,legiblelab.com,plus.weaponscollector.com,schedule.designtv.net,taoofblender.com,test.designcomputer.com,test.designtv.net,weaponscollector.com,www.designcomputer.com,www.designtv.net,www.weaponscollector.com,zenofblender.com
    Expiry Date: 2017-12-04 19:31:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/designcomputer.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/designcomputer.com/privkey.pem
-------------------------------------------------------------------------------

I ran:

/root/certbot delete --cert-name designcomputer.com

And now I have:

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: designcomputer
    Domains: designcomputer.com,450th.designcomputer.com,blenderism.com,designtv.net,ereflex.com,fortmose.com,frogfancy.com,ic5.designcomputer.com,ic5.designtv.net,legiblelab.com,plus.weaponscollector.com,schedule.designtv.net,taoofblender.com,test.designcomputer.com,test.designtv.net,weaponscollector.com,www.designcomputer.com,www.designtv.net,www.weaponscollector.com,zenofblender.com
    Expiry Date: 2017-12-04 17:30:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/designcomputer/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/designcomputer/privkey.pem
-------------------------------------------------------------------------------

But is there any way to make the Base Name and Common Name the same?

I spoke too soon. It now looks like the Base Name and Common Name are right. Thanks for the help @schoen!
