Purging all certs on NGINX created by certbot

I have a mail server with SOGo as my webmail. I have three separate domains pointing to the server with one single virtual host as a catchall. When I initially configured the server I only had one domain: mail.familymattersliving.com. I later added additional domains (listed below) but I ran certbot as if they were independent. When I realized the mistake I ran certbot again attaching to the original cert. Now I have all of this:

```
$ sudo certbot -auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: autoconfig.securityguardcommand.com
    Serial Number: 
    Key Type: RSA
    Domains: autoconfig.securityguardcommand.com
    Expiry Date: 2023-09-14 04:15:02+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/autoconfig.securityguardcommand.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/autoconfig.securityguardcommand.com/privkey.pem
  Certificate Name: existing-domain.com
    Serial Number: 
    Key Type: RSA
    Domains: mail.familymattersliving.com mail.mischasbeauty.com mail.securityguardcommand.com
    Expiry Date: 2023-09-14 05:21:49+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/existing-domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/existing-domain.com/privkey.pem
  Certificate Name: mail.familymattersliving.com
    Serial Number: 
    Key Type: RSA
    Domains: mail.familymattersliving.com
    Expiry Date: 2023-09-09 04:47:56+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/mail.familymattersliving.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.familymattersliving.com/privkey.pem
  Certificate Name: mail.securityguardcommand.com
    Serial Number: 
    Key Type: RSA
    Domains: mail.securityguardcommand.com
    Expiry Date: 2023-09-14 02:36:14+00:00 (VALID: 83 days)
    Certificate Path: /etc/letsencrypt/live/mail.securityguardcommand.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.securityguardcommand.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

How do I purge all certs so I can start over and clean this mess up?
I cannot find any reference in NGINX virtual host file to any of these certs.
When I go to mail.familymattersliving.com the SSL works perfectly. But when I go to any of the other domains, I get a message stating that the cert being used was issued to mail.familymatters.com and is not valid.

|Common Name (CN)|mail.familymattersliving.com|
|---|---|
|Organization (O)|<Not Part Of Certificate>|
|Organizational Unit (OU)|<Not Part Of Certificate>|

My domain is: mail.familymattersliving.com, mail.securityguardcommand.com, mail.mischasbeauty.com and also the following subdomains for each domain: autodiscover, autoconfigure.

My web server is (include version): NGINX
The operating system my web server runs on is (include version): Ubuntu 22.04
My hosting provider, if applicable, is: Serverpoint VPS
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Hi @someguyin209, and welcome to the LE community forum :slight_smile:

You shouldn't do that.

Why "start over"?
The only "mess" I see is the mail.securityguardcommand.com name is being covered by two certs:

And that's not much of a mess.

That is not a "mess" that any cert can create.
Please post your full nginx configuration:

```
nginx -T
```

3 Likes

I need one cert for all domains. I cannot have separate certs due to dovecot only allowing one cert.

Why not use one single cert with one single name on it?
The world's largest ESPs do it:
imap.gmail.com
imap.outlook.com

2 Likes

00-default-ssl.conf:

```nginx
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    root /var/www/html;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}
```

/etc/nginx/templates/ssl.tmpl:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;

# Fix 'The Logjam Attack'.
ssl_ciphers ;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh2048_param.pem;

# Greatly improve the performance of keep-alive connections over SSL.
# With this enabled, client is not necessary to do a full SSL-handshake for
# every request, thus saving time and cpu-resources.
ssl_session_cache shared:SSL:10m;

# To use your own ssl cert (e.g. "Let's Encrypt"), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
#
# For example:
#
# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/ssl/certs/iRedMail.crt
#
# To request free "Let's Encrypt" cert, please check our tutorial:
# https://docs.iredmail.org/letsencrypt.html
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;
```

I asked for:

You showed two files:

We volunteer for FREE.
You should choose your replies a little better.
Good night :zzz:

3 Likes

Don't know what you're referring to..................

I figured out the mess. I removed the symlink to the cert, created a whole new cert with all domains and sub domains, then recreated the symlinks with the new cert.

Unless you've manually messed up the /etc/letsencrypt/live/ directory previously, it's NOT recommended to manually apply changes to the /live/ directory! It often leads to broken Certbot configurations.

5 Likes
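An added example, not code from anyone in this thread: a script that parses the `certbot certificates` output from the first post, lists names covered by more than one lineage (the overlap rg305 points at), and picks the lineage worth keeping, what it still lacks, and which lineages are safe to delete once the ssl.tmpl symlinks point at it. It assumes the "autoconfigure" subdomain in the post means "autoconfig", as in the existing lineage name.

```python
import re

# Constructed sample: lineage/domain lines from the first post's `certbot certificates` output.
CERTBOT_OUTPUT = """\
  Certificate Name: autoconfig.securityguardcommand.com
    Domains: autoconfig.securityguardcommand.com
  Certificate Name: existing-domain.com
    Domains: mail.familymattersliving.com mail.mischasbeauty.com mail.securityguardcommand.com
  Certificate Name: mail.familymattersliving.com
    Domains: mail.familymattersliving.com
  Certificate Name: mail.securityguardcommand.com
    Domains: mail.securityguardcommand.com
"""
# Names the poster says one cert must cover (assumption: "autoconfigure" in the
# post is read as "autoconfig", matching the existing lineage name above).
DOMAINS = ("familymattersliving.com", "mischasbeauty.com", "securityguardcommand.com")
REQUIRED = {f"{h}.{d}" for d in DOMAINS for h in ("mail", "autoconfig", "autodiscover")}

def parse_lineages(text):
    """Map each certbot lineage name to the set of names it covers."""
    lineages, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Certificate Name:\s*(\S+)", line):
            lineages[(current := m.group(1))] = set()
        elif (m := re.match(r"\s*Domains:\s*(.+)", line)) and current:
            lineages[current].update(m.group(1).split())
    return lineages

def duplicate_coverage(lineages):
    """Names present in more than one lineage -> sorted list of those lineages."""
    seen = {}
    for name, covered in lineages.items():
        for d in covered:
            seen.setdefault(d, set()).add(name)
    return {d: sorted(n) for d, n in seen.items() if len(n) > 1}

def plan(lineages, required):
    """Keep the lineage covering most required names; report gaps and redundant lineages."""
    best = max(lineages, key=lambda n: len(lineages[n] & required))
    missing = sorted(required - lineages[best])
    redundant = sorted(n for n in lineages if n != best and lineages[n] <= lineages[best])
    return best, missing, redundant

if __name__ == "__main__":
    lineages = parse_lineages(CERTBOT_OUTPUT)
    for dom, names in sorted(duplicate_coverage(lineages).items()):
        print(f"{dom} is in {len(names)} lineages: {', '.join(names)}")
    best, missing, redundant = plan(lineages, REQUIRED)
    print(f"keep {best} (symlink /etc/letsencrypt/live/{best}/ into the ssl.tmpl paths)")
    print("still uncovered:", ", ".join(missing))
    for name in redundant:
        print(f"certbot delete --cert-name {name}")
```

Run it on a real box by replacing the constructed sample with the actual `certbot certificates` output; the uncovered list is what a `certbot --cert-name existing-domain.com -d ...` expansion still needs to add before the single-cert setup Dovecot requires is complete.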
