Renew / Edit Certificate


#1

Hello,

I’ve created a certificate using certbot successfully but I’ve made a little mistake on creation. The idea is that I wanted to create 2 certificates, one for each website, but instead I’ve created just one valid for both domains. The problem now is that I don’t want any links between the two domains whatsoever, therefore I need to either revoke/renew or edit the current certificate. What is the best approach for my problem?

The command used was this:
certbot-auto certonly --webroot -w /data/vhosts/example1/httpdocs/ -d www.example1.com -d example1.com -w /data/vhosts/example2.com/httpdocs/ -d www.example2.com -d example2.com

And I think it would have been easier if I had just run it two times, once for each domain, or run the command below (using webroot again for the second domain):
certbot-auto certonly --webroot -w /data/vhosts/example1/httpdocs/ -d www.example1.com -d example1.com --webroot -w /data/vhosts/example2.com/httpdocs/ -d www.example2.com -d example2.com

Also, looking through the forum I’ve found something about “Rate Limits”, and even though I’ve found a page explaining more about it here https://letsencrypt.org/docs/rate-limits/ it’s still unclear to me: what is the limitation really about?

Any help would be much appreciated.


#2

That won’t be anything different than your previous attempt.

Every time you run certbot to get a “new” certificate, it will get you just one cert. (Of course certbot renew will give you multiple certificates if there is more than one cert due for renewal.)

Just run certbot twice, one time per domain, and you’ll be fine.


#4

Generate a new certificate for just the one hostname, and use that one instead of the previously-generated cert. There’s no reason to revoke the old cert (the only real reason to do so is if you suspect the private key has been compromised), just stop using it once you’ve created the new ones.

Edit: It isn’t possible to edit an existing certificate. Once a certificate has been issued, if you want any of its details to be different, you need to get a new certificate with the correct details. This is true with any CA, not just with Let’s Encrypt.
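
Added example, not part of the original thread and not Certbot's own code: a check to run after reissuing one certificate per site, confirming that no certificate still lists both sites among its names. It assumes the `Certificate Name:` / `Domains:` layout printed by `certbot certificates`; the function names and the sample text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag certificates whose name list links more than one site.
# stdin: text in the layout printed by `certbot certificates` (assumed layout).
# args:  base domains that must never share a certificate.
# Prints "<cert name>: <sites>" per offender; returns 1 if any was found.
find_linked_certs() {
  awk -v sites="$*" '
    function ends_with(s, suf) {
      return length(s) > length(suf) && substr(s, length(s) - length(suf) + 1) == suf
    }
    BEGIN { n = split(sites, site, " ") }
    /Certificate Name:/ { sub(/^.*Certificate Name:[ \t]*/, ""); name = $0 }
    /Domains:/ {
      sub(/^.*Domains:[ \t]*/, "")
      gsub(/,/, " ")   # tolerate comma-separated lists too
      m = split($0, host, " ")
      hit = ""; count = 0
      # a host belongs to a site if it is the site itself or a subdomain of it
      for (i = 1; i <= n; i++) {
        for (j = 1; j <= m; j++) {
          if (host[j] == site[i] || ends_with(host[j], "." site[i])) {
            hit = hit " " site[i]; count++; break
          }
        }
      }
      if (count > 1) { print name ":" hit; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample in the `certbot certificates` layout (not real output).
sample_certs() {
  cat <<'EOF'
Found the following certs:
  Certificate Name: www.example1.com
    Domains: www.example1.com example1.com www.example2.com example2.com
    Expiry Date: 2099-01-01 00:00:00+00:00 (VALID: 89 days)
  Certificate Name: example2.com
    Domains: example2.com www.example2.com
    Expiry Date: 2099-01-01 00:00:00+00:00 (VALID: 89 days)
EOF
}

# Demo on the constructed sample: the combined certificate is reported.
sample_certs | find_linked_certs example1.com example2.com ||
  echo "combined certificate found: stop serving it once per-site certs exist"
```

On a live host, pipe the output of `certbot certificates` into `find_linked_certs` with your own base domains instead of the sample.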


#5

Understood, thanks for the info danb35.

By any chance do you know what “Rate Limits” refer to? Is it related to the number of certificates issued?


#6

I have a couple more questions, if these can still be added here; if not, I’ll create other posts for each of them.

  1. Is the renewal of the certificates done automatically or do I need to create a cron job?
  2. On renewal, is the folder .well-known still being used for validation or can I remove it?

Thanks.


#7
  1. You need to arrange for the certbot command to be run with “renew”; you can do this with a cronjob or by whatever means. Certbot will remember which names it has validated for certificates, and will arrange to renew any certificates with less than 30 days left until they expire, using validation methods you asked for previously as needed. It is common to run Certbot’s renewal mode once or twice per day, knowing it will do nothing when there is no work needed.

  2. Because other things (besides Let’s Encrypt) might want a .well-known/ folder it isn’t deleted automatically, but if you do delete it, Certbot will just put it back when it next creates files.

I think the rate limits page does a pretty good job of explaining each limit. Maybe if you can spell out specifically what you didn’t understand someone will be able to explain further?


#8

Yes, rate limits are related to the number of certificates issued. Here’s the page with the details: https://letsencrypt.org/docs/rate-limits/

Yes, you’ll need to create a cron job to renew the certificates. You should be able to simply call “certbot renew” daily for the cronjob–it will check any issued certs and, if they have less than 30 days remaining, renew them. And yes, if you’re using the HTTP-01 challenge (which you were if you were using the .well-known directory), the .well-known/acme-challenge path will need to be available at least while you’re running the renewal task.


#9

Thank you all for your support and keep up the good work everybody!!

