Renewals notification after doing certbot renew


#1

I’m very confused with my certificates. When I started with certbot and learning how to use it, I think I most likely screwed up some things. This being said, everything does work, but I think I’ve accidentally created multiple certs. I got a renewal notification, so I did the renewal instructions and it seemed to work fine. When I use www.sslshopper.com to look up my certs, the domains I have seem to have different renewal dates? Weird. I then got another notification saying I need to renew ASAP as I have 24 hours. But all my domains look to have a 30day+ date for renewal. So from reading this forum, it is most likely older certs that need to be removed. However, I am afraid to remove something I should not and break some sites. Could someone help educate me to identify which cert or certs are good and what I can remove so I can clean this up nicely?

My domain is: primary domain is smbservices.ca

I ran this command:
I can’t find the command in my history; if I recall correctly it was simply (using apache on centos7):
certbot renew

It produced this output:
output looked fine

My web server is (include version):
apache on centos7

My hosting provider, if applicable, is:
a VM

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
virtualmin


#2

Hi @gstlouis,

Use the command certbot certificates to list all the certificates you have on your server. You will see the certificate name, the domains covered by the cert, whether the cert is valid and for how long, and also the paths where the cert is located, so you will know what you have and what you should “clean”. Warning: before deleting any cert, please back up your /etc/letsencrypt/ dir completely.

Just in case, this is a list of all non expired certs covering *.smbservices.ca:

CRT ID     DOMAIN (CN)           VALID FROM             VALID TO               EXPIRES IN  SANs
377027541  smbservices.ca        2018-Apr-02 14:40 UTC  2018-Jul-01 14:40 UTC  83 days     adaginc.ca
                                                                                           brilox.ca
                                                                                           cal.smbservices.ca
                                                                                           converterlookup.ca
                                                                                           mysandbox.ca
                                                                                           ridesonthego.ca
                                                                                           smbservices.ca
                                                                                           trackmystat.ca
374115857  smbservices.ca        2018-Apr-02 14:40 UTC  2018-Jul-01 14:40 UTC  83 days     adaginc.ca
                                                                                           brilox.ca
                                                                                           cal.smbservices.ca
                                                                                           converterlookup.ca
                                                                                           mysandbox.ca
                                                                                           ridesonthego.ca
                                                                                           smbservices.ca
                                                                                           trackmystat.ca
340755968  forum.smbservices.ca  2018-Feb-25 12:48 UTC  2018-May-26 12:48 UTC  46 days     forum.smbservices.ca
333528864  www.smbservices.ca    2018-Feb-17 12:54 UTC  2018-May-18 12:54 UTC  38 days     smbservices.ca
                                                                                           www.smbservices.ca
327963939  www.smbservices.ca    2018-Feb-11 21:23 UTC  2018-May-12 21:23 UTC  33 days     smbservices.ca
                                                                                           www.smbservices.ca
327956604  www.smbservices.ca    2018-Feb-11 21:09 UTC  2018-May-12 21:09 UTC  33 days     www.smbservices.ca
302385240  smbservices.ca        2018-Jan-13 17:33 UTC  2018-Apr-13 17:33 UTC  4 days      adaginc.ca
                                                                                           brilox.ca
                                                                                           cal.smbservices.ca
                                                                                           converterlookup.ca
                                                                                           mysandbox.ca
                                                                                           ridesonthego.ca
                                                                                           smbservices.ca
                                                                                           trackmystat.ca
299108079  smbservices.ca        2018-Jan-10 12:42 UTC  2018-Apr-10 12:42 UTC  0 days      adaginc.ca
                                                                                           brilox.ca
                                                                                           converterlookup.ca
                                                                                           mysandbox.ca
                                                                                           ridesonthego.ca
                                                                                           smbservices.ca
                                                                                           trackmystat.ca
298724174  adaginc.ca            2018-Jan-09 21:55 UTC  2018-Apr-09 21:55 UTC  0 days      adaginc.ca
                                                                                           brilox.ca
                                                                                           cal.smbservices.ca
                                                                                           converterlookup.ca
                                                                                           mysandbox.ca
                                                                                           ridesonthego.ca
                                                                                           smbservices.ca
                                                                                           trackmystat.ca

Cheers,
sahsanu


#3

@sahsanu
Thank you for your reply. I can now see the paths. Now I’m even more afraid to remove the certs because it looks like they all play a role for a certain domain.

I was using certbot --apache --expand -d domains -d domain etc..
I assumed this added the new domains to the latest or primary cert, but from what I can see the first and primary cert does not contain all the domains. They are basically scattered all over the VALID certs.

Am I able to import or group all my active domains to my primary cert? The first one below is what I consider my primary.

Found the following certs:

  Certificate Name: smbservices.ca
    Domains: smbservices.ca adaginc.ca brilox.ca cal.smbservices.ca converterlookup.ca mysandbox.ca ridesonthego.ca trackmystat.ca
    Expiry Date: 2018-07-01 14:40:07+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/smbservices.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/smbservices.ca/privkey.pem

  Certificate Name: www.smbservices.ca
    Domains: www.smbservices.ca smbservices.ca
    Expiry Date: 2018-05-18 12:54:00+00:00 (VALID: 37 days)
    Certificate Path: /etc/letsencrypt/live/www.smbservices.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.smbservices.ca/privkey.pem

  Certificate Name: www.adaginc.ca
    Domains: www.adaginc.ca adaginc.ca
    Expiry Date: 2018-05-12 21:21:27+00:00 (VALID: 32 days)
    Certificate Path: /etc/letsencrypt/live/www.adaginc.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.adaginc.ca/privkey.pem
  
  Certificate Name: trackmystat.ca
    Domains: trackmystat.ca www.trackmystat.ca
    Expiry Date: 2018-05-18 12:36:56+00:00 (VALID: 37 days)
    Certificate Path: /etc/letsencrypt/live/trackmystat.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/trackmystat.ca/privkey.pem
  
  Certificate Name: forum.smbservices.ca
    Domains: forum.smbservices.ca
    Expiry Date: 2018-05-26 12:48:14+00:00 (VALID: 45 days)
    Certificate Path: /etc/letsencrypt/live/forum.smbservices.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/forum.smbservices.ca/privkey.pem

#4

Hi @gstlouis,

Yes, you can issue a new cert covering all your domains:

1.- As root, make a backup of /etc/letsencrypt/ dir:

cd && tar zcvf backup_etc_letsencrypt-2018_04_11.tar.gz /etc/letsencrypt/

2.- Issue a new certificate for all your domains, in this case we will specify the parameter --cert-name to let certbot know which is the certificate we want to expand and also we will add all the certificates needed (including the ones that the current cert has):

certbot --apache --expand --cert-name smbservices.ca -d smbservices.ca,www.smbservices.ca,forum.smbservices.ca,adaginc.ca,www.adaginc.ca,brilox.ca,cal.smbservices.ca,converterlookup.ca,mysandbox.ca,ridesonthego.ca,trackmystat.ca,www.trackmystat.ca

That should create a certificate for all your domains. Then you should check that apache conf files (SSL directives) for your domains are pointing to the right path /etc/letsencrypt/live/smbservices.ca/

Good luck,
sahsanu
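
Added example, not part of the original posts: a pre- and post-check for the consolidation described in post #4. It parses `certbot certificates` output (sample copied from post #3, trimmed to the Name and Domains lines) to confirm the `-d` list omits nothing, lists the certificates the expanded one supersedes, and finds Apache SSL directives still pointing elsewhere. The function names are hypothetical.

```shell
#!/bin/sh
# Added example. Input: `certbot certificates` output, trimmed from post #3
# to the "Certificate Name" and "Domains" lines.
sample_certs() { cat <<'EOF'
Found the following certs:
  Certificate Name: smbservices.ca
    Domains: smbservices.ca adaginc.ca brilox.ca cal.smbservices.ca converterlookup.ca mysandbox.ca ridesonthego.ca trackmystat.ca
  Certificate Name: www.smbservices.ca
    Domains: www.smbservices.ca smbservices.ca
  Certificate Name: www.adaginc.ca
    Domains: www.adaginc.ca adaginc.ca
  Certificate Name: trackmystat.ca
    Domains: trackmystat.ca www.trackmystat.ca
  Certificate Name: forum.smbservices.ca
    Domains: forum.smbservices.ca
EOF
}
# The -d list from step 2 of post #4.
PLANNED=smbservices.ca,www.smbservices.ca,forum.smbservices.ca,adaginc.ca,www.adaginc.ca,brilox.ca,cal.smbservices.ca,converterlookup.ca,mysandbox.ca,ridesonthego.ca,trackmystat.ca,www.trackmystat.ca

# Domains that some existing certificate covers but the -d list ($1) omits.
uncovered_domains() {
  awk -v planned="$1" '
    BEGIN { n = split(planned, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "Domains:" { for (i = 2; i <= NF; i++) if (!($i in want) && !seen[$i]++) print $i }'
}

# Certificates other than $2 whose domains are all in the -d list ($1).
covered_lineages() {
  awk -v planned="$1" -v keep="$2" '
    BEGIN { n = split(planned, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "Certificate" && $2 == "Name:" { name = $3 }
    $1 == "Domains:" { ok = 1; for (i = 2; i <= NF; i++) if (!($i in want)) ok = 0
                       if (ok && name != keep) print name }'
}

# SSL directives under Apache config dir $2 that do not point at lineage $1.
stale_refs() {
  grep -rHE '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$2" |
    grep -vF "/etc/letsencrypt/live/$1/" || true
}

echo "omitted from -d list: $(sample_certs | uncovered_domains "$PLANNED" | tr '\n' ' ')"
echo "superseded after expand: $(sample_certs | covered_lineages "$PLANNED" smbservices.ca | tr '\n' ' ')"
```

On the server, pipe the live `certbot certificates` output into the first two functions before step 2, and run `stale_refs smbservices.ca` against the Apache config directory afterwards (assumed here to be /etc/httpd, as on a stock CentOS 7 install); a superseded certificate is only safe to clean up once `stale_refs` no longer lists its path.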

