I’m very confused with my certificates. When I started with certbot and was learning how to use it, I think I most likely screwed up some things. This being said, everything does work, but I think I’ve accidentally created multiple certs. I got a renewal notification, so I did the renewal instructions and it seemed to work fine. When I use www.sslshopper.com to look up my certs, the domains I have seem to have different renewal dates? Weird. I then got another notification saying I need to renew ASAP as I have 24 hours. But all my domains look to have a 30day+ date for renewal. So from reading this forum, it is most likely older certs that need to be removed. However, I am afraid to remove something I should not and break some sites. Could someone help educate me to identify what cert or certs are good and what I can remove so I can clean this up nicely?
My domain is: primary domain is smbservices.ca
I ran this command:
I can’t find the command in my history; if I recall correctly it was simply (using apache on centos7):
certbot renew
It produced this output:
output looked fine
My web server is (include version):
apache on centos7
My hosting provider, if applicable, is:
a VM
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
virtualmin
Use the command certbot certificates to obtain all the certificates you have on your server; you will see the certificate name, the domains covered by the cert, whether the cert is valid and for how long, and also the paths where the cert is located, so you will know what you have and what you should “clean”. Warning: before deleting any cert, please back up your /etc/letsencrypt/ dir completely.
Just in case, this is a list of all non expired certs covering *.smbservices.ca:
| CRT ID | DOMAIN (CN) | VALID FROM | VALID TO | EXPIRES IN | SANs |
|---|---|---|---|---|---|
| 377027541 | smbservices.ca | 2018-Apr-02 14:40 UTC | 2018-Jul-01 14:40 UTC | 83 days | adaginc.ca, brilox.ca, cal.smbservices.ca, converterlookup.ca, mysandbox.ca, ridesonthego.ca, smbservices.ca, trackmystat.ca |
| 374115857 | smbservices.ca | 2018-Apr-02 14:40 UTC | 2018-Jul-01 14:40 UTC | 83 days | adaginc.ca, brilox.ca, cal.smbservices.ca, converterlookup.ca, mysandbox.ca, ridesonthego.ca, smbservices.ca, trackmystat.ca |
| 340755968 | forum.smbservices.ca | 2018-Feb-25 12:48 UTC | 2018-May-26 12:48 UTC | 46 days | forum.smbservices.ca |
| 333528864 | www.smbservices.ca | 2018-Feb-17 12:54 UTC | 2018-May-18 12:54 UTC | 38 days | smbservices.ca, www.smbservices.ca |
| 327963939 | www.smbservices.ca | 2018-Feb-11 21:23 UTC | 2018-May-12 21:23 UTC | 33 days | smbservices.ca, www.smbservices.ca |
| 327956604 | www.smbservices.ca | 2018-Feb-11 21:09 UTC | 2018-May-12 21:09 UTC | 33 days | www.smbservices.ca |
| 302385240 | smbservices.ca | 2018-Jan-13 17:33 UTC | 2018-Apr-13 17:33 UTC | 4 days | adaginc.ca, brilox.ca, cal.smbservices.ca, converterlookup.ca, mysandbox.ca, ridesonthego.ca, smbservices.ca, trackmystat.ca |
| 299108079 | smbservices.ca | 2018-Jan-10 12:42 UTC | 2018-Apr-10 12:42 UTC | 0 days | adaginc.ca, brilox.ca, converterlookup.ca, mysandbox.ca, ridesonthego.ca, smbservices.ca, trackmystat.ca |
| 298724174 | adaginc.ca | 2018-Jan-09 21:55 UTC | 2018-Apr-09 21:55 UTC | 0 days | adaginc.ca, brilox.ca, cal.smbservices.ca, converterlookup.ca, mysandbox.ca, ridesonthego.ca, smbservices.ca, trackmystat.ca |
@sahsanu
Thank you for your reply. I can now see the paths. Now I’m even more afraid to remove the certs because it looks like they all play a role for a certain domain.
I was using certbot --apache --expand -d domains -d domain etc..
I assumed this added the new domains to the latest or primary cert, but from what I can see the first and primary cert does not contain all the domains. They are basically scattered all over the VALID certs.
Am I able to import or group all my active domains to my primary cert? The first one below is what I consider my primary.
Yes, you can issue a new cert covering all your domains:
1.- As root, make a backup of /etc/letsencrypt/ dir:
cd && tar zcvf backup_etc_letsencrypt-2018_04_11.tar.gz /etc/letsencrypt/
2.- Issue a new certificate for all your domains, in this case we will specify the parameter --cert-name to let certbot know which is the certificate we want to expand and also we will add all the certificates needed (including the ones that the current cert has):
That should create a certificate for all your domains. Then you should check that apache conf files (SSL directives) for your domains are pointing to the right path /etc/letsencrypt/live/smbservices.ca/
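
The final check in the reply above (each vhost's SSL directives pointing at /etc/letsencrypt/live/smbservices.ca/) can be automated before any old certificate is deleted. The following is an added example, not part of the original thread: it reads Apache vhost text, lists directives that still point elsewhere, and reports which certbot lineages are still referenced. The config file names, the vhost contents and the lineage name forum.smbservices.ca are constructed assumptions.

```python
import re

# Constructed sample input: Apache vhost snippets keyed by made-up file names.
# The lineage name "forum.smbservices.ca" is an assumption for illustration.
SAMPLE_CONFS = {
    "smbservices.conf": """
<VirtualHost *:443>
    ServerName smbservices.ca
    SSLCertificateFile /etc/letsencrypt/live/smbservices.ca/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/smbservices.ca/privkey.pem
</VirtualHost>
""",
    "forum.conf": """
<VirtualHost *:443>
    # SSLCertificateFile /etc/letsencrypt/live/smbservices.ca/cert.pem
    SSLCertificateFile "/etc/letsencrypt/live/forum.smbservices.ca/cert.pem"
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.smbservices.ca/privkey.pem
    ServerName forum.smbservices.ca
</VirtualHost>
""",
}

VHOST = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
SERVER = re.compile(r"^\s*ServerName\s+(\S+)", re.I | re.M)
# Active (uncommented) SSLCertificateFile / KeyFile / ChainFile directives.
SSL = re.compile(r'^\s*(SSLCertificate\w*File)\s+"?([^"\s]+)"?', re.I | re.M)
LINEAGE = re.compile(r"^/etc/letsencrypt/(?:live|archive)/([^/]+)/")

def ssl_directives(confs):
    """Yield (file, server_name, directive, path) per active SSL directive."""
    for fname, text in confs.items():
        for block in VHOST.findall(text):
            name = SERVER.search(block)
            name = name.group(1) if name else "(no ServerName)"
            for directive, path in SSL.findall(block):
                yield fname, name, directive, path

def not_on_lineage(confs, wanted):
    """Directives whose path is outside /etc/letsencrypt/live/<wanted>/."""
    good = "/etc/letsencrypt/live/%s/" % wanted
    return [row for row in ssl_directives(confs) if not row[3].startswith(good)]

def lineages_in_use(confs):
    """Lineage names still referenced by a vhost; deleting these breaks a site."""
    hits = (LINEAGE.match(path) for *_, path in ssl_directives(confs))
    return {m.group(1) for m in hits if m}

if __name__ == "__main__":
    for row in not_on_lineage(SAMPLE_CONFS, "smbservices.ca"):
        print("still on another cert:", *row)
    print("lineages referenced:", sorted(lineages_in_use(SAMPLE_CONFS)))
```

On a real server, the dictionary would be filled from the Apache configuration files instead of the sample strings; any lineage reported as still referenced should be left in place until its vhost is repointed and Apache reloaded.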