Shared certificate where one domain has expired

My domain is: hanningtonlogs.co.uk and wcvpnamer.org

I ran this command: sudo certbot renew --apache

It produced this output: The following certificates could not be renewed:
/etc/letsencrypt/live/hanningtonlogs.co.uk/fullchain.pem (failure)

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: AWS EC2 instance

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.31.0

I have a server which was serving 5 domains and now is serving 4 domains because one of the domains (hanningtonlogs.co.uk) has expired and I no longer want it. It seems, from sudo certbot certificates, that the Let's Encrypt certificate for hanningtonlogs.co.uk is also the certificate for wcvpnamer.org. That certificate only has 15 days left so I want to renew it for wcvpnamer.org but I no longer want it to be certifying hanningtonlogs.co.uk.

I have run sudo a2dissite hanningtonlogs.co.uk.conf and sudo a2dissite hanningtonlogs.co.uk-le-ssl.conf so there is no reference to hanningtonlogs.co.uk in /etc/apache2/sites-enabled.

If I run sudo certbot renew --apache it fails to renew the certificate for wcvpnamer.org presumably because hanningtonlogs.co.uk no longer exists.

If I run sudo certbot renew --apache I get: Failed to renew certificate hanningtonlogs.co.uk with error: Some challenges have failed.

I guess I could temporarily sudo a2dissite wcvpnamer.org.conf and sudo a2dissite wcvpnamer.org-le-ssl.conf. Then delete the hanningtonlogs.co.uk certificate and then sudo a2ensite wcvpnamer.org.conf and the same for -le-ssl.conf. Then run sudo certbot --apache to create a new certificate for wcvpnamer.org.

Please could you advise me on my best course of action and any explanations you think I would benefit from.

Try sudo certbot --apache

4 Likes

I realize likely you have already found User Guide — Certbot 1.31.0 documentation
but I thought I would mention it in case you have not yet seen it.

There are other volunteers who know this like the back of their hand, I will let them handle it from here.

3 Likes

I think you have sorted it!

I did that and chose just wcvpnamer.org. Then I ran sudo certbot certificates and got the following output:

ubuntu@ip-172-31-32-80:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: bgrgolf.com
    Serial Number: 39a7eff2c2a2c181a1e34df20f5b4fe44cf
    Key Type: RSA
    Domains: bgrgolf.com learntospell.org.uk stevespages.org.uk wcvpnamer.org www.bgrgolf.com www.learntospell.org.uk www.stevespages.org.uk www.wcvpnamer.org
    Expiry Date: 2023-01-05 20:10:56+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/bgrgolf.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bgrgolf.com/privkey.pem
  Certificate Name: hanningtonlogs.co.uk
    Serial Number: 42d66d22368d39eca2872b2422ffea74bcb
    Key Type: RSA
    Domains: hanningtonlogs.co.uk wcvpnamer.org www.hanningtonlogs.co.uk www.wcvpnamer.org
    Expiry Date: 2022-10-23 14:56:44+00:00 (VALID: 15 days)
    Certificate Path: /etc/letsencrypt/live/hanningtonlogs.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hanningtonlogs.co.uk/privkey.pem
  Certificate Name: learntospell.org.uk
    Serial Number: 4a2d22ac6aeb9bb0ccf02aad849ebf4653a
    Key Type: RSA
    Domains: learntospell.org.uk
    Expiry Date: 2022-11-28 17:22:27+00:00 (VALID: 51 days)
    Certificate Path: /etc/letsencrypt/live/learntospell.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/learntospell.org.uk/privkey.pem
  Certificate Name: stevespages.org.uk
    Serial Number: 383f71e03f8ac6530a0a337b387522734cf
    Key Type: RSA
    Domains: stevespages.org.uk
    Expiry Date: 2022-11-28 19:11:07+00:00 (VALID: 51 days)
    Certificate Path: /etc/letsencrypt/live/stevespages.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/stevespages.org.uk/privkey.pem
  Certificate Name: wcvpnamer.org
    Serial Number: 317bdc691dc6b9c575d2e1ce50b24249ab5
    Key Type: RSA
    Domains: wcvpnamer.org
    Expiry Date: 2023-01-05 22:11:57+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/wcvpnamer.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wcvpnamer.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ubuntu@ip-172-31-32-80:~$

Then I ran sudo certbot delete and chose hanningtonlogs.co.uk. Now when I run sudo certbot certificates I can see hanningtonlogs.co.uk no longer shows up, wcvpnamer.org shows with 89 days and the other 3 domains show as they did before.

I really appreciate your and the others' work on this. I was very stressed by it. I hope it is sorted for now!

1 Like

Thanks! I will keep it close at hand.

2 Likes

You might want to "clean up" the certificates.
I see a few names being served from multiple certs:

Step #1: Make sure your web config is only using the cert(s) you intend on keeping.
Step #2: Delete the cert(s) you don't need.

5 Likes

I would like to do that. At the moment I have not got a clear idea of what I should be aiming for. Would it be sensible to aim to have one certificate for each domain and its sub domains eg have one certificate with both bgrgolf.com and www.bgrgolf.com on it and no other domains on it?

You should aim for a system that you understand and can manage effectively.

I personally prefer having one certificate for each VirtualHost. Then you can remove or add VirtualHosts for any domain without worrying about the others.

When I looked yesterday, requests to wcvpnamer.org were using the cert with just its apex name in it but not its www subdomain.

Your other domains were using the certbot bgrgolf.com cert with 8 names in it (including wcvpnamer.org and its www).

You can see the cert being used for each request with an SSL Checker test site like this one

4 Likes
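The clean-up steps above (make sure each VirtualHost uses only the cert you intend to keep, then delete the rest) and the mismatch Rudy describes (a VirtualHost whose cert carries the apex name but not its www alias) can be checked mechanically. This is an added example, not code from the thread or from Certbot: it parses the shape of `sudo certbot certificates` output and a certbot-style `*-le-ssl.conf` VirtualHost, both constructed inline here, and reports names on more than one cert and VirtualHosts whose SSLCertificateFile does not cover all their Server* names.

```python
import re
# Constructed sample in the shape of `sudo certbot certificates` output (trimmed fields).
CERTBOT_OUTPUT = """\
  Certificate Name: bgrgolf.com
    Domains: bgrgolf.com wcvpnamer.org www.bgrgolf.com www.wcvpnamer.org
    Certificate Path: /etc/letsencrypt/live/bgrgolf.com/fullchain.pem
  Certificate Name: wcvpnamer.org
    Domains: wcvpnamer.org
    Certificate Path: /etc/letsencrypt/live/wcvpnamer.org/fullchain.pem
"""
# Constructed sample of a certbot-generated *-le-ssl.conf VirtualHost.
APACHE_SSL_CONF = """\
<VirtualHost *:443>
    ServerName wcvpnamer.org
    ServerAlias www.wcvpnamer.org
    SSLCertificateFile /etc/letsencrypt/live/wcvpnamer.org/fullchain.pem
</VirtualHost>
"""
def parse_certs(text):
    """Map certificate name -> {'domains': set of names on the cert, 'path': fullchain path}."""
    certs, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Certificate Name":
            cur = certs[val] = {"domains": set(), "path": None}
        elif cur is not None and key == "Domains":
            cur["domains"] = set(val.split())
        elif cur is not None and key == "Certificate Path":
            cur["path"] = val
    return certs

def names_on_multiple_certs(certs):
    """Names present on more than one cert: the overlap that the clean-up removes."""
    owners = {}
    for name, c in certs.items():
        for d in c["domains"]:
            owners.setdefault(d, []).append(name)
    return {d: sorted(n) for d, n in owners.items() if len(n) > 1}

def check_vhosts(conf, certs):
    """Per <VirtualHost>: SSLCertificateFile must be a certbot cert covering every Server* name."""
    problems = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S):
        names = " ".join(re.findall(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", block, re.M)).split()
        paths = re.findall(r"^\s*SSLCertificateFile\s+(\S+)", block, re.M)
        cert = next((c for c in certs.values() if c["path"] in paths), None)
        missing = sorted(set(names) - (cert["domains"] if cert else set()))
        if missing:  # unknown cert file, or a cert that lacks some of the vhost's names
            problems.append(f"{names[0] if names else '?'}: {paths} does not cover {missing}")
    return problems
```

On a live host, feed it the real command output and the contents of /etc/apache2/sites-enabled/*-le-ssl.conf instead of the constructed strings.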

Thanks. Having one cert for each VirtualHost makes sense to me.

Is it possible to remove names from a cert? Or is it better to issue a new cert for any names and then delete the old certs?

I think I saw somewhere that you could use *.example.com which would be good for www.example.com and other subdomains but not for example.com itself. Is that correct?

Every modification to an existing certificate is impossible. So when you "modify" a certificate, you're actually just issuing an entirely brand new one.

So I'd say just make the certificates you want, configure your webserver accordingly and then remove the unused and unwanted certificates.

See Glossary - Let's Encrypt

Also note that you can combine a wildcard hostname and a regular hostname, i.e., both *.example.com and example.com in the same certificate.

6 Likes

I would like to combine *.example.com and example.com in the same certificate but when I run sudo certbot -v --apache I get a list to choose from which includes www.example.com but not *.example.com. How could I specify that I want *.example.com and example.com?

You can't get a wildcard cert with the Apache plug-in. That plug-in uses the HTTP Challenge. A DNS Challenge is required for a wildcard. (see LE docs and Certbot docs)

DNS Challenges are often much harder to configure. I seem to remember you use Route53 and that is possible to automate but very fussy (at least I think so).

A wildcard is most helpful when you have many subdomains and they change regularly. I don't see that as your case and using HTTP Challenge should be easier.

5 Likes

Thanks! I will forget about the wildcard. I thought it might be a simple way of future proofing. In fact I have no plans for subdomains beyond www at the moment anyway.

2 Likes

I have now tidied up my certificates with one certificate for each VirtualHost. Each certificate has the 'apex' name and the www subdomain for it. If you do see anything that is not good about it please do let me know. I have pasted the output from sudo certbot certificates below:

ubuntu@ip-172-31-32-80:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: bgrgolf.com-0001
    Serial Number: 4b99fcb0917ef1ed28197b8707572afda00
    Key Type: RSA
    Domains: bgrgolf.com www.bgrgolf.com
    Expiry Date: 2023-01-07 19:52:52+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/bgrgolf.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bgrgolf.com-0001/privkey.pem
  Certificate Name: learntospell.org.uk
    Serial Number: 4158e1abfb47b3de04d4e7ba1c1cf05479a
    Key Type: RSA
    Domains: learntospell.org.uk www.learntospell.org.uk
    Expiry Date: 2023-01-07 20:17:36+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/learntospell.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/learntospell.org.uk/privkey.pem
  Certificate Name: stevespages.org.uk
    Serial Number: 30f49373d240e202045d7ff01926577249a
    Key Type: RSA
    Domains: stevespages.org.uk www.stevespages.org.uk
    Expiry Date: 2023-01-07 20:19:21+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/stevespages.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/stevespages.org.uk/privkey.pem
  Certificate Name: wcvpnamer.org
    Serial Number: 34ce94ce64db9cba86b72c07ae40d21807a
    Key Type: RSA
    Domains: www.wcvpnamer.org wcvpnamer.org
    Expiry Date: 2023-01-07 20:20:54+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/wcvpnamer.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wcvpnamer.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ubuntu@ip-172-31-32-80:~$

1 Like

Looks good to me. Congrats.

I see each domain name returns the cert as you show them.

3 Likes
