Two certs with almost the same domains


#1

Hi, I don’t quite remember how I ended up with this, but when I type certbot certificates I get something like this:

Found the following certs:
  Certificate Name: example.com-0001
    Domains: example.com blog.example.com docs.example.com
    Expiry Date: 2018-09-09 21:42:33+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/example.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com-0001/privkey.pem
  Certificate Name: example.com
    Domains: example.com banana.example.com docs.example.com
    Expiry Date: 2018-06-27 10:33:49+00:00 (VALID: 11 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

These two certificates differ only in one domain. The bottom certificate expires soon, and since I don’t use/host banana.example.com anymore, I don’t need to renew this cert. Is it safe to delete it, and use in apache configs only the first certificate instead of the second one?


#2

Hi @pni,

Yes, if it isn’t referenced in web server configurations, it should be fine to delete it. Certbot has a certbot delete command to do this for you.

The way that you got example.com-0001 was probably by running something like certbot certonly -d example.com -d blog.example.com -d docs.example.com. If you didn’t specify --cert-name example.com at the same time, Certbot would have concluded that you didn’t intend to replace the existing certificate because you were reducing the certificate’s coverage by excluding banana.example.com. (Certbot’s heuristic for replacing, or suggesting replacing, an existing certificate automatically only considers replacing certificates that contain a subset of the names in the new request.)
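
The "isn't referenced in web server configurations" check from the reply above, as an added example that is not part of the original thread or of Certbot. The function names and the sample vhost files are constructed for illustration; point the functions at your real Apache config directory (its location is an assumption that depends on your distribution).

```shell
# Added example (not from the thread): look for references to a Certbot
# lineage in web server configs before running `certbot delete`.

# Print config lines that point into LIVE_DIR/LINEAGE/. Fixed-string match
# with a trailing slash, so "example.com" does not match "example.com-0001".
find_cert_refs() {
    lineage=$1; conf_dir=$2; live_dir=${3:-/etc/letsencrypt/live}
    grep -rnF -- "$live_dir/$lineage/" "$conf_dir" 2>/dev/null |
        grep -v '^[^:]*:[0-9]*:[[:space:]]*#'   # ignore commented-out lines
}

# Status 0: no active reference. 1: still referenced. 2: config dir missing.
safe_to_delete() {
    [ -d "$2" ] || { echo "no such config dir: $2" >&2; return 2; }
    refs=$(find_cert_refs "$@") || true
    [ -z "$refs" ] && return 0
    printf 'still referenced:\n%s\n' "$refs" >&2
    return 1
}

# Constructed sample vhosts written to DIR (for the demo only).
write_sample_conf() {
    cat > "$1/blog.conf" <<'EOF'
<VirtualHost *:443>
    ServerName blog.example.com
    SSLCertificateFile /etc/letsencrypt/live/example.com-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0001/privkey.pem
</VirtualHost>
EOF
    cat > "$1/docs.conf" <<'EOF'
<VirtualHost *:443>
    ServerName docs.example.com
    # SSLCertificateFile /etc/letsencrypt/live/example.com-0001/fullchain.pem
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
EOF
}

demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir"
for name in example.com example.com-0001; do
    if safe_to_delete "$name" "$demo_dir"; then
        echo "$name: no references found"
    else
        echo "$name: update the vhosts listed above before deleting"
    fi
done
rm -rf "$demo_dir"
```

In the constructed sample, docs.conf still points at the expiring example.com lineage, so that vhost has to be switched to example.com-0001 and Apache reloaded before `certbot delete --cert-name example.com` is run.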


#3

Thanks. Didn’t know that I could specify cert name with --cert-name. Have a nice day!

