When does certbot append alter the filenames for certs?


#1

I noticed when creating certs that sometimes the stored file that is generated by certbot is modified.

So if I generated a cert for example.com it usually gets stored in the filesystem as:

example.com

But sometimes a suffix is added like 01 or 02.

I am assuming this is when I generate a cert for a domain that I already generated one for?

Is there a way to avoid this or to fail if the file already exists? My system assumes that the certs will match the domain name.


#2

Hi @whateverssl,

Yes, that could happen when adding domains to or removing domains from an existing certificate. You can avoid it by specifying the cert name you want to use for your certificate, so certbot will “overwrite” the existing certificate.

I mean, if you have a certificate for example.com and now you want to replace it because you want to cover example.com and www.example.com in the same cert, certbot will create a directory like example.com-0001 containing the new cert. If you want to replace the existing certificate, you should use the parameter --cert-name example.com to specify the name of the dir where your cert should be located.

$ certbot-auto help all | grep -A 7 cert-name
  --cert-name CERTNAME  Certificate name to apply. This name is used by
                        Certbot for housekeeping and in file paths; it doesn't
                        affect the content of the certificate itself. To see
                        certificate names, run 'certbot certificates'. When
                        creating a new certificate, specifies the new
                        certificate's name. (default: the first provided
                        domain or the name of an existing certificate on your
                        system for the same domains)

Cheers,
sahsanu


#3

It’s a little more subtle than that: this doesn’t happen if you only strictly increase the coverage of existing certificates, never removing any names. The -0001 happens when a list of names is specified that partially overlaps the coverage of an existing certificate without precisely duplicating it or strictly expanding it.

Otherwise, I totally agree with your advice to use --cert-name to change the coverage of a specific existing certificate.


#4

Thanks, that is something I will investigate.

I am only doing a cert with a pattern like:

example.com
www.example.com
subdomain.example.com

I always want these to be under the same cert folder: example.com

Thanks!
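An added example (not from the thread, and not certbot's own code) of the approach sahsanu describes: pin the lineage name with --cert-name so the directory is always example.com, and refuse to run at all if certbot has already created a suffixed lineage (example.com-0001 and so on) that the rest of the system would not find. CERTBOT and LE_ROOT are assumed placeholders for the certbot binary and its config directory.

```shell
#!/bin/sh
# Added example: issue a cert under a fixed lineage name and fail early if a
# suffixed lineage already exists. CERTBOT and LE_ROOT are assumed defaults.
: "${CERTBOT:=certbot}"
: "${LE_ROOT:=/etc/letsencrypt}"

# Print the certbot arguments for lineage NAME covering the given domains.
# The lineage name is passed explicitly, so certbot never picks a new one.
# Usage: build_certbot_args example.com example.com www.example.com
build_certbot_args() {
    name=$1; shift
    args="certonly --cert-name $name"
    for d in "$@"; do
        args="$args -d $d"
    done
    printf '%s\n' "$args"
}

# Return 0 if no NAME-<digits> lineage exists under $LE_ROOT/live, 1 if
# certbot has already split the name (e.g. example.com-0001).
lineage_is_clean() {
    name=$1
    live="$LE_ROOT/live"
    [ -d "$live" ] || return 0          # nothing issued yet
    for d in "$live/$name"-[0-9]*; do
        [ -e "$d" ] && return 1         # glob matched a real directory
    done
    return 0
}

# Issue a cert whose lineage name equals its first domain, matching the
# asker's layout (example.com, www.example.com, subdomain.example.com).
# Usage: issue_cert example.com www.example.com subdomain.example.com
issue_cert() {
    if ! lineage_is_clean "$1"; then
        echo "refusing: suffixed lineage for $1 found under $LE_ROOT/live" >&2
        return 1
    fi
    # shellcheck disable=SC2046
    "$CERTBOT" $(build_certbot_args "$1" "$@")
}
```

Run issue_cert from the same place you call certbot today; a non-zero exit with the "refusing" message means the live directory has drifted and needs cleaning up (certbot certificates will list the extra lineage) before the next issuance.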