When does certbox append alter the filenames for certs?

whateverssl · October 25, 2018, 4:26pm

I noticed when creating certs that sometimes the stored file that is generated by certbot is modified.

So if I generated a cert for example.com it usually gets stored in the filesystem as:

But sometimes a suffix is added like 01 or 02.

I am assuming this is when I generate a cert for a domain that I already generated one for?

Is there a way to avoid this or to fail if the file already exists? My system assumes that the certs will match the domain name.

sahsanu · October 25, 2018, 9:40pm

Hi @whateverssl,

Yes, that could happen when adding or removing domains to an existing certificate. You can avoid it specifying what is the cert name you want to use for your certificate so certbot will "overwrite" the existing certificate.

I mean, if you have a certificate for example.com and now you want to replace it because you want to cover example.com and www.example.com in the same cert, certbot will create a directory like example.com-0001 containing the new cert but if you want to replace the existing certificate you should use the parameter --cert-name example.com to specify the name of the dir where your cert should be located.

$ certbot-auto help all | grep -A 7 cert-name
  --cert-name CERTNAME  Certificate name to apply. This name is used by
                        Certbot for housekeeping and in file paths; it doesn't
                        affect the content of the certificate itself. To see
                        certificate names, run 'certbot certificates'. When
                        creating a new certificate, specifies the new
                        certificate's name. (default: the first provided
                        domain or the name of an existing certificate on your
                        system for the same domains)

Cheers,
sahsanu

schoen · October 25, 2018, 9:54pm

It's a little more subtle than that: this doesn't happen if you only strictly increase the coverage of existing certificates, never removing any names. The -0001 happens when a list of names is specified that partially overlaps the coverage of an existing certificate without precisely duplicating it or strictly expanding it.

Otherwise, I totally agree with your advice to use --cert-name to change the coverage of a specific existing certificate.

whateverssl · October 25, 2018, 10:09pm

Thanks that is something I will investigate.

I am only doing a cert with a pattern like:

example.com
www.example.com
subdomain.example.com

I always want these to be under the same cert folder: example.com

Thanks!

system · November 24, 2018, 10:09pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Prevent -0001 -xxxx Certificate Suffixes Help	4	7202	August 15, 2018
Certbot update cert of domain.tld to *.domain.tld and keep paths Help	3	529	February 24, 2020
RE: Prevent -0001 -xxxx Certificate Suffixes Help	10	2689	February 22, 2019
-0001 cert directories? Help	5	1073	July 14, 2023
Certbot Using 000x with Domain Names after Deleting Initial Folders Server	2	1615	April 28, 2017

When does certbox append alter the filenames for certs?

Related topics