LetsEncrypt certificate path with domain suffix

Hi Marc,

Yes! This looks much better.

Out of subject:

Lately on the forum, I encountered a few times the appending of -001 to the FQDN of the domain, in the path to the key-storage directory.

My first encounter with this addition was after a Let’s Encrypt certificate renewal error. I corrected this “error”, but was it one?

I would like to know your point of view on the subject; here or in a new topic.

Michel-André

I know almost nothing about it. But a search suggests that the suffix (0001…n) is added in case of domain name collision when requesting/renewing a certificate lineage.
This has been seen, for instance, when adding/removing Subject Alternative Names from a multidomain certificate.

Hi Marc,

Thank you for your research.

It looks like there is no clear solution for removing that -0001 suffix.

But, NethServer has something that other distros don’t have (?), i.e. the choice to easily tell the server which certificate to use: the original one NS created or the Let’s Encrypt one.

Suggestion #1:

Suggestion #2:

  • tell NS to take the certificate it created
  • tar /etc/letsencrypt as a backup
  • delete /etc/letsencrypt
  • reinstall nethserver-letsencrypt
  • ask a Let’s Encrypt certificate
  • point NS to take the new Let’s Encrypt certificate

Problems:

  • I do not have a test server directly connected to the internet.
  • Maybe the certificate NS created doesn’t have all the newly added domains?
  • Reinstalling nethserver-letsencrypt might bring back some config parameters?

Any suggestion?

Michel-André

Hi all,

THE ORIGINAL PROBLEM:
■ The first FQDN-0001 was created after I deleted one of the domains in the list when I requested a new Let’s Encrypt certificate.
■ The second FQDN-0002 was created the day after, when Let’s Encrypt renewed, by itself, the new certificate from the day before.
■ On the second day after asking for the new certificate, all was normal except the suffixes.

THE ORIGINAL PROBLEM RESOLVED:
I resolved my problem with the -0001 suffix.
I have to admit that I had not only -0001 but also -0002 suffixes.

Now, I have one brand new Let’s Encrypt certificate and no suffix at all.

I used 1 certificate for multiple domains, i.e. a SAN certificate (certificates with SAN also provide a SAN [Subject Alternative Name] field that allows additional domain names to be protected with a single certificate). Have a look at https://www.micronator.org and display the certificate information.


PROCEDURE:
† Your mileage may vary!
†† tar /etc/letsencrypt as a backup (just in case I run over the 5/7 LE limit)

Cockpit → System → Certificates
● Set as default the NethServer auto-signed certificate.
● Delete all Let’s Encrypt certificates on this page.

/etc/letsencrypt/
Delete the content of directories:
● live
● archive
● renewal

Logout of Cockpit.
● Clean the browser cache and the workstation cache.
● Login to Cockpit.

Cockpit → System → Certificates → Request Let's Encrypt Certificate.
● Verify all the entered domains. (The domains should all display automatically.)
Request.
(You may have to request the certificate twice: the first request will create /etc/letsencrypt/FQDN and the second one will create the new certificate.)

Wait until Cockpit finishes the request.
● Refresh the page.

Cockpit → System → Certificates
● Set as default the new Let’s Encrypt certificate.
● Refresh the page.

/etc/letsencrypt/live/
● There should only be one FQDN directory.

Voilà! You have a brand new Let’s Encrypt certificate and no more -0001 suffix.

† Wait until the day after, at the same time as you asked for the new Let’s Encrypt certificate:
/etc/letsencrypt/live/
● There should still be only the FQDN directory.

Michel-André

I have a variety of concerns with this method, but it seems you’re missing the simplest and most obvious solution–if the -0001 cert was created (as it would be expected to be) when you “deleted one of the domain in the list when I requested a new Let’s Encrypt Certificate,” then that’s now the cert you want to use. Set it as default in the list, and you’re done. Nothing at all to do at the command line.

If you really want to clean things up, certbot delete --cert-name foo is your friend. You should never need to manually make changes inside of /etc/letsencrypt/.
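To make the two approaches in this thread concrete (Michel-André’s manual clean-up of /etc/letsencrypt/live and the advice above to keep the lineage that matches the current domain set and remove the rest with certbot delete), here is an added shell example that is not from the thread or from NethServer: it lists lineages carrying a -000N collision suffix, shows the SANs each one’s cert.pem covers via openssl, and prints the certbot delete commands for review instead of running them. The live directory path and lineage names are assumed; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a certbot "live" tree for
# -000N collision lineages and print the certbot delete commands you would
# review before cleaning up. Assumed layout: $LIVE/<lineage>/cert.pem,
# i.e. the standard /etc/letsencrypt/live tree.

# Print "lineage base" for every directory named <base>-NNNN under $1.
suffixed_lineages() {
    for d in "$1"/*-[0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        printf '%s %s\n' "$name" "${name%-[0-9][0-9][0-9][0-9]}"
    done
}

# Comma-separated SAN list of lineage $2's cert.pem under $1
# ("-" when there is no readable cert or no openssl on the host).
lineage_sans() {
    cert="$1/$2/cert.pem"
    if [ -r "$cert" ] && command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$cert" -noout -text 2>/dev/null |
            grep -o 'DNS:[^,[:space:]]*' | sed 's/DNS://' | paste -sd, -
    else
        printf -- '-\n'
    fi
}

# Print "certbot delete --cert-name X" for every base lineage and suffixed
# sibling under $1 except $2, the lineage you decided to keep (the one whose
# SANs match the domain set the server should serve). Nothing is executed.
delete_commands() {
    live="$1"; keep="$2"
    suffixed_lineages "$live" | while read -r name base; do
        for cand in "$base" "$name"; do
            [ -d "$live/$cand" ] || continue
            [ "$cand" = "$keep" ] && continue
            printf 'certbot delete --cert-name %s\n' "$cand"
        done
    done | sort -u
}

# Stand-alone run on a constructed tree (not a real server).
demo=$(mktemp -d)
mkdir -p "$demo/example.com" "$demo/example.com-0001" "$demo/example.com-0002"
suffixed_lineages "$demo" | while read -r name base; do
    echo "$name (collides with $base) SANs: $(lineage_sans "$demo" "$name")"
done
delete_commands "$demo" example.com-0002
rm -rf "$demo"
```

On a real host, point the functions at /etc/letsencrypt/live, compare the SAN lists to pick the lineage to keep, and only then run the printed certbot delete lines.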

Dear @michelandre Michel,

What I think / suppose is that a “complete LE module restart” would be a good idea for me. It is somehow a kind of “back to zero” for the LE module. Is this the procedure I need to do to get rid of all “-000x” certificates?

TIA
Thorsten

No, I wouldn’t recommend manually messing with any of the files in /etc/letsencrypt/. tar up that directory as a backup if you like (it’d be a good idea), but removing anything should be done using the certbot delete command.

Hi @thorsten,

Exactly what this procedure will do except for the Certificate Signing Request (CSR) counter.

This is the backup.

This is to enable you to delete all LE certificates and still have the original NS’s one.

on this page… This should delete all LE certificates.

live → this should be empty because there should be no more LE certificates as you deleted all of them with the previous action.
archive → LE will start a new counter with cert1.
renewal → this will force LE to create a new account for you

This will force the browser to take the original NS certificate.

The rest is standard procedure.

Michel-André

Honestly … I do not dare …

:pleading_face: