Zombie Let's Encrypt certificate

NethServer Version: 7.9
Module: Lets Encrypt Certificate managed by certbot

Without being able to explain why, I suddenly have two certificates for my main domain.

  1. dargels.de (the original one, standard certificate)
  2. dargels.de-0001.de (the new one, zombie)
  3. (additionally myancestry.de without problems)

I deleted the second one in the WebGUI, but the certs still exist in the file system within

  • /etc/letsencrypt/archive
  • /etc/letsencrypt/live
  • /etc/letsencrypt/renewal

after deletion:

# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/dargels.de-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/dargels.de-0001/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: dargels.de
Serial Number: 326a84d916e1204915d8bffe07f9e9bddcb
Key Type: RSA
Domains: dargels.de collabora.dargels.de dev.dargels.de imap.dargels.de mail.dargels.de nextcloud.dargels.de ns-srv01.dargels.de smtp.dargels.de status.dargels.de stephdl.dargels.de webtop.dargels.de wp.dargels.de www.dargels.de
Expiry Date: 2022-01-19 01:58:24+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/dargels.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dargels.de/privkey.pem
Certificate Name: myancestry.de
Serial Number: 42e828677b2c16c675d69d3e62d89b602ed
Key Type: RSA
Domains: myancestry.de imap.myancestry.de mail.myancestry.de smtp.myancestry.de www.myancestry.de
Expiry Date: 2022-02-05 06:25:12+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/myancestry.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/myancestry.de/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/dargels.de-0001.conf


after deleting the folders manually:

# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: dargels.de
Serial Number: 326a84d916e1204915d8bffe07f9e9bddcb
Key Type: RSA
Domains: dargels.de collabora.dargels.de dev.dargels.de imap.dargels.de mail.dargels.de nextcloud.dargels.de ns-srv01.dargels.de smtp.dargels.de status.dargels.de stephdl.dargels.de webtop.dargels.de wp.dargels.de www.dargels.de
Expiry Date: 2022-01-19 01:58:24+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/dargels.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dargels.de/privkey.pem
Certificate Name: myancestry.de
Serial Number: 42e828677b2c16c675d69d3e62d89b602ed
Key Type: RSA
Domains: myancestry.de imap.myancestry.de mail.myancestry.de smtp.myancestry.de www.myancestry.de
Expiry Date: 2022-02-05 06:25:12+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/myancestry.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/myancestry.de/privkey.pem


after certbot renew

# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: dargels.de
Serial Number: 326a84d916e1204915d8bffe07f9e9bddcb
Key Type: RSA
Domains: dargels.de collabora.dargels.de dev.dargels.de imap.dargels.de mail.dargels.de nextcloud.dargels.de ns-srv01.dargels.de smtp.dargels.de status.dargels.de stephdl.dargels.de webtop.dargels.de wp.dargels.de www.dargels.de
Expiry Date: 2022-01-19 01:58:24+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/dargels.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dargels.de/privkey.pem
Certificate Name: myancestry.de
Serial Number: 42e828677b2c16c675d69d3e62d89b602ed
Key Type: RSA
Domains: myancestry.de imap.myancestry.de mail.myancestry.de smtp.myancestry.de www.myancestry.de
Expiry Date: 2022-02-05 06:25:12+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/myancestry.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/myancestry.de/privkey.pem


I have now repeated this several days in a row; again and again the zombie certificate reappears.

What should I do now if tomorrow the zombie certificate is available again?

I have not yet dared to switch to acme-dns.
Best regards, Marko

Logs:

cat /var/log/letsencrypt/letsencrypt.log

2021-12-02 18:07:41,659:DEBUG:certbot._internal.main:certbot version: 1.11.0
2021-12-02 18:07:41,659:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-12-02 18:07:41,659:DEBUG:certbot._internal.main:Arguments: []
2021-12-02 18:07:41,659:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-02 18:07:41,680:DEBUG:certbot._internal.log:Root logging level set at 20
2021-12-02 18:07:41,680:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-02 18:07:41,682:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/dargels.de.conf
2021-12-02 18:07:41,690:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f84135e75d0> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f84135e75d0>
2021-12-02 18:07:41,718:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/archive/dargels.de/cert10.pem
2021-12-02 18:07:41,718:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/dargels.de/chain10.pem -cert /etc/letsencrypt/archive/dargels.de/cert10.pem -CAfile /etc/letsencrypt/archive/dargels.de/chain10.pem -verify_other /etc/letsencrypt/archive/dargels.de/chain10.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org
2021-12-02 18:07:41,890:INFO:certbot._internal.renewal:Cert not yet due for renewal
2021-12-02 18:07:41,891:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-12-02 18:07:41,891:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/myancestry.de.conf
2021-12-02 18:07:41,908:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/archive/myancestry.de/cert6.pem
2021-12-02 18:07:41,908:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/myancestry.de/chain6.pem -cert /etc/letsencrypt/archive/myancestry.de/cert6.pem -CAfile /etc/letsencrypt/archive/myancestry.de/chain6.pem -verify_other /etc/letsencrypt/archive/myancestry.de/chain6.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org
2021-12-02 18:07:42,083:INFO:certbot._internal.renewal:Cert not yet due for renewal
2021-12-02 18:07:42,083:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-12-02 18:07:42,083:DEBUG:certbot.display.util:Notifying user:
2021-12-02 18:07:42,084:DEBUG:certbot.display.util:Notifying user: The following certificates are not due for renewal yet:
2021-12-02 18:07:42,084:DEBUG:certbot.display.util:Notifying user: /etc/letsencrypt/live/dargels.de/fullchain.pem expires on 2022-01-19 (skipped)
/etc/letsencrypt/live/myancestry.de/fullchain.pem expires on 2022-02-05 (skipped)
2021-12-02 18:07:42,084:DEBUG:certbot.display.util:Notifying user: No renewals were attempted.
2021-12-02 18:07:42,084:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-12-02 18:07:42,084:DEBUG:certbot._internal.renewal:no renewal failures

cat /var/log/letsencrypt/letsencrypt.log.3
2021-12-02 17:56:43,329:DEBUG:certbot._internal.main:certbot version: 1.11.0
2021-12-02 17:56:43,329:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-12-02 17:56:43,329:DEBUG:certbot._internal.main:Arguments: []
2021-12-02 17:56:43,329:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-02 17:56:43,354:DEBUG:certbot._internal.log:Root logging level set at 20
2021-12-02 17:56:43,354:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-02 17:56:43,356:WARNING:certbot._internal.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/dargels.de-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/dargels.de-0001/cert.pem to be a symlink. Skipping.
2021-12-02 17:56:43,358:DEBUG:certbot._internal.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/cert_manager.py", line 79, in certificates
    renewal_candidate = storage.RenewableCert(renewal_file, config)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 470, in __init__
    self._check_symlinks()
  File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 537, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/dargels.de-0001/cert.pem to be a symlink

2021-12-02 17:56:43,385:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/dargels.de/cert.pem
2021-12-02 17:56:43,386:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/dargels.de/chain.pem -cert /etc/letsencrypt/live/dargels.de/cert.pem -CAfile /etc/letsencrypt/live/dargels.de/chain.pem -verify_other /etc/letsencrypt/live/dargels.de/chain.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org
2021-12-02 17:56:43,577:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/myancestry.de/cert.pem
2021-12-02 17:56:43,577:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/myancestry.de/chain.pem -cert /etc/letsencrypt/live/myancestry.de/cert.pem -CAfile /etc/letsencrypt/live/myancestry.de/chain.pem -verify_other /etc/letsencrypt/live/myancestry.de/chain.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org
2021-12-02 17:56:43,743:DEBUG:certbot.display.util:Notifying user: Found the following certs:
Certificate Name: dargels.de
Serial Number: 326a84d916e1204915d8bffe07f9e9bddcb
Key Type: RSA
Domains: dargels.de collabora.dargels.de dev.dargels.de imap.dargels.de mail.dargels.de nextcloud.dargels.de ns-srv01.dargels.de smtp.dargels.de status.dargels.de stephdl.dargels.de webtop.dargels.de wp.dargels.de www.dargels.de
Expiry Date: 2022-01-19 01:58:24+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/dargels.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dargels.de/privkey.pem
Certificate Name: myancestry.de
Serial Number: 42e828677b2c16c675d69d3e62d89b602ed
Key Type: RSA
Domains: myancestry.de imap.myancestry.de mail.myancestry.de smtp.myancestry.de www.myancestry.de
Expiry Date: 2022-02-05 06:25:12+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/myancestry.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/myancestry.de/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/dargels.de-0001.conf

cat /var/log/letsencrypt/letsencrypt.log.4

2021-12-02 04:35:07,410:DEBUG:certbot._internal.main:certbot version: 1.11.0
2021-12-02 04:35:07,410:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-12-02 04:35:07,410:DEBUG:certbot._internal.main:Arguments: ['--text', '--non-interactive', '--agree-tos', '--email', 'marko.dargel@gmail.com', '--preferred-challenges', 'http', '--webroot', '--webroot-path', '/var/www/html/', '-d', 'dargels.de', '-d', 'collabora.dargels.de', '-d', 'dev.dargels.de', '-d', 'imap.dargels.de', '-d', 'imaps.dargels.de', '-d', 'isi-dev.dargels.de', '-d', 'mail.dargels.de', '-d', 'myancestry.de', '-d', 'nextcloud.dargels.de', '-d', 'smtp.dargels.de', '-d', 'smtps.dargels.de', '-d', 'stephdl.dargels.de', '-d', 'wp.dargels.de', '-d', 'www.dargels.de', '-d', 'ns-srv01.dargels.de', '--preferred-chain', 'ISRG Root X1', '--quiet']
2021-12-02 04:35:07,410:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-02 04:35:07,441:DEBUG:certbot._internal.log:Root logging level set at 30
2021-12-02 04:35:07,442:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-02 04:35:07,442:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-12-02 04:35:07,444:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f035db35b50>
Prep: True
2021-12-02 04:35:07,444:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f035db35b50> and installer None
2021-12-02 04:35:07,444:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-12-02 04:35:07,461:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/98774805', new_authzr_uri=None, terms_of_service=None), 4507e00e979072793c396c2a3ee407aa, Meta(creation_host=u'ns-srv01.dargels.de', register_to_eff=None, creation_dt=datetime.datetime(2020, 10, 8, 22, 54, 4, tzinfo=)))>
2021-12-02 04:35:07,467:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-12-02 04:35:07,474:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-12-02 04:35:08,006:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2021-12-02 04:35:08,007:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Thu, 02 Dec 2021 03:35:07 GMT
x-frame-options: DENY
content-type: application/json

{
  "eIjymvhz558": "Adding random entries to the directory - API Announcements - Let's Encrypt Community Support",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-12-02 04:35:08,020:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer <certbot._internal.cli.cli_utils._Default object at 0x7f035d239e10>
2021-12-02 04:35:08,032:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/archive/dargels.de-0001/cert1.pem
2021-12-02 04:35:08,032:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/dargels.de-0001/chain1.pem -cert /etc/letsencrypt/archive/dargels.de-0001/cert1.pem -CAfile /etc/letsencrypt/archive/dargels.de-0001/chain1.pem -verify_other /etc/letsencrypt/archive/dargels.de-0001/chain1.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org
2021-12-02 04:35:08,258:INFO:certbot._internal.renewal:Cert not yet due for renewal
2021-12-02 04:35:08,259:INFO:certbot._internal.main:Keeping the existing certificate
2021-12-02 04:35:08,259:DEBUG:certbot.display.util:Notifying user: Certificate not yet due for renewal; no action taken.
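The warning in letsencrypt.log.3 above ("expected /etc/letsencrypt/live/dargels.de-0001/cert.pem to be a symlink", raised from storage.RenewableCert._check_symlinks) comes from certbot's rule that every file in live/<name>/ must be a symlink into archive/<name>/; a lineage whose directories were only partly removed fails that rule and is skipped on every run while its renewal config survives. The following is an added example, not certbot's own code and not part of the NethServer module: it re-implements that check in simplified form and runs it over a constructed sample tree that contains one healthy lineage and one half-removed lineage in the state the thread describes.

```python
"""Consistency check for a certbot-style configuration directory.

Added example, not certbot's own code. It re-implements, in simplified form,
the symlink check behind the "expected .../cert.pem to be a symlink" warning,
so that a half-removed lineage can be spotted before 'certbot renew' runs.
The directory tree built by build_sample_tree() is constructed sample data.
"""
import os
import tempfile
from pathlib import Path

# The four files certbot keeps as symlinks in live/<name>/.
LINK_NAMES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def check_lineage(config_dir, name):
    """Return a list of problems for lineage <name>; an empty list means healthy.

    A healthy lineage has renewal/<name>.conf, live/<name>/<file> present as a
    symlink for each of LINK_NAMES, and each symlink resolving to an existing
    file below archive/<name>/.
    """
    config_dir = Path(config_dir)
    problems = []
    conf = config_dir / "renewal" / f"{name}.conf"
    live = config_dir / "live" / name
    archive = config_dir / "archive" / name
    if not conf.is_file():
        problems.append(f"missing renewal config {conf}")
    if not live.is_dir():
        problems.append(f"missing live directory {live}")
        return problems
    for link_name in LINK_NAMES:
        link = live / link_name
        if not link.is_symlink():
            # Exactly the condition certbot's RenewableCert rejects.
            problems.append(f"expected {link} to be a symlink")
            continue
        target = Path(os.path.realpath(link))
        if not target.exists():
            problems.append(f"{link} is a dangling symlink to {target}")
        elif archive.resolve() not in target.parents:
            problems.append(f"{link} points outside {archive}")
    return problems


def find_broken_lineages(config_dir):
    """Map lineage name -> problems for every renewal/*.conf under config_dir."""
    renewal = Path(config_dir) / "renewal"
    result = {}
    for conf in sorted(renewal.glob("*.conf")):
        problems = check_lineage(config_dir, conf.stem)
        if problems:
            result[conf.stem] = problems
    return result


def build_sample_tree():
    """Build a constructed /etc/letsencrypt-like tree in a temporary directory.

    'example.org' is healthy. 'example.org-0001' mimics the zombie from the
    thread: renewal config and live/ files exist, but the live/ entries are
    regular files instead of symlinks into archive/.
    """
    root = Path(tempfile.mkdtemp(prefix="le-check-"))
    (root / "renewal").mkdir()
    for name, healthy in (("example.org", True), ("example.org-0001", False)):
        (root / "renewal" / f"{name}.conf").write_text(f"[renewalparams]\n# {name}\n")
        live = root / "live" / name
        archive = root / "archive" / name
        live.mkdir(parents=True)
        archive.mkdir(parents=True)
        for link_name in LINK_NAMES:
            versioned = archive / link_name.replace(".pem", "1.pem")  # cert1.pem etc.
            versioned.write_text("-----BEGIN PLACEHOLDER-----\n")
            if healthy:
                # certbot uses relative links of the form ../../archive/<name>/<file>
                os.symlink(os.path.join("..", "..", "archive", name, versioned.name),
                           live / link_name)
            else:
                (live / link_name).write_text("-----BEGIN PLACEHOLDER-----\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for lineage, issues in find_broken_lineages(sample).items():
        print(lineage)
        for issue in issues:
            print("  -", issue)
```

Run as a script it reports only the constructed `example.org-0001` lineage, with one "expected ... to be a symlink" line per file. On a real server the functions would be pointed at /etc/letsencrypt instead of the sample tree. The clean way to get rid of an unwanted lineage is `certbot delete --cert-name <name>`, which removes the renewal config together with the live and archive entries, so no half-removed state is left behind for `certbot renew` to trip over.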

Well, the zombie certificate is back again…

I recall something related commented on this forum (in reference to multiple domains, first domain in list, etc.)
I know @danb35 has a better grasp about this.

User Guide — Certbot 2.6.0 documentation
-d DOMAIN, --domains DOMAIN, --domain DOMAIN
Domain names to apply. For multiple domains you can
use multiple -d flags or enter a comma separated list
of domains as a parameter. The first domain provided
will be the subject CN of the certificate, and all
domains will be Subject Alternative Names on the
certificate. The first domain will also be used in
some software user interfaces and as the file paths
for the certificate and related material unless
otherwise specified or you already have a certificate
with the same name. In the case of a name collision it
will append a number like 0001 to the file path name.

Here’s some information from Let’s Encrypt Forums:

Use --cert-name mydomain.com and Certbot will overwrite the existing entry instead of creating a new one.

Without --cert-name, the new item is created whenever you request a cert for a set of names that has overlap with a previous set but isn’t a strict superset.

For example, if you first request example.com and www.example.com, and later request example.com and example.net without www.example.com, the new certificate would likely be called example.com-0001, while the example.com cert covering www.example.com would continue to exist. That is, removing any name from the old certificate’s list will cause the generation of an -0001 cert if you don’t specify --cert-name.

The intended way to prevent this is indeed @_az’s recommendation of specifying --cert-name (this is the only way to remove a name from an existing cert’s coverage with Certbot).
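To make the rule in the quoted post concrete, here is an added example (my own simplified model, not certbot's source code and not NethServer code; all lineage and domain names in it are constructed) of how certbot chooses a lineage for a request: an identical set of names reuses the lineage, a strict superset expands it, and any other overlap without --cert-name produces a fresh lineage named after the first domain with a -0001 style suffix on collision. The argument list recorded in letsencrypt.log.4 above is exactly that last case: it requests names the existing dargels.de lineage does not cover (imaps.dargels.de, isi-dev.dargels.de, smtps.dargels.de, myancestry.de) while omitting names it does cover (status.dargels.de, webtop.dargels.de), so certbot creates dargels.de-0001 instead of touching dargels.de.

```python
"""Model of how certbot names the lineage for a certificate request.

Added example, not certbot's own source and not NethServer code. It reproduces,
in simplified form, the rule quoted above: identical names reuse the lineage,
a strict superset expands it, any other overlap without --cert-name gets a
new lineage named after the first domain with a numeric suffix. All lineage
and domain names used here are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lineage:
    """One certbot lineage: its directory name and the names it covers."""
    name: str
    domains: frozenset


def unique_lineage_name(base, existing_names):
    """Return base if unused, else base-0001, base-0002, ... (certbot's suffix style)."""
    if base not in existing_names:
        return base
    n = 1
    while f"{base}-{n:04d}" in existing_names:
        n += 1
    return f"{base}-{n:04d}"


def plan_request(domains, lineages, cert_name=None):
    """Decide where a request for `domains` lands.

    Returns (action, lineage_name) with action one of:
      'keep'    same names as an existing lineage, nothing changes
      'expand'  an existing lineage covers a strict subset and is widened
      'replace' --cert-name points at an existing lineage, which is
                overwritten (the only way to drop a name from it)
      'new'     a fresh lineage; without --cert-name its name is the first
                domain plus -0001, -0002, ... on collision
    """
    ordered = [d.lower() for d in domains]
    requested = frozenset(ordered)
    by_name = {lineage.name: lineage for lineage in lineages}

    if cert_name is not None:
        if cert_name in by_name:
            same = by_name[cert_name].domains == requested
            return ("keep" if same else "replace"), cert_name
        return "new", cert_name

    for lineage in lineages:
        if lineage.domains == requested:
            return "keep", lineage.name
    for lineage in lineages:
        if lineage.domains < requested:  # strict subset of the request
            return "expand", lineage.name
    # Partial overlap (or none at all): the zombie case from the thread.
    return "new", unique_lineage_name(ordered[0], by_name)


if __name__ == "__main__":
    existing = [Lineage("example.com", frozenset({"example.com", "www.example.com"}))]
    # Drops www.example.com and adds example.net: partial overlap -> example.com-0001
    print(plan_request(["example.com", "example.net"], existing))
    # Same request pinned with --cert-name: the lineage is rewritten in place
    print(plan_request(["example.com", "example.net"], existing, cert_name="example.com"))
```

The model treats the request as a set, so ordering and letter case do not affect the decision, but the first domain as typed still decides the directory name when a new lineage is created, which is why the UI field order matters for the names that end up under /etc/letsencrypt/live.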

I remember now my last action some time ago…
I added a new subdomain to my main domain via the Web-GUI. Maybe this action does not use the --cert-name parameter.

The web form does not seem to distinguish between creating a new certificate and adding a subdomain.

But that still doesn’t answer the question of how best to deal with this situation.

ok… I used the sledgehammer

Deleted dargels.de and dargels.de-0001.de from:

/etc/letsencrypt/archive
/etc/letsencrypt/live
/etc/letsencrypt/renewal

Requested a new certificate for dargels.de via WebGUI
