Reorganise Letsencrypt Certificates
SSL, Sysadmin
This article refers to a Letsencrypt client as installed by sudo apt-get install python-letsencrypt-apache. Until quite recently, this was the recommended Letsencrypt installation for Ubuntu Xenial 16.04.
Insurance: Make a Backup!
Back up the entire /etc/letsencrypt directory by copying it recursively:
If you mess up during the certificate reorganisation, revert to the original copy and keep the broken state for reference:
Certificate Lineage
Determine certificate lineages by listing the domains associated with each certificate - look in the subdirectories under /etc/letsencrypt/live:
See additional information for a breakdown of this command.
Remove a Superfluous Certificate
We determine that the example.com cert is superfluous and holds references to invalid domains. The cert is not in use, but it generates ugly error messages during the renewal dry run.
Be careful - make sure the cert is not referenced in any Virtual Host directives.
If you are sure it’s safe, remove it and run the renewal process:
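The backup, lineage listing and Virtual Host check described above, as an added example that is not from the original article. It uses the article's openssl x509 ... | grep DNS command; the le_root argument (defaulting to /etc/letsencrypt) and the /etc/apache2 config path are assumptions so the same functions can be pointed at a copy of the tree.

```shell
#!/bin/sh
# Added example, not the article's own code: back up /etc/letsencrypt and
# list the DNS names covered by each certificate lineage under live/.
# The root directory is a parameter (assumed) so it can be run on a copy.
set -eu

# Recursively copy the letsencrypt tree to a backup directory (timestamped
# by default) and print the backup path for a later revert.
backup_letsencrypt() {
    le_root="${1:-/etc/letsencrypt}"
    dest="${2:-${le_root}.bak-$(date +%Y%m%d%H%M%S)}"
    cp -a "$le_root" "$dest"
    printf '%s\n' "$dest"
}

# Print "<lineage>: DNS:a, DNS:b" for every lineage in <root>/live, using
# the article's command: openssl x509 -in cert.pem -text -noout | grep DNS
list_lineages() {
    le_root="${1:-/etc/letsencrypt}"
    for dir in "$le_root"/live/*/; do
        [ -f "$dir/cert.pem" ] || continue   # skip README and stray files
        name=$(basename "$dir")
        sans=$(openssl x509 -in "$dir/cert.pem" -text -noout \
               | grep DNS | sed 's/^[[:space:]]*//')
        printf '%s: %s\n' "$name" "$sans"
    done
}

# Before removing a lineage, show every Apache config line that references
# its live/ directory (the article's "check your Virtual Hosts" step).
# The Apache config path is an assumption for the python-letsencrypt-apache setup.
vhost_references() {
    le_root="${1:-/etc/letsencrypt}"
    name="$2"
    apache_conf="${3:-/etc/apache2}"
    grep -rn "$le_root/live/$name/" "$apache_conf" 2>/dev/null || true
}

# Run the backup and listing against the real tree: sh reorganise.sh run
if [ "${1:-}" = "run" ]; then
    backup_letsencrypt
    list_lineages
fi
```

A lineage that prints no DNS names, or one whose names no longer match your Virtual Hosts, is the candidate for the removal step; vhost_references <name> must print nothing before you delete it.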
Reissue Certificate
I haven’t attempted this - but running the following should install a new certificate:
If your virtual hosts for the specified domains are referencing certs like so:
…the new cert should work.
Additional Information
OpenSSL is an open source toolkit for the SSL and TLS network protocols and related cryptography standards, accessed with the openssl command-line utility. The x509 command provides utilities for displaying, converting and signing certificates. Summary of the above command:
- -in filename: the input filename to read from (standard input if not specified)
- -text: print the certificate in text form
- -noout: prevent output of the encoded version of the request
The text form output includes full details - public key, signature algorithms, issuer and subject names, serial number, extensions present, any trust settings and the DNS names covered by the certificate. In the context of this article, we’re only interested in the certificate lineage and its associated domains, so the openssl x509 command is piped to grep DNS to output the DNS data only.
References
- This article is largely based on the very useful answer on the Letsencrypt Discourse forum by pfg
- openssl x509 man page