This article refers to the Let's Encrypt client as installed by sudo apt-get install python-letsencrypt-apache. Until quite recently, this was the recommended Let's Encrypt installation for Ubuntu Xenial 16.04.
Insurance: Make a Backup!
Back up the entire /etc/letsencrypt directory - recursively copy the entire
If you mess up during the process of certificate reorganisation, revert to the original and save the broken state for reference:
Determine certificate lineages by listing out the domains associated with each certificate - look in subdirectories under
See additional information for a breakdown of this command.
Remove a Superfluous Certificate
We determine that the example.com cert is superfluous, and holds references to invalid domains. The cert is not being used, but generates ugly error messages during the renewal dry-run.
Be careful - make sure the cert is not being referenced in any Virtual Host directives.
If you are sure it’s safe, remove it and run the renewal process:
I haven’t attempted this - but running the following should install a new certificate:
If your virtual hosts for the specified domains are referencing certs like so:
…the new cert should work.
OpenSSL is an open source toolkit for the SSL and TLS network protocols and related cryptography standards, accessed with the openssl utility. The x509 command provides utilities for displaying, converting and signing certificates. Summary of the above command:
-in filename: the input filename to read from (standard input if not specified)
-text: print the certificate in text form
-noout: prevent output of the encoded version of the request
The text form output includes full details - public key, signature algorithms, issuer & subject names, serial number, extensions present, any trust settings and the DNS records covered by the certificate. In the context of this article, we’re only interested in the certificate lineage/associated domains - so the openssl x509 command is piped to grep DNS to output the DNS data only.
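The two checks described above, listing the domains covered by each lineage and confirming that a cert is not referenced by any virtual host before it is removed, as an added shell example that is not part of the original article. The /etc/letsencrypt/live and /etc/apache2/sites-enabled defaults and the function names are assumptions; override the directories through the environment if your layout differs.

```shell
#!/bin/sh
# Added example: audit certificate lineages before removing one.
# Assumed defaults (not taken from the article): the client's usual live/
# layout and Ubuntu's Apache virtual host directory.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
VHOST_DIR="${VHOST_DIR:-/etc/apache2/sites-enabled}"

# Read `openssl x509 -text -noout` output on stdin and print one DNS name
# per line (the same data `grep DNS` shows, split into separate names).
san_names() {
    grep 'DNS:' | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print the vhost files that mention a lineage's directory; exit status 1
# if none do. -R follows the symlinks that sites-enabled normally contains.
# Commented-out directives also match, which errs towards "in use".
lineage_refs() {
    grep -RlF -- "$LIVE_DIR/$1/" "$VHOST_DIR" 2>/dev/null
}

# One tab-separated line per lineage: name, IN-USE or unused, domains.
audit_lineages() {
    for cert in "$LIVE_DIR"/*/cert.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        names=$(openssl x509 -in "$cert" -text -noout | san_names | tr '\n' ' ')
        if lineage_refs "$name" >/dev/null; then
            state=IN-USE
        else
            state=unused
        fi
        printf '%s\t%s\t%s\n' "$name" "$state" "$names"
    done
}

# Run the audit only when asked to, so the file can also be sourced.
case "${1:-}" in
    --run) audit_lineages ;;
esac
```

Run it with --run as a user that can read the live directory; a lineage such as example.com is a removal candidate only if it is reported as unused.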