Fixing Unwanted 0001 Letsencrypt Certificates

Removing messed up certificates from letsencrypt manually and requesting a clean certificate.

Edited: 2019-11-01 02:59

Sometimes, if you have changed the domains covered by your Let's Encrypt certificates, you may end up with unwanted directories such as example.com-0001 located in /etc/letsencrypt/. An unfortunate side effect is that the certificate you are linking to from your Postfix (SMTP server) and/or Dovecot (IMAP server) configuration can be the wrong one. This will likely result in invalid certificate errors when users try to connect from their e-mail clients (e.g. Thunderbird or Outlook).

This article assumes you are using an Apache Virtual Host setup, but it might also be useful for other servers. Just ignore the Apache-specific parts.

Solving this problem is easy, and can be done in a few ways. The easiest way may be to simply delete the certificates and request new ones. Another way is to move the certificates and delete the outdated ones, but this requires you to manually edit your Virtual Hosts and other configuration files so that they link to the right certificates.

Removing the 0001 directories

In my case, I simply deleted the example.com certificates from the live, archive, and renewal directories, like so:

sudo su
rm -R /etc/letsencrypt/live/*example.com*
rm -R /etc/letsencrypt/archive/*example.com*
rm -R /etc/letsencrypt/renewal/*example.com*

This will remove the subdomain directories and the directories with the -0001 ending, as well as the bare domain (example.com). The wildcards match every entry whose name contains example.com. The -R parameter makes it recursive, so it also deletes directories.

Before you take this next step, be sure to copy any manually added modifications in your *-le-ssl.conf files to the standard example.com.conf files.

Note. These files are located in /etc/apache2/sites-available/.

Finally we should remove the old *-le-ssl.conf files, since they are now linking to non-existent certificates. To do this, remove example.com-le-ssl.conf from the /etc/apache2/sites-available/ and /etc/apache2/sites-enabled/ directories.

rm -R /etc/apache2/sites-enabled/*example.com-le-ssl.conf
rm -R /etc/apache2/sites-available/*example.com-le-ssl.conf

Note. The files might be named differently on your server. The best way to find out what they are named is to navigate to your sites-available folder:

cd /etc/apache2/sites-available/
ls

Do not worry. The SSL configuration files will be re-created by Let's Encrypt automatically when you request the new certificate(s). This time, carefully consider which domains you want to include in the certificate.

To request a new certificate, type the below command in your terminal and select the domains you want included when asked:

letsencrypt
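
A check to run before and after the steps above, added here as an example (it is not code from the original article): it lists every /etc/letsencrypt/live/ path referenced by the service configuration and marks the references that are dangling or that point at a -0001 style directory. The function names, the constructed demo tree, and the /etc/postfix and /etc/dovecot locations are assumptions.

```shell
#!/bin/sh
# check_cert_refs LIVE_DIR CONFIG_PATH...
# Scans config files for /etc/letsencrypt/live/<lineage> references and prints
# STATUS<TAB>file<TAB>lineage for each one:
#   OK         lineage directory exists under LIVE_DIR
#   DUPLICATE  lineage exists but is a "-NNNN" copy such as example.com-0001
#   MISSING    lineage directory is gone, so the service cannot load the file
check_cert_refs() (
    live_dir=$1; shift
    # -R recurse (following symlinks), -H always print the file name,
    # -o print only the matched path, -E extended regular expressions
    grep -RHoE '/etc/letsencrypt/live/[^/[:space:]]+' "$@" 2>/dev/null |
    sort -u |
    while IFS=: read -r file ref; do
        lineage=${ref##*/}
        if [ ! -d "$live_dir/$lineage" ]; then
            status=MISSING
        else
            case $lineage in
                *-[0-9][0-9][0-9][0-9]) status=DUPLICATE ;;
                *) status=OK ;;
            esac
        fi
        printf '%s\t%s\t%s\n' "$status" "$file" "$lineage"
    done
)

# Demo on a constructed tree (sample data, not taken from a real server).
demo_check_cert_refs() (
    tmp=$(mktemp -d) || exit 1
    mkdir -p "$tmp/live/example.com-0001" "$tmp/live/mail.example.com" "$tmp/conf"
    echo 'SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem' > "$tmp/conf/site-le-ssl.conf"
    echo 'smtpd_tls_cert_file=/etc/letsencrypt/live/example.com-0001/fullchain.pem' > "$tmp/conf/main.cf"
    echo 'ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem' > "$tmp/conf/10-ssl.conf"
    # Strip the temp prefix so the report is stable between runs.
    check_cert_refs "$tmp/live" "$tmp/conf" | sed "s|$tmp/conf/||"
    rm -rf "$tmp"
)

# Real use (the Postfix and Dovecot directories are assumed default locations):
#   check_cert_refs /etc/letsencrypt/live /etc/apache2/sites-available /etc/postfix /etc/dovecot
```

Any MISSING line left after the new certificate has been issued is a configuration file that still needs its certificate path corrected.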
