Fixing Unwanted 0001 Letsencrypt Certificates

Removing messed up certificates from letsencrypt manually and requesting a clean certificate.

2303 views
d

By. Jacob

Edited: 2022-07-28 20:56

Sometimes if you have made changes to the domains covered by your lets encrypt certificates you might get unwanted folders such as example.com-0001 located in /etc/letsencrypt/, and this might have the unfortunate effect that the certificate you are linking to from Postfix (SMTP server) and/or Dovecot (IMAP server) configuration can be incorrect. This will likely result in invalid certificate errors when users try to connect from their e-mail clients (I.e. Thunderbird or Outlook).

This article assumes you are using an Apache Virtual Host setup, but it might also be useful for other servers. Just ignore the Apache-specific parts.

Solving this problem is easy, and can done in a few ways. The easiest way may be to simply delete the certificates and request new ones. Another way is to move the certificates and delete the outdated ones, but this requires you to manually edit your Virtual Hosts and other configuration files, to link to the right certificates.

Removing the 0001 directories

In my case, I simply deleted the example.com certificates from the live, archive, and renewal directories, like so:

sudo su
rm -R /etc/letsencrypt/live/*example.com*
rm -R /etc/letsencrypt/archive/*example.com*
rm -R /etc/letsencrypt/renewal/*example.com*

This will both remove subdomains directories and directories with the -0001 ending, as well as the bare domain (example.com). The -R parameter makes it recursive, so it also deletes directories.

Before you take this next step, be sure to copy any manually added modifications in your *-le-ssl.conf files to the standard example.com.conf files.

Note. These files are located in /etc/apache2/sites-available/.

Finally we should remove the old *-le-ssl.conf files, since they are now linking to non-existent certificates. To do this, remove example.com-le-ssl.conf from the /etc/apache2/sites-available/ and /etc/apache2/sites-enabled/ directories.

rm -R /etc/apache2/sites-enabled/*example.com-le-ssl.conf
rm -R /etc/apache2/sites-available/*example.com-le-ssl.conf

Note. The files might be named differently on your server. The best way to find out what they are named is to navigate to your sites-available folder:

cd /etc/apache2/sites-available/
ls

Do not worry. The SSL configuration files will be re-created by lets encrypt automatically when you request the new certificate'(s). This time, carefully consider which domains you want to include in the certificate.

To request a new certificate, type the below command in your terminal and select the domains you want included when asked:

letsencrypt

Tell us what you think:

Gordon

Just wanted to say thanks for posting this. I ran into this and tried only deleting files under "live" and still didn't work, but after deleting files under all three folders it worked! Thank you!

Raffael

You can also have the certbot application itself delete those 0001 certificates, including all relevant directories, like this:

certbot delete --cert-name example.com-0001

This is faster and feels safer to me than manually deleting directories managed by certbot.

Fabrice

>>You can also have the certbot application itself delete those 0001 certificates, including >>all relevant directories, like this:

>>certbot delete --cert-name example.com-0001

>>This is faster and feels safer to me than manually deleting directories managed by certbot.

T H I S. Thanks alot kind sir.

  1. How to configure a SMTP server with letsencrypt on an amazon EC2 instance.
  2. How to configure Postfix to use Lets Encrypt certificates.

More in: Lets Encrypt