For a given virtualhost, when I use Letsencrypt from the Server Configuration -> SSL Certificate -> Let's Encrypt -> Request Certificate button, the system spins and whirrs and spits out a few files.
This is where I’m confused.
The current certificate (CA, Key, Cert) for the virtual server is placed in /home/<user>/domains/subdomain.domain.com as ssl.cert, ssl.key, and ssl.ca, along with a few other variations.
The /etc/letsencrypt/live folder is a different story. It contains a myriad of files for each virtual server on my system, like:
Let’s Encrypt documentation expresses that Apache needs the full path to the /etc/letsencrypt/live/.../fullchain.pem file to satisfy the SSLCertificateKeyFile directive, yet in the virtual server’s Apache *.conf file, the directive points to the other folders (/home//domains/…/ssl.cert).
In addition to that, there are a) a bunch of folders under /etc/letsencrypt for virtual servers that no longer exist, and b) duplicates of many servers that DO exist with appended sequential numbers after the .com, like .com-0001, .com-0002, etc.
I’d like to clean things up, but I need to understand what’s going on here that Virtualmin is doing that’s proprietary to Virtualmin.
The -0001, -0002 thing has always happened to me (manually using certbot) when a new request for a domain (and possibly extra SANs, if you’ve included them) is successful, but the certificate is ‘partially overlapping’. Usually it’s when a combination of domains in your latest request did not exactly match those for a prior request where the primary domain name was the same.
As the requests weren’t identical, certbot does not overwrite the new one with the old; instead it increments the newly obtained certificate name with a -0001 to distinguish it.
To clean this up, you need to use certbot to delete the new -0001 and -0002 request, then delete the original certificate from the letsencrypt store, then make a fresh request for a cert.
certbot certificates at an SSH prompt should indicate the duplicates.
If I were sorting this manually, I would use certbot with certbot unregister using the output from the certificates command. I’m not sure how Webmin will take this, but it’s probably OK as you can just generate another LE request from the web interface and certbot will handle the deployment.
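As an added example (not part of the post above, and not code from Virtualmin or certbot), the following POSIX shell script takes the text that the certbot certificates command prints, picks out the -0001/-0002 style duplicate lineages and any lineages certbot reports as expired, and echoes the cleanup steps the reply describes (delete the duplicate, delete the original, re-request once for the combined domain list). The certbot output embedded in it is constructed sample text, not output captured from a real host; the only certbot option it relies on is certbot delete --cert-name, which is a real option. The plan is printed rather than executed so it can be checked before anything under /etc/letsencrypt is removed.

```shell
#!/bin/sh
# Added example: inspect `certbot certificates` output for duplicate (-NNNN)
# and expired lineages, and print a cleanup plan. Nothing here runs certbot
# or touches /etc/letsencrypt.

# Constructed sample of `certbot certificates` output (not captured from a real host).
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2024-05-01 12:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: example.com-0001
    Domains: example.com www.example.com mail.example.com
    Expiry Date: 2024-05-20 12:00:00+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/example.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com-0001/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2024-01-10 12:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem'

# Reads certbot output on stdin; prints one line per lineage:
#   <name> TAB <domains> TAB <VALID|INVALID>
lineages() {
  awk '
    /Certificate Name:/ { name = $3 }
    /Domains:/          { sub(/^[ \t]*Domains:[ \t]*/, ""); domains = $0 }
    /Expiry Date:/      { status = ($0 ~ /INVALID/) ? "INVALID" : "VALID"
                          print name "\t" domains "\t" status }
  '
}

# Lineages certbot created with a -NNNN suffix because an earlier request for
# the same primary name covered a different set of domains.
duplicate_lineages() {
  lineages | awk -F'\t' '$1 ~ /-[0-9][0-9][0-9][0-9]$/ { print $1 }'
}

# Lineages whose certificate certbot reports as no longer valid.
expired_lineages() {
  lineages | awk -F'\t' '$3 == "INVALID" { print $1 }'
}

# Domains covered by a named lineage (empty if the lineage is not listed).
lineage_domains() {
  lineages | awk -F'\t' -v want="$1" '$1 == want { print $2 }'
}

# Echo the cleanup steps from the reply: remove each -NNNN duplicate and its
# original, then re-request one certificate covering the union of their
# domains. Commands are printed, not executed.
cleanup_plan() {
  input=$(cat)
  printf '%s\n' "$input" | duplicate_lineages | while read -r dup; do
    base=${dup%-[0-9][0-9][0-9][0-9]}
    dup_domains=$(printf '%s\n' "$input" | lineage_domains "$dup")
    base_domains=$(printf '%s\n' "$input" | lineage_domains "$base")
    all=$(printf '%s %s\n' "$base_domains" "$dup_domains" | tr ' ' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//')
    echo "certbot delete --cert-name $dup"
    echo "certbot delete --cert-name $base"
    echo "# then re-request $base from Virtualmin (or certbot) for: $all"
  done
}

# Stand-alone run against the constructed sample; on a real host pipe in
# `certbot certificates` instead.
printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | cleanup_plan
printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | expired_lineages
```

On a real system replace the sample with the live output (certbot certificates | cleanup_plan) and compare the printed lineage names with the ssl.cert paths your virtual servers' Apache configuration actually references before deleting anything, since Virtualmin deploys copies under /home/<user>/domains rather than pointing Apache at /etc/letsencrypt/live.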