Attempting to renew cert from produced an unexpected error: Failed authorization procedure

I think I made a mistake and now my setup is somewhat broken. I’ve migrated domain2.de to another server and got another certificate via the hoster there. Everything is fine with this domain.
Aftwards, I’ve somehow deleted the certificate file with rm.
If I renew now the other certificates on my server, I run into the error below.
Locally on my VPS, I’ve got 3 TLDs and a few subdomains.
I assume certbot somehow has an internal database or similar where the domain2.de is still present since I’ve only deleted the certificate manually?
How would I “rebuild” this database?

It seems as if I can’t use certbot revoke:
2020-09-09 04:26:45,505:DEBUG:certbot.main:Arguments: [’–cert-name’, ‘www.domain2.de’]
2020-09-09 04:26:45,506:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-09 04:26:45,517:DEBUG:certbot.log:Root logging level set at 20
2020-09-09 04:26:45,518:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-09-09 04:26:45,519:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.31.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1365, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1058, in revoke
config.cert_path = storage.cert_path_for_cert_name(config, config.certname)
File “/usr/lib/python3/dist-packages/certbot/storage.py”, line 64, in cert_path_for_cert_name
cert_name_implied_conf = renewal_file_for_certname(config, cert_name)
File “/usr/lib/python3/dist-packages/certbot/storage.py”, line 53, in renewal_file_for_certname
“{1}).”.format(certname, path))
certbot.errors.CertStorageError: No certificate found with name www.domain2.de (expected /etc/letsencrypt/renewal/www.domain2.de.conf).

My domain is:
Two different ones

I ran this command:
certbot renew

It produced this output:
Attempting to renew cert (www.domain1.de) from /etc/letsencrypt/renewal/www.domain1.de.conf produced an unexpected error: Failed authorization procedure. www.domain2.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain2.de/.well-known/acme-challenge/ccCP9hI_ElmBMYxk7Z9u8gNsTjbMpC9RDxh-OmsCZwE [2001:8d8:100f:f000::2e8]: 204. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.domain1.de/fullchain.pem (failure)

My web server is (include version):
nginx version: nginx/1.14.2

The operating system my web server runs on is (include version):
Debian GNU/Linux 10 \n \l

My hosting provider, if applicable, is:
VPS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

1 Like

Good.
You don’t use REVOKE for these types of problems.

If I read you correctly, you now have a site with a cert (with two names on it).
But the cert doesn’t match the site(s) at this server.
[one domain left and is being hosted elsewhere - unrelated to this servers’ problem]

If so, then you need to renew with a subset of names.
Meaning renew the cert with only those names that can be renewed.
See the option:

image

3 Likes

Perfect, that worked just fine!
Thank you very much.

2 Likes

Excellent point @rg305. I’m only concerned that --allow-subset-of-names might not “stick” for renewal. I could be wrong.

I know this will permanently address the issue though:

The --cert-name flag can also be used to modify the domains a certificate contains, by specifying new domains using the -d or --domains flag. If certificate example.com previously contained example.com and www.example.com, it can be modified to only contain example.com by specifying only example.com with the -d or --domains flag:

certonly --cert-name example.com -d example.com

The same format can be used to expand the set of domains a certificate contains, or to replace that set entirely:

certbot certonly --cert-name example.com -d example.org,www.example.org

1 Like

Once “renewed” it all starts over.
On this round he went from two names to one.
[So there is nothing less to go to (one to zero?) in the future]
Which could review the renewal.conf file to ensure how it remains set to process the next renewal.
But I suspect the --allow-subset-of-names is a “manual one-time-use option”.

I’m sure this could have been done in several ways, I think that this was just the simplest of them.

2 Likes

17 posts were split to a new topic: Preliminary Discussions for a Handbook of Certbot Best Practices