Can I generate a new certificate after the certificate expires?

All *.pem files related to my site have been deleted.
The expiration date is tomorrow. Can I generate a new certificate after the certificate expires?

You can generate a new certificate now, you don't have to wait.

I tried to create a new certificate as follows, but an error occurred.

# ./letsencrypt-auto certonly --standalone -d www.xxxxxxxx.net --renew-by-default --email xxxxxxxx@gmail.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.xxxxxxxx.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.xxxxxxxx.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 3533bd103892feb797f33e1d4d2eca1a.2adbe40db01a48c27deb745a507d07e1.acme.invalid from ***.***.***.***:443. Received 2 certificate(s), first certificate had names “www.xxxxxxxx.net

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.xxxxxxxx.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    3533bd103892feb797f33e1d4d2eca1a.2adbe40db01a48c27deb745a507d07e1.acme.invalid
    from ***.***.***.***:443. Received 2 certificate(s), first
    certificate had names “www.xxxxxxxx.net

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Are you running that command on the host that serves the affected domain?

Yes, that is the host server.
How can I remove the certificate I am using and get a new certificate? (I can’t use “renew”.)
All *.pem files associated with the certificate have been deleted.

Hi @asdf,

The problem you’re seeing is that --standalone can only be used while no other server is using port 443. In order to use --standalone, you need to stop any existing web server temporarily while requesting the certificate—and also while renewing it later. (If you happen to have port 80 open, there is also a way to ask --standalone to use that instead, but no other ports than 443 and 80 are allowed.)
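
As an added illustration of the point above (this script is not from the thread and is not Certbot's own code), the following POSIX shell snippet checks which of the two ports --standalone may use is already bound before certbot is run, and prints the matching certbot command line. It parses an `ss -Hltn`-style listing; the listing embedded here is constructed (a web server already on 443, port 80 free), and the domain and e-mail are placeholders. The `--preferred-challenges http`, `--pre-hook` and `--post-hook` options are real certbot options.

```shell
#!/bin/sh
# Added example, not from the thread and not part of Certbot.
# Decide whether `certbot --standalone` can bind its challenge port before
# running it. Input is an `ss -Hltn`-style listing (State Recv-Q Send-Q
# Local:Port Peer:Port). On a real host pass "$(ss -Hltn)" instead of the
# constructed sample below.

# Constructed sample: a web server already listening on 443, port 80 free.
SAMPLE_LISTING='LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*'

# port_is_bound PORT LISTING -> exit 0 if some socket in LISTING listens on PORT.
# Works for 0.0.0.0:443, *:443 and [::]:443 (last colon-separated field is the port).
port_is_bound() {
    port=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v p="$port" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# pick_standalone_port LISTING -> prints the port --standalone can still bind:
# 443 (tls-sni-01, the thread's default) if free, else 80 (http-01) if free,
# else "none", meaning the running web server must be stopped first.
pick_standalone_port() {
    listing=$1
    if ! port_is_bound 443 "$listing"; then
        echo 443
    elif ! port_is_bound 80 "$listing"; then
        echo 80
    else
        echo none
    fi
}

# certbot_command DOMAIN EMAIL LISTING -> prints the certbot invocation that
# fits the current port usage. Returns 1 when both ports are taken.
certbot_command() {
    domain=$1
    email=$2
    listing=$3
    case $(pick_standalone_port "$listing") in
        443)
            echo "certbot certonly --standalone -d $domain --email $email" ;;
        80)
            # Ask standalone to answer on port 80 instead of 443.
            echo "certbot certonly --standalone --preferred-challenges http -d $domain --email $email" ;;
        none)
            # Both ports busy: stop the web server around the request and restart it after.
            echo "certbot certonly --standalone -d $domain --email $email" \
                 "--pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'"
            return 1 ;;
    esac
}

# Offline demo on the constructed listing (placeholder domain and e-mail).
demo() {
    certbot_command www.example.net admin@example.net "$SAMPLE_LISTING"
}

demo
```

With the sample listing, `demo` prints the port-80 variant, which is the case the reply above describes: 443 is held by the web server, so standalone must be told to use port 80 or the web server must be stopped first. Let's Encrypt has since disabled the tls-sni-01 challenge entirely, so on a current system only the port-80 (http-01) path, or stopping the web server and using the hooks, applies.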

I wonder why there is no error message about an already bound port.

I also wonder about that because there is code in Certbot to generate that error message, yet we often see people have this problem without triggering that error.
