Can't renew certificate--I've confused the domains

[I am a new user with limited capabilities. When I tried to submit the full report, I was told I had more than 20 links. I only found two full links starting with http[s], so now I am truncating the message to try to get something I can submit.]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. [removed link]), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: phrancko.com

I ran this command: certbot certificates

It produced this output:
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/phrancko.com-0001.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.


Found the following certs:
Certificate Name: phrancko.com
Domains: phrancko.com blog.phrancko.com www.phrancko.com
Expiry Date: 2019-10-13 15:50:25+00:00 (VALID: 9 days)
Certificate Path: /etc/letsencrypt/live/phrancko.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/phrancko.com/privkey.pem
Certificate Name: www.phrancko.com
Domains: www.phrancko.com phrancko.com
Expiry Date: 2019-12-22 21:19:07+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/www.phrancko.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.phrancko.com/privkey.pem

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/phrancko.com-0001.conf


My web server is (include version):
apache 2.4 (I think)

The operating system my web server runs on is (include version):
I’m running on AWS. The contents of cat /etc/os-release:
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="/"

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.26.1

I have successfully renewed the certification for www.phrancko.com but the certification for phrancko.com fails. I see from the above output (if I understand it correctly) that my attempt some time in the past to have one certificate that controls both of those domains resulted in two different certificates…

  • one for the domains phrancko.com blog.phrancko.com www.phrancko.com
  • and the other for www.phrancko.com phrancko.com

As you see, the output shows the first certificate needs to be renewed, the second one does not. The domain blog.phrancko.com was never used, so earlier today I backed up the letsencrypt directory and ran certbot --name-only blog.phrancko.com delete (I think it was). Even though it first gave an error message about no renewal directory, it did in fact delete all the other directories that had that name.

So being brave, I tried to delete the entire certificate phrancko.com, hoping that the second certificate for both the live domains would remain and certification would no longer need renewing. However, when I restarted the server, httpd failed to start and told me to run the following command, and I got this output:

[truncated here…maybe I can send the rest when you respond]


[Here is the truncated part of my first message. Maybe the system will let me add this here.]

systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: failed (Result: exit-code) since Thu 2019-10-03 23:14:48 UTC; 24s ago
Docs: man:httpd.service(8)
Process: 16100 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
Process: 17392 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 17392 (code=exited, status=1/FAILURE)
Oct 03 23:14:48 ip-10-0-0-230.us-west-2.compute.internal systemd[1]: Starting The Apache HTTP Se…
Oct 03 23:14:48 ip-10-0-0-230.us-west-2.compute.internal httpd[17392]: httpd: Syntax error on lin…
Oct 03 23:14:48 ip-10-0-0-230.us-west-2.compute.internal systemd[1]: httpd.service: main process…E
Oct 03 23:14:48 ip-10-0-0-230.us-west-2.compute.internal systemd[1]: Failed to start The Apache …
Oct 03 23:14:48 ip-10-0-0-230.us-west-2.compute.internal systemd[1]: Unit httpd.service entered …
Oct 03 23:14:48 ip-10-0-0-230.us-west-2.compute.internal systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

Since the website was now down, I restored /etc/letsencrypt from the backup I had saved and restarted httpd successfully. But now I am back to where I started, needing to update a certificate that fails to update.

Here is the output of: certbot renew

certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/phrancko.com.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for phrancko.com
http-01 challenge for www.phrancko.com
http-01 challenge for blog.phrancko.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (phrancko.com) from /etc/letsencrypt/renewal/phrancko.com.conf produced an unexpected error: Failed authorization procedure. blog.phrancko.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for blog.phrancko.com. Skipping.

Processing /etc/letsencrypt/renewal/www.phrancko.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/phrancko.com-0001.conf
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/site-packages/certbot/storage.py", line 420, in __init__
    "file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/phrancko.com-0001.conf is broken. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/phrancko.com/fullchain.pem (failure)

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.phrancko.com/fullchain.pem expires on 2019-12-22 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/phrancko.com/fullchain.pem (failure)
Additionally, the following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/phrancko.com-0001.conf (parsefail)

1 renew failure(s), 1 parse failure(s)

IMPORTANT NOTES:
  • The following errors were reported by the server:
    Domain: blog.phrancko.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up A for blog.phrancko.com


:slight_smile: This warms my heart.

First, I think it is a good idea to establish which certificates Apache is actually currently using.

After we know that, we will know which ones can be safely deleted without breaking your setup.

One way to figure this out is to run:

grep -Ri sslcertificatefile /etc/httpd

Hi @Phrancko

checking your domain there is no A-record blog - https://check-your-website.server-daten.de/?q=blog.phrancko.com

Host T IP-Address is auth. ∑ Queries ∑ Timeout
blog.phrancko.com Name Error yes 1 0
www.blog.phrancko.com Name Error yes 1 0

So http validation can't work.

So you have two options:

  • Add an A-record again (but if you don't need the blog, that's not good)
  • create a certificate with the same certificate name (overrides the existing) and two domain names:
certbot -d phrancko.com -d www.phrancko.com --cert-name phrancko.com

would do that.

But if you don't need the blog, you can use your other certificate.

So use something like

certbot --cert-name www.phrancko.com --reinstall

to see, if Certbot is able to install the other certificate.

If the certificate with three names is no longer used, you can delete it (certbot delete certificate-name).

Check

https://certbot.eff.org/docs/using.html#certbot-command-line-options


Thank you for the prompt response. I think I am almost there except for a little cleanup. I did not need the blog.phrancko.com so I did not add an A record. I chose to use the other certificate. I did the --reinstall as you suggested, which succeeded the second time. (The first time I chose the option to redirect all HTTP to HTTPS and that seemed to make it fail.) But I restarted httpd again and it worked. So I made another quick backup and then executed:
certbot delete --cert-name phrancko.com
and restarted it again, and it works! Yay!

However I get this output to certbot certificates:

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/phrancko.com-0001.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.


Found the following certs:
Certificate Name: www.phrancko.com
Domains: www.phrancko.com phrancko.com
Expiry Date: 2019-12-22 21:19:07+00:00 (VALID: 78 days)
Certificate Path: /etc/letsencrypt/live/www.phrancko.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.phrancko.com/privkey.pem

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/phrancko.com-0001.conf


Here are the files in the renewals directory:

ll

total 4
-rw-r--r-- 1 root root   0 Oct 3 23:29 phrancko.com-0001.conf
-rw-r--r-- 1 root root 520 Oct 3 23:29 www.phrancko.com.conf

Should I just delete the one that causes the error message? (Sorry if that's a silly question. I'm trying to be very cautious, especially since it is now working.)

Frank


I finally noticed it was zero bytes, so I deleted it and all is fine now. Thanks so much for your help!

Frank


Happy to read that it had worked. :+1:

Make a backup (in such a situation, it's enough to copy these files to another place), then you can delete them. Restart your webserver to see if the file isn't used; if so, then all is ok.

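As an added example (not part of this thread, and not Certbot's or Apache's own tooling), here is a small POSIX sh script that automates the two checks the replies above recommend: the grep for SSLCertificateFile to learn which certbot lineages Apache actually references, and the "back up, then delete" step for lineages and renewal config files nothing uses. It reports which lineages under live/ Apache never references (candidates for certbot delete --cert-name) and which renewal/*.conf files lack the cert/privkey/chain/fullchain references certbot requires, which is exactly how a zero-byte leftover like phrancko.com-0001.conf shows up. Instead of touching /etc/httpd or /etc/letsencrypt it builds a throwaway directory tree with constructed example.com paths; the function names and the example.com lineage names are assumptions of this example.

```shell
#!/bin/sh
# Cross-check Apache's SSLCertificateFile directives against certbot's
# lineages and renewal configs. Constructed example, not project code.
set -u

# Lineage names Apache references: every SSLCertificateFile directive
# under $1 (the httpd config tree), reduced to the .../live/<name>/ part.
apache_lineages() {
    httpd_dir=$1
    grep -RhiE '^[[:space:]]*SSLCertificateFile[[:space:]]' "$httpd_dir" \
      | awk '{print $2}' \
      | sed -n 's#.*/live/\([^/]*\)/.*#\1#p' \
      | sort -u
}

# Lineage names certbot manages: directory names under $1/live.
certbot_lineages() {
    le_dir=$1
    for d in "$le_dir"/live/*/; do
        [ -d "$d" ] && basename "$d"
    done | sort -u
}

# Lineages certbot has that Apache never references. Only these are
# safe candidates for `certbot delete --cert-name <name>`.
unused_lineages() {
    httpd_dir=$1; le_dir=$2
    apache=$(apache_lineages "$httpd_dir")
    certbot_lineages "$le_dir" | while read -r name; do
        printf '%s\n' "$apache" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Renewal configs missing any of the four file references certbot needs.
# An empty file (as in the thread) fails on the first key and is listed.
broken_renewal_confs() {
    le_dir=$1
    for f in "$le_dir"/renewal/*.conf; do
        [ -f "$f" ] || continue
        for key in cert privkey chain fullchain; do
            grep -qE "^[[:space:]]*$key[[:space:]]*=" "$f" \
              || { basename "$f"; break; }
        done
    done
}

# Build a throwaway tree mirroring the thread's situation (constructed
# sample data, example.com instead of the real domain); prints its root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/httpd/conf.d" "$root/letsencrypt/renewal" \
             "$root/letsencrypt/live/www.example.com" \
             "$root/letsencrypt/live/example.com"
    cat > "$root/httpd/conf.d/ssl.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile $root/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile $root/letsencrypt/live/www.example.com/privkey.pem
</VirtualHost>
EOF
    cat > "$root/letsencrypt/renewal/www.example.com.conf" <<EOF
version = 0.26.1
archive_dir = $root/letsencrypt/archive/www.example.com
cert = $root/letsencrypt/live/www.example.com/cert.pem
privkey = $root/letsencrypt/live/www.example.com/privkey.pem
chain = $root/letsencrypt/live/www.example.com/chain.pem
fullchain = $root/letsencrypt/live/www.example.com/fullchain.pem
EOF
    # the zero-byte leftover certbot reports as "missing a required file reference"
    : > "$root/letsencrypt/renewal/example.com-0001.conf"
    printf '%s\n' "$root"
}

# Stand-alone demonstration on the constructed tree.
demo_root=$(make_fixture)
echo "Apache uses:        $(apache_lineages "$demo_root/httpd" | tr '\n' ' ')"
echo "Unused lineages:    $(unused_lineages "$demo_root/httpd" "$demo_root/letsencrypt" | tr '\n' ' ')"
echo "Broken renewal confs: $(broken_renewal_confs "$demo_root/letsencrypt" | tr '\n' ' ')"
rm -rf "$demo_root"
```

On a real host the same functions are called as root with the real trees, e.g. unused_lineages /etc/httpd /etc/letsencrypt and broken_renewal_confs /etc/letsencrypt; take the backup first as the thread advises, delete only a lineage that appears in the unused list, and restart httpd afterwards to confirm it still loads its certificate. The grep only sees SSLCertificateFile directives that name a path under live/, so a certificate copied elsewhere would not be counted as in use.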
