Yes, I had initially run the certbot renew on the new server, but the DNS had not yet been changed to point to the new server. I saw this problem early on, as the error messages had the IP of the existing server in the error logs. I had my sponsor change the DNS to the new server, and things started working again (after I also added a missing line to point to the virtual host /web directory as well).
As an experiment, I deleted the stage.trupath.com entries in /archive, /live, and /renew and re-ran the dry-run. EVERYTHING completed successfully! It had to be something about the older certs.
No, I did not run without "--dry-run" as the first cert (of 12) to expire has 40 days of life left in it. Am I missing something by not doing it for real?
Here are the contents of the two Archive conf files, both non-working and working. I removed the account GUID for security, but it was identical and correct in both files.
NONWORKING
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/staging.trupath.com
cert = /etc/letsencrypt/live/staging.trupath.com/cert.pem
privkey = /etc/letsencrypt/live/staging.trupath.com/privkey.pem
chain = /etc/letsencrypt/live/staging.trupath.com/chain.pem
fullchain = /etc/letsencrypt/live/staging.trupath.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = <GUID>
authenticator = webroot
webroot_path = /usr/local/lsws/staging.trupath.com/web
server = https://acme-v02.api.letsencrypt.org/directory
WORKING ("001 version")
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/staging.trupath.com-0001
cert = /etc/letsencrypt/live/staging.trupath.com-0001/cert.pem
privkey = /etc/letsencrypt/live/staging.trupath.com-0001/privkey.pem
chain = /etc/letsencrypt/live/staging.trupath.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/staging.trupath.com-0001/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = <GUID>
webroot_path = /usr/local/lsws/staging.trupath.com/web
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
No, sorry, my bad. It should be fine now that --dry-run is working.
I don't see anything different about the challenge profile in those two renewal files. The change was likely adding or removing a domain name which resulted in the -0001 file.
You could review certbot certificates on the old machine to compare to make sure you have all your domains covered on your new machine.
If your old machine's LiteSpeed server used the '-0001' path, that's the set of names you want on your new one. Of course, if LS did not reference the -0001 path on the old machine you won't need it on your new one.
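To make the comparison suggested above concrete, here is a small script that parses certbot renewal conf files, diffs their [renewalparams] sections regardless of key order, and flags a base name that has more than one lineage (the -0001 suffix case). This is an added example, not code from the thread or from certbot; it assumes the conf layout exactly as posted above, and the two sample files embedded in it are constructed from the posted contents with the same <GUID> placeholder.

```python
"""Compare certbot renewal configs and spot duplicate (-0001) lineages.

Added example, not from the thread or from certbot. It assumes the renewal
conf format exactly as posted: top-level lineage keys, then [renewalparams].
"""
import configparser
import os
import re
from collections import defaultdict

# Constructed sample input: the two renewal files posted in the thread,
# with the account ID replaced by the same <GUID> placeholder the poster used.
NONWORKING_CONF = """\
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/staging.trupath.com
cert = /etc/letsencrypt/live/staging.trupath.com/cert.pem
privkey = /etc/letsencrypt/live/staging.trupath.com/privkey.pem
chain = /etc/letsencrypt/live/staging.trupath.com/chain.pem
fullchain = /etc/letsencrypt/live/staging.trupath.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = <GUID>
authenticator = webroot
webroot_path = /usr/local/lsws/staging.trupath.com/web
server = https://acme-v02.api.letsencrypt.org/directory
"""

WORKING_CONF = """\
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/staging.trupath.com-0001
cert = /etc/letsencrypt/live/staging.trupath.com-0001/cert.pem
privkey = /etc/letsencrypt/live/staging.trupath.com-0001/privkey.pem
chain = /etc/letsencrypt/live/staging.trupath.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/staging.trupath.com-0001/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = <GUID>
webroot_path = /usr/local/lsws/staging.trupath.com/web
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
"""


def parse_renewal_conf(text):
    """Parse a renewal conf into {"lineage": {...}, "renewalparams": {...}}.

    certbot writes the lineage keys before any section header, which
    configparser rejects, so a synthetic [lineage] header is prepended.
    interpolation=None keeps any '%' in values from being expanded.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[lineage]\n" + text)
    return {section: dict(parser[section]) for section in parser.sections()}


def lineage_name(conf):
    """The lineage name is the last path component of archive_dir."""
    return os.path.basename(conf["lineage"]["archive_dir"].rstrip("/"))


def base_name(name):
    """Strip the -0001, -0002, ... suffix certbot appends when it creates a
    second lineage for a name that already has one."""
    return re.sub(r"-\d{4}$", "", name)


def diff_section(a, b, section):
    """Keys whose values differ or exist on one side only; key order is ignored."""
    sa, sb = a.get(section, {}), b.get(section, {})
    return {k: (sa.get(k), sb.get(k))
            for k in sorted(set(sa) | set(sb)) if sa.get(k) != sb.get(k)}


def find_duplicate_lineages(confs):
    """Group parsed confs by base name; report bases with more than one lineage."""
    groups = defaultdict(list)
    for conf in confs:
        groups[base_name(lineage_name(conf))].append(lineage_name(conf))
    return {base: sorted(names) for base, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    nonworking = parse_renewal_conf(NONWORKING_CONF)
    working = parse_renewal_conf(WORKING_CONF)
    print("renewalparams differences:", diff_section(nonworking, working, "renewalparams"))
    print("lineage path differences:", sorted(diff_section(nonworking, working, "lineage")))
    print("duplicate lineages:", find_duplicate_lineages([nonworking, working]))
```

On a real host you would feed it every file under /etc/letsencrypt/renewal/ from both machines; an empty renewalparams diff combined with a duplicate-lineage hit tells you the challenge setup is identical and that the only real question is which lineage (and therefore which set of domain names) the web server actually references.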
That makes sense on the adding/removing domain name being the root cause. I could find no difference that made any difference either. I REALLY appreciate the help you provided here.