Cert would not renew

I’m not quite sure what was going on here. I generated, I think, 7 certs at one time probably 6+ months ago, moved to a new server during that time and successfully moved my certs over. Once on the new server, 6 of the 7 certs renewed properly, it seems. Today 1 of the certs expired, my CDN cert, so my site was totally broken for about an hour. I’m not sure why, nor is there any error in my logs to indicate why, at least to my knowledge. Even when forcing a renew, 6 of my 7 certs renewed without any issues whatsoever. What would cause this?

After messing around for a few minutes, I just generated a new cert with the exact same command that I used when initially requesting the cert: `sudo ./certbot-auto certonly --email certs@mysite.com --text --renew-by-default --agree-tos --webroot -w mysite.com/public_html -d cdn.mysite.com`

Here are a few questions I have: What happens to my old cert that was generated together with my 6 other certs? Will there be any issues when my 6 other certs renew? With me now having 2 different certs, when my crontab runs to renew the certs, will it automatically try to renew both certs?

Thanks!

Hi @andrewjs18,

I’m sorry you had trouble renewing your certificate.

The other six certificates should presumably be able to renew as they did before.

The old cert that can’t be renewed should eventually expire, assuming that it’s really impossible for Certbot to renew it for some reason.

However, Certbot will never stop trying to renew an old expired certificate with `certbot renew`, so you will always have failed attempts, assuming Certbot can find the reference to that certificate lineage in a file within `/etc/letsencrypt/renewal`. It might be helpful either to figure out more about what’s going on with the renewal failure (for example, you can increase Certbot’s output verbosity with `-v`) or to delete all of the files and directories associated with the old certificate lineage in question from within `/etc/letsencrypt`.

I’m also wondering where you found the instructions for the command that you used that includes `--renew-by-default`. That option has been renamed because its meaning was confusing (it doesn’t mean “try to renew this certificate in the future”, as users might have thought; it means only “if possible, don’t make a completely new certificate; instead, renew an existing certificate if a matching one exists”).

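To see which lineages a `certbot renew` run would attempt, which of them no longer have their certificate files, and whether two lineages claim the same hostname, here is an added example (not from this thread and not Certbot’s own code) that parses the `renewal/<lineage>.conf` files the reply refers to. It builds a constructed stand-in for `/etc/letsencrypt` and assumes that the `webroot_map` keys can serve as the lineage’s domain list and that the re-issued cdn certificate landed in a second lineage named with the `-0001` suffix Certbot uses for name clashes.

```python
import os

def parse_renewal_conf(text):
    """Parse certbot's renewal/<lineage>.conf: top-level keys, [renewalparams], [[webroot_map]]."""
    sections = {"top": {}, "renewalparams": {}, "webroot_map": {}}
    target = sections["top"]
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                 # [renewalparams] or [[webroot_map]]
            target = sections.setdefault(line.strip("[]"), {})
        elif "=" in line:
            key, _, value = line.partition("=")
            target[key.strip()] = value.strip()
    return sections

def audit_renewal_dir(renewal_dir):
    """One entry per .conf that `certbot renew` would attempt (does its cert file still
    exist?), plus domains claimed by several lineages (webroot_map keys = domains)."""
    lineages, by_domain = {}, {}
    for name in sorted(n for n in os.listdir(renewal_dir) if n.endswith(".conf")):
        with open(os.path.join(renewal_dir, name)) as f:
            conf = parse_renewal_conf(f.read())
        lineage, cert = name[:-len(".conf")], conf["top"].get("cert", "")
        lineages[lineage] = {"cert": cert, "cert_exists": os.path.exists(cert),
                             "domains": sorted(conf["webroot_map"])}
        for domain in conf["webroot_map"]:
            by_domain.setdefault(domain, []).append(lineage)
    return lineages, {d: ls for d, ls in by_domain.items() if len(ls) > 1}

# Constructed /etc/letsencrypt stand-in: stale cdn lineage (live/ files gone), its -0001 re-issue, one healthy one.
CONF_TEMPLATE = """cert = {root}/live/{lineage}/cert.pem
[renewalparams]
authenticator = webroot
[[webroot_map]]
{domain} = /home/user/mysite.com/public_html
"""

def build_sample_tree(root):
    os.makedirs(os.path.join(root, "renewal"), exist_ok=True)
    for lineage, domain, has_files in [("cdn.mysite.com", "cdn.mysite.com", False),
                                       ("cdn.mysite.com-0001", "cdn.mysite.com", True),
                                       ("www.mysite.com", "www.mysite.com", True)]:
        with open(os.path.join(root, "renewal", lineage + ".conf"), "w") as f:
            f.write(CONF_TEMPLATE.format(root=root, lineage=lineage, domain=domain))
        if has_files:                            # a live lineage also has live/<name>/cert.pem
            os.makedirs(os.path.join(root, "live", lineage), exist_ok=True)
            open(os.path.join(root, "live", lineage, "cert.pem"), "w").close()
    return os.path.join(root, "renewal")
```

Point `audit_renewal_dir` at a real `/etc/letsencrypt/renewal` to list what the cron job will try; a lineage with `cert_exists` false or a domain appearing under two lineages is the one to inspect with `-v` or remove cleanly.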
