Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: 66tr.ee
I ran this command: sudo certbot --apache
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: 66tr.ee
2: proxy.66tr.ee
3: rooms.66tr.ee
4: upload.66tr.ee
5: www.66tr.ee
6: xmpp.66tr.ee
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Renewing an existing certificate for 66tr.ee and 5 more domains
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/66tr.ee/fullchain.pem
Key is saved at: /etc/letsencrypt/live/66tr.ee/privkey.pem
This certificate expires on 2022-03-30.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for 66tr.ee to /etc/apache2/sites-enabled/66tr.ee.conf
Successfully deployed certificate for proxy.66tr.ee to /etc/apache2/sites-available/proxy.66tr.ee-le-ssl.conf
Successfully deployed certificate for rooms.66tr.ee to /etc/apache2/sites-available/rooms.66tr.ee-le-ssl.conf
Successfully deployed certificate for upload.66tr.ee to /etc/apache2/sites-available/upload.66tr.ee-le-ssl.conf
Successfully deployed certificate for www.66tr.ee to /etc/apache2/sites-enabled/66tr.ee.conf
Successfully deployed certificate for xmpp.66tr.ee to /etc/apache2/sites-available/xmpp.66tr.ee-le-ssl.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
My web server is (include version): Apache/2.4.41
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0
So why am I posting this? Well, by the output above, it looks like all my certs renewed. When I go to my site and view the certs on the subdomains in the browser, they are there and refreshed for 90 days. Awesome, I'm absolutely delighted that I finally got them to renew without touching DNS and with a single command. This is still an improvement and I'm very happy about it. But when I issue: sudo certbot certificates I see something I didn't expect:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: 66tr.ee
Serial Number: 30ec872eb5744fdef70f4871885ed0e277f
Key Type: RSA
Domains: 66tr.ee proxy.66tr.ee rooms.66tr.ee upload.66tr.ee www.66tr.ee xmpp.66tr.ee
Expiry Date: 2022-03-30 19:02:09+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/66tr.ee/fullchain.pem
Private Key Path: /etc/letsencrypt/live/66tr.ee/privkey.pem
Certificate Name: proxy.66tr.ee
Serial Number: 49929e855ea5d003336848534d54d003641
Key Type: RSA
Domains: proxy.66tr.ee turn.66tr.ee upload.66tr.ee
Expiry Date: 2021-04-09 19:08:51+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/proxy.66tr.ee/fullchain.pem
Private Key Path: /etc/letsencrypt/live/proxy.66tr.ee/privkey.pem
Certificate Name: rooms.66tr.ee
Serial Number: 404bcced82aed7e3db9784148783cfc991a
Key Type: RSA
Domains: rooms.66tr.ee upload.66tr.ee
Expiry Date: 2021-10-07 01:14:22+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/rooms.66tr.ee/fullchain.pem
Private Key Path: /etc/letsencrypt/live/rooms.66tr.ee/privkey.pem
Certificate Name: turn.66tr.ee
Serial Number: 453497e5c17a1feeb3f62e2e4fab34b618b
Key Type: RSA
Domains: turn.66tr.ee
Expiry Date: 2021-07-08 20:21:38+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/turn.66tr.ee/fullchain.pem
Private Key Path: /etc/letsencrypt/live/turn.66tr.ee/privkey.pem
Certificate Name: upload.66tr.ee
Serial Number: 33bddb0093d0bd2b0181c45b1d9e377da2e
Key Type: RSA
Domains: upload.66tr.ee
Expiry Date: 2022-01-04 23:19:34+00:00 (VALID: 5 days)
Certificate Path: /etc/letsencrypt/live/upload.66tr.ee/fullchain.pem
Private Key Path: /etc/letsencrypt/live/upload.66tr.ee/privkey.pem
Certificate Name: xmpp.66tr.ee
Serial Number: 40cc80cca2f61f700e105a2f9e63048a208
Key Type: RSA
Domains: xmpp.66tr.ee
Expiry Date: 2022-01-25 00:41:23+00:00 (VALID: 25 days)
Certificate Path: /etc/letsencrypt/live/xmpp.66tr.ee/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xmpp.66tr.ee/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
It only renewed the cert that contained all the subdomains. In my previous attempts I made some certificates for other subdomains I thought I needed, such as turn.66tr.ee. After that I tried to renew those certificates at once, but it made a single certificate. Not sure how relevant that last bit is.
Today this is what I was trying to accomplish: renew all existing certificates without using DNS. I used the Apache plugin to do this. I expected all certificates listed by sudo certbot certificates to renew.
Can someone explain where I went wrong here? I set up subdomains in apache along with directories I thought I needed, for example: /var/www/rooms.66tr.ee/.well-known/acme-challenge/. I did this for every subdomain so they matched every subdomain excluding the now defunct "turn.66tr.ee".
I was originally setting this up to use the webroot plugin instead of the apache plugin. When I attempted to use the Apache plugin and noticed that all "sites-enabled" were listed there, everything seemed like it was good to go. It may not be obvious from the output, but I just pressed Enter when it asked "Which names would you like to activate HTTPS for?" I thought it would renew them all. This is why I am surprised it only renewed the first certificate.
Did I successfully set up automated renewal for my multi-subdomain certificate named "66tr.ee" here? How do I verify that?
Sorry for this mess of a post. I'm just trying to understand the differences between the apache and webroot plugins. I want it as automatic as possible. A little downtime with apache is fine for my needs. Ideally, I'd just like all my certificates to renew without intervention using my apache server. (and also only two certificates structured like this [66tr.ee](containing 66tr.ee,www.66tr.ee) and [xmpp.66tr.ee](containing proxy.66tr.ee, rooms.66tr.ee, upload.66tr.ee, xmpp.66tr.ee) but I feel that needs a whole other post.)
Thank you for reading this monstrosity. I appreciate your time and any insight you have to clear up my confusion. PS: Happy New Year!
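An added example, not part of the original post: a small parser for the `certbot certificates` listing above that reports, for each certificate name, which of its domains appear on no other still-valid certificate. The function names `parse_lineages` and `coverage_report` are hypothetical, and the sample text is abridged from the post's own output.

```python
# Abridged from the post's `certbot certificates` output (serial, key type, path lines omitted).
SAMPLE = """\
Certificate Name: 66tr.ee
Domains: 66tr.ee proxy.66tr.ee rooms.66tr.ee upload.66tr.ee www.66tr.ee xmpp.66tr.ee
Expiry Date: 2022-03-30 19:02:09+00:00 (VALID: 89 days)
Certificate Name: proxy.66tr.ee
Domains: proxy.66tr.ee turn.66tr.ee upload.66tr.ee
Expiry Date: 2021-04-09 19:08:51+00:00 (INVALID: EXPIRED)
Certificate Name: rooms.66tr.ee
Domains: rooms.66tr.ee upload.66tr.ee
Expiry Date: 2021-10-07 01:14:22+00:00 (INVALID: EXPIRED)
Certificate Name: turn.66tr.ee
Domains: turn.66tr.ee
Expiry Date: 2021-07-08 20:21:38+00:00 (INVALID: EXPIRED)
Certificate Name: upload.66tr.ee
Domains: upload.66tr.ee
Expiry Date: 2022-01-04 23:19:34+00:00 (VALID: 5 days)
Certificate Name: xmpp.66tr.ee
Domains: xmpp.66tr.ee
Expiry Date: 2022-01-25 00:41:23+00:00 (VALID: 25 days)
"""

def parse_lineages(text):
    """Return {certificate name: {"domains": set, "valid": bool}}."""
    lineages, current = {}, None
    for line in text.splitlines():
        # Real output indents these fields; strip() copes with that.
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            current = lineages.setdefault(value, {"domains": set(), "valid": False})
        elif current is not None and key == "Domains":
            current["domains"] = set(value.split())
        elif current is not None and key == "Expiry Date":
            current["valid"] = "(VALID:" in value
    return lineages

def coverage_report(lineages):
    """Map each certificate name to its domains that no OTHER valid certificate carries."""
    report = {}
    for name, info in lineages.items():
        others = set().union(*(o["domains"] for n, o in lineages.items()
                               if n != name and o["valid"]))
        report[name] = sorted(info["domains"] - others)
    return report

for name, missing in coverage_report(parse_lineages(SAMPLE)).items():
    print(f"{name}: names on no other valid certificate: {missing or 'none'}")
```

On this listing, turn.66tr.ee is the only name held solely by an expired certificate; every other name on the separate per-subdomain certificates is also on the renewed 66tr.ee certificate.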