Certbot creates a certificate with "www" instead of a bare domain one - unlike before


I’ve been creating certificates this way for over a year:

export website="my_domain1111.com"
sudo certbot certonly --standalone -d $website -d www.$website --email hello@$website

and it’s always created one for $website


Today for some reason it created one with “www” instead of a bare domain

export website="another_my_domain222.com"
sudo certbot certonly --standalone -d $website -d www.$website --email hello@$website

# =>>>

Why? Has there been any change recently in certbot?

I’ve tried changing the order of the “-d” params - the same effect:

sudo certbot certonly --standalone  -d www.$website -d $website --email hello@$website

/etc/letsencrypt/live/www.another_my_domain222.com # with "www"

Version - 0.25


Certbot hasn’t changed.

What are the real domains?

What did Certbot output?

Alternately, what’s in /var/log/letsencrypt/letsencrypt.log?

Is there anything in /etc/letsencrypt/cli.ini?

What does “sudo certbot certificates” output?

If there was an older certificate for only “www.another_my_domain222.com” (for some reason), and you created a new certificate for "another_my_domain222.com and www.another_my_domain222.com", it would reuse the existing /etc/letsencrypt/live/www.another_my_domain222.com/ directory by default. I think that’s most likely what happened.


It printed out Congratulations!


If you want to force the resulting certificate to be in /etc/letsencrypt/live/another_my_domain222.com, you can also add the Certbot command-line option --cert-name another_my_domain222.com. This will prevent Certbot from reusing any pre-existing Certbot-managed certificate that covers all or a subset of the requested names.


What was the rest of the output?


The same output as before.


Here it is:

  $ website="my_website123.com"
  $ sudo certbot certonly --standalone -d $website -d www.$website --email admin@$website           
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator standalone, Installer None
  Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
  Cert not yet due for renewal

  You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
  (ref: /etc/letsencrypt/renewal/www.my_website123.com.conf)

  What would you like to do?
  1: Keep the existing certificate for now
  2: Renew & replace the cert (limit ~5 per 7 days)
  Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
  Renewing an existing certificate
  Performing the following challenges:
  http-01 challenge for my_website123.com
  http-01 challenge for www.my_website123.com
  Waiting for verification...
  Cleaning up challenges

   - Congratulations! Your certificate and chain have been saved at:
     Your key file has been saved at:
     Your cert will expire on 2018-10-18. To obtain a new or tweaked
     version of this certificate in the future, simply run certbot
     again. To non-interactively renew *all* of your certificates, run
     "certbot renew"
   - If you like Certbot, please consider supporting our work by:

     Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     Donating to EFF:                    https://eff.org/donate-le

Why did it create one for “www” instead of the bare domain?

On all my own servers this exact command has always created a cert. without “www” - this is what I need. I even tried yesterday – without “www”.

How can I make it create a cert. without “www”?


It didn’t—one for www instead of the bare domain already existed, so it used that one.

When run without --cert-name, Certbot will always use any existing certificate that covers all of the requested domains as the basis for a possible renewal. Here, it found an existing certificate that covered all of the requested domains and so it used that one as the basis for the renewal, including maintaining the cert name of the existing certificate.
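
A pre-flight check for the situation in this thread, added here as an example (not part of the thread and not Certbot's own code): it parses `sudo certbot certificates` output and lists existing lineages that, by the rule described in the replies, could be reused under their old name for a requested set of domains. The sample output and the `example.test` names are constructed, and the matching rule is a simplified model of what the replies describe.

```python
# Constructed sample of `sudo certbot certificates` output (not from the thread).
SAMPLE = """\
Found the following certs:
  Certificate Name: www.example.test
    Domains: www.example.test example.test
    Expiry Date: 2018-10-18 09:12:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.example.test/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.test/privkey.pem
  Certificate Name: other.example.test
    Domains: other.example.test
    Expiry Date: 2018-09-30 11:40:02+00:00 (VALID: 71 days)
    Certificate Path: /etc/letsencrypt/live/other.example.test/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/other.example.test/privkey.pem
"""

def parse_lineages(text):
    """Return {certificate name: set of domains} from `certbot certificates` text."""
    lineages, name = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Certificate Name":
            name = value.strip()
        elif key == "Domains" and name:
            lineages[name] = {d.lower() for d in value.split()}
    return lineages

def lineages_to_review(lineages, requested):
    """Existing lineages that may be picked up instead of a new one (assumed rule)."""
    requested = {d.lower() for d in requested}
    hits = []
    for name, domains in sorted(lineages.items()):
        if domains == requested:
            hits.append((name, "same domains"))
        elif domains >= requested:
            hits.append((name, "covers all requested"))
        elif domains <= requested:
            hits.append((name, "subset of requested"))
    return hits

def suggested_command(requested, cert_name):
    """Build the certonly command with an explicit --cert-name, as advised above."""
    names = " ".join("-d " + d for d in requested)
    return "sudo certbot certonly --standalone --cert-name %s %s" % (cert_name, names)

if __name__ == "__main__":
    wanted = ["example.test", "www.example.test"]
    for name, why in lineages_to_review(parse_lineages(SAMPLE), wanted):
        print("existing lineage %s (%s)" % (name, why))
    print(suggested_command(wanted, wanted[0]))
```
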


How was the “www” created in the first place?

