Certbot --expand creates duplicate server settings

I have domains running properly with Certbot but whenever I run sudo certbot -d existingdomain.com,www.existingdomain.com,existingdomain2.com,www.existingdomain2.com,newdomain.com,newdomain.com --expand

It adds additional server blocks below the existing server information and crashes all the domains until I manually edit the file by deleting the extra server blocks and adding the newdomain information.

I am wondering if this is because the spacing has been changed from manually updating the file? But it would be great to not have to fix the file each time I run the --expand command.

I am using certbot and nginx.

Here is the config before running certbot --expand:

server {

    location = /favicon.ico { access_log off; log_not_found off; }

    listen 443 ssl; # managed by Certbot
    server_name ~^(www\.)?(.+)$;
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    root /home/.../.../project;

    location /static/ {
        root /home/.../.../project;
    }

    location /media/ {
        alias /home/.../.../.../media/$2/;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }







}






server {
    if ($host = www.existingdomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = existingdomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    
    
    if ($host = www.existingdomain2.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = existingdomain2.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot 








    listen 80;
    server_name 12.345.678.90 existingdomain.com *.existingdomain.com existingdomain2.com www.existingdomain2.com;
    return 404; # managed by Certbot

After running

sudo certbot -d existingdomain.com,www.existingdomain.com,newdomain.com --expand

It produced this output:

server {

    location = /favicon.ico { access_log off; log_not_found off; }

    listen 443 ssl; # managed by Certbot
    server_name ~^(www\.)?(.+)$;
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    root /home/.../.../project;

    location /static/ {
        root /home/.../.../project;
    }

    location /media/ {
        alias /home/.../.../project/media/$2/;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }









}






server {
    if ($host = www.existingdomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = existingdomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    
    
    if ($host = www.existingdomain2.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = existingdomain2.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot 
    server_name 12.345.678.90 existingdomain.com *.existingdomain.com existingdomain2.com www.existingdomain2.com;
    return 404; # managed by Certbot
















    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

















}







server {
    if ($host = www.existingdomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = existingdomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    
    
    if ($host = www.existingdomain2.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = existingdomain2.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot 










    listen 80;
    server_name 12.345.678.90 existingdomain.com *.existingdomain.com existingdomain2.com www.existingdomain2.com;
    return 404; # managed by Certbot

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 18.10

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Can you provide more detail? Exactly what error do you get?

I notice in both the "before" and "after" configs that your last server block is missing a closing brace. Is that true in your configs on disk, or was that a copy-paste error?

Copy and paste error regarding that last missing closing brace.

When I run --expand I end up getting a 500 error on all domains. In other words, none of the websites will load at all because the server block gets duplicated, which goes away when I manually update the file. --expand also does not appear to be adding the new domain names to that file. The certificates are fine; it's just the sites-available file that isn't updated correctly. I wonder if there is some way that I can delete the sites-available file and recreate it with some certbot command, or if there are just too many spaces in the file that cause it to try and create a new server block. I'm not sure. Perhaps it also could have something to do with using multiple domain names? I am not sure how to proceed.


What kind of 500 error?

If the Nginx config is broken, it should either still be running with the old config, or stopped.

So it should either work normally (probably with an older certificate) or you should be getting “Connection refused”.


Ah, I just noticed you have this as your server_name line:

    server_name ~^(www\.)?(.+)$;

I’m pretty sure Certbot doesn’t handle regex-style server_name. I didn’t even know it was possible until now!

I think that means when you ask Certbot to add a new server_name, rather than noticing it’s already served by the existing server block, it puts the new domain in a new server block.

Probably the easiest way around this is to use the certonly subcommand, i.e. sudo certbot certonly --expand -d ...
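Whichever route you take, a structural check of the site file before reloading nginx catches the two things visible in the posted "after" config: a catch-all `return 404` block that received the ssl directives, and a second block repeating that block's server_name and return. This is an added example, not Certbot's or nginx's code; the domain, paths and sample config are constructed, and it assumes a sites-available file whose top-level blocks are all `server {}` blocks.

```python
"""Added example, not Certbot's code: spot a `return 404` catch-all that got ssl directives."""
import re
# Constructed sample with the shape of the thread's "after" config (hypothetical domain).
SAMPLE = """
server {
    listen 443 ssl; # managed by Certbot
    server_name ~^(www\\.)?(.+)$;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem; # managed by Certbot
}
server {
    if ($host = example.test) { return 301 https://$host$request_uri; } # managed by Certbot
    server_name example.test *.example.test;
    return 404; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem; # managed by Certbot
}
server {
    listen 80;
    server_name example.test *.example.test;
    return 404; # managed by Certbot
}
"""
def server_blocks(text):
    """Per top-level block, its own (name, args) directives; nested if/location bodies elided."""
    text = re.sub(r"#[^\n]*", "", text)                  # comments never matter
    blocks, depth, buf = [], 0, ""
    for ch in text:
        depth += (ch == "{") - (ch == "}")
        if ch == "}" and depth == 0:                     # closed a top-level block
            blocks.append(re.findall(r"(\w+)\s+([^;\n]*);", buf)); buf = ""
        elif depth == 1 and ch not in "{}":              # keep only depth-1 text
            buf += ch
    if depth != 0:
        raise ValueError(f"unbalanced braces: depth {depth} at end of file")
    return blocks
def check(text):
    """Return findings as strings; an empty list means nothing suspicious. Run next to `nginx -t`."""
    try:
        blocks = server_blocks(text)
    except ValueError as e:
        return [str(e)]
    findings, seen = [], {}
    for n, d in enumerate(blocks, 1):
        names = {k for k, _ in d}
        if {"return", "ssl_certificate"} <= names:       # cert landed in a catch-all block
            findings.append(f"block {n}: catch-all 'return' block received ssl_certificate")
        key = tuple(sorted(kv for kv in d if kv[0] in ("server_name", "return")))
        first = seen.setdefault(key, n)                  # same server_name + return seen before?
        if first != n and "return" in names:
            findings.append(f"block {n}: repeats server_name/return of block {first}")
    return findings
```

A normal http-redirect plus https pair (same server_name, `return 301` only in the port-80 block) produces no findings, so the check is safe to run on a healthy file too.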

Certbot does have at least basic support for regex server names. (The code is here if you’re curious.)

I tried to reproduce this but failed to do so. Can you provide a full log from a run of Certbot (stored in /var/log/letsencrypt by default) showing this problem? Feel free to redact emails and IP addresses as you deem appropriate.


I have that regex working on a test server and it works fine. So I don't think it's that, but I will try the certonly command and see if it works.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.