Certbot is removing primary domain from some of our websites

Hi everyone,

Some of our websites ended up with a certificate missing their primary domain.
Certbot removed them because of some "DNS problem".

Why does Certbot have this behavior without this argument: "--allow-subset-of-names"?
How can I prevent this from happening in the future?
I would like Certbot to wait until the current certificate expires before it tries to remove domains.

Also, can Certbot notify me when a renewal fails?

My domain is: www.eylauimmobilier.com

I ran this command (the certbot systemctl service ran this command): /usr/bin/certbot -q renew --no-random-sleep-on-renew

It produced this output:
[...]
{
"identifier": {
"type": "dns",
"value": "www.eylauimmobilier.com"
},
"status": "invalid",
"expires": "2025-05-02T15:19:31Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/540134226/510979128307/feT8CA",
"status": "invalid",
"validated": "2025-04-25T15:19:35Z",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "During secondary validation: While processing CAA for www.eylauimmobilier.com: DNS problem: server failure at resolver looking up CAA for www.eylauimmobilier.com"
},
"token": "2Om9DFc2XKHAcEmwlUe0yCG3KDIWEe-NOC-PjbrGTYc",
"validationRecord": [
{
"url": "http://www.eylauimmobilier.com/.well-known/acme-challenge/2Om9DFc2XKHAcEmwlUe0yCG3KDIWEe-NOC-PjbrGTYc",
"hostname": "www.eylauimmobilier.com",
"port": "80",
"addressesResolved": [
"91.121.48.37"
],
"addressUsed": "91.121.48.37"
}
]
}
]
}
[...]
2025-04-25 15:21:07,704:DEBUG:certbot._internal.display.obj:Notifying user: Unable to obtain a certificate with every requested domain. Retrying without: www.eylauimmobilier.com
[...]

My web server is (include version): nginx/1.22.1

The operating system my web server runs on is (include version): Debian GNU/Linux 12 (bookworm)

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Thank you for your time!

Certbot should not do that if you have not stated --allow-subset-of-names

Did you use that option in the past? Because it may have been placed in the renewal config file. Or, do you have the allow-subset option in your cli.ini?

Please post the entire log file. Better is to rename it as .txt file and upload.

No, Certbot does not have that option. You could setup your own monitoring of your cert files on your server to see when they are "too old".

Or, use a monitoring system such as: Monitoring Service Options - Let's Encrypt

5 Likes
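As an added example (not from the thread and not Certbot's own code), a small POSIX shell script that implements the monitoring suggested above: it compares the SANs of the two newest certificates in each Certbot lineage so that a renewal which dropped a name, as happened here, is reported, and it warns when the newest certificate is within WARN_DAYS of expiry. It assumes Certbot's default archive layout under /etc/letsencrypt/archive/<lineage>/certN.pem (overridable with LE_ARCHIVE) and an openssl binary with the -ext option (OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Added example: compare the newest two certs of each Certbot lineage to catch a
# renewal that silently dropped a name, and warn about near expiry.
# Assumes the default layout /etc/letsencrypt/archive/<lineage>/certN.pem.
LE_ARCHIVE="${LE_ARCHIVE:-/etc/letsencrypt/archive}"
WARN_DAYS="${WARN_DAYS:-14}"
# DNS names from a certificate's subjectAltName, one per line, sorted.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | sort -u
}
# The two newest certN.pem files of a lineage directory, older one first.
last_two_certs() {
    for f in "$1"/cert*.pem; do
        [ -e "$f" ] || continue
        n=${f##*cert}; printf '%s %s\n' "${n%.pem}" "$f"
    done | sort -n | tail -n 2 | cut -d' ' -f2-
}
# Names carried by the previous certificate but missing from the newest one.
dropped_names() {
    set -- $(last_two_certs "$1")      # paths without spaces assumed
    [ $# -eq 2 ] || return 0           # first issuance: nothing to compare
    cert_sans "$1" | while read -r name; do
        cert_sans "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}
# Exit 0 when the certificate expires within WARN_DAYS (openssl -checkend
# itself exits 0 only when the cert is still valid past that window).
expires_soon() {
    ! openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null
}
# Walk every lineage and report; exit 1 if anything needs attention, so a
# cron job can mail the output instead of staying silent like "certbot -q".
check_all() {
    status=0
    for dir in "$LE_ARCHIVE"/*/; do
        lineage=$(basename "$dir")
        dropped=$(dropped_names "$dir" | tr '\n' ' ')
        if [ -n "$dropped" ]; then
            echo "WARNING: $lineage lost name(s) on last renewal: $dropped"; status=1
        fi
        newest=$(last_two_certs "$dir" | tail -n 1)
        if [ -n "$newest" ] && expires_soon "$newest"; then
            echo "WARNING: $lineage expires within $WARN_DAYS days"; status=1
        fi
    done
    return $status
}
```

Run it from cron (or as a --deploy-hook) and have cron mail any non-empty output; a non-zero exit is the signal that a name was lost or a renewal is overdue.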

Thank you for your help.

I have a lot of renewal config files with this line: "allow_subset_of_names = True".
Maybe I used the --allow-subset-of-names option in the past, but I don't remember that.

I removed this line everywhere.
Thank you for the link.

2 Likes