Certbot issues certificate for only a single domain on Renewal - [BUG]

Please fill out the fields below so we can help you better.

My domain is:
clay.example.com,clay-dev.example.com

I ran this command:
Arguments: ['--standalone', '--email', 'info@example.com', '--agree-tos', '--standalone-supported-challenges', 'http-01', '--renew-by-default', '--text', '--verbose', '--renew-with-new-domains', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--cert-name', 'clay.example.com', '-d', 'clay.example.com,clay-dev.example.com']

It produced this output:
Donating to EFF: https://eff.org/donate-le
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate

  • If you like Certbot, please consider supporting our work by:
    renew"
    non-interactively renew all of your certificates, run "certbot
    certificate in the future, simply run certbot again. To
    expire on 2017-09-06. To obtain a new or tweaked version of this

My web server is (include version):
Custom web server

The operating system my web server runs on is (include version):
Ubuntu 16

My hosting provider, if applicable, is:
Not applicable

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

What happens is, after the command completes, only the first certificate clay.example.com is generated. In fact, I removed the flag --renew-with-new-domains and it will fail and ask that I actually agree to add new domains to the already existing certificate. I am running this code inside the docker image “quay.io/letsencrypt/letsencrypt:latest”.

Initially I created a certificate clay-dev.example.com and later on I wanted to create one certificate with the following two domains: clay.example.com,clay-dev.example.com. But I am unable to accomplish this.

Thanks for your help.

The way to get multiple hostnames is with multiple -d flags. So it would be -d clay.example.com -d clay-dev.example.com.

That was what I was doing before. It was also not working, and I then switched to the above format.

Hi @accessviolation,

I might have misunderstood your problem, but I’m not sure if you realized that every time you run Certbot you always only get a single certificate. When you use multiple -d flags, the certificate that you get will be valid for all of those domains as subject alternative domains. Nonetheless, the certificate name will not reflect this in any way. If you need multiple separate certificates for some reason, you need to run Certbot separately for each certificate.

Correct, that is what I am expecting as well. In fact, it is working for other combinations of domains, but for the above combination of two domains, the certificate that is generated does not contain the subject alternative domains. This is the problem I am reporting. I am not expecting multiple certificates for the combination of domains. I want just one certificate after using the multiple -d flags.

That’s pretty strange! Could you share the domains or the certificate itself, as well as the associated log file from /var/log/letsencrypt?

There is an option called --allow-subset-of-domains which would allow the behavior that you’re reporting, but this option should be off by default.

Sure.

IMPORTANT NOTES:

Donating to EFF: https://eff.org/donate-le
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate

Reporting to user: If you like Certbot, please consider supporting our work by:
Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/clay.example.com/fullchain.pem. Your cert will expire on 2017-09-06. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run "certbot renew"
Writing new config /etc/letsencrypt/renewal/clay.example.com.conf.new.
Writing full chain to /etc/letsencrypt/archive/clay.example.com/fullchain13.pem.
Writing chain to /etc/letsencrypt/archive/clay.example.com/chain13.pem.
Writing certificate to /etc/letsencrypt/archive/clay.example.com/cert13.pem.
Writing new private key to /etc/letsencrypt/archive/clay.example.com/privkey13.pem.

Connection: keep-alive
Date: Thu, 08 Jun 2017 13:54:58 GMT
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
Expires: Thu, 08 Jun 2017 13:54:58 GMT
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
Replay-Nonce: K6GcLTY_LD9wCXrNPQa7Zfd4XE6z5fLz1EpV0VS-Wr8
Boulder-Request-Id: ac_b1hbCiWCigMh3coa8iq-3aVY1FaPBEyOAgv6338Y
Content-Length: 1174
Content-Type: application/pkix-cert
Server: nginx
HTTP 200
Received response:
https://acme-v01.api.letsencrypt.org:443 “GET /acme/issuer-cert HTTP/1.1” 200 1174
Sending GET request to https://acme-v01.api.letsencrypt.org/acme/issuer-cert.
Storing nonce: 5hV8l9pllUdFiPH6bbvCFBkB4GNhe1k6Q7TCnLJJdoc

Connection: keep-alive
Date: Thu, 08 Jun 2017 13:54:58 GMT
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
Expires: Thu, 08 Jun 2017 13:54:58 GMT
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
Replay-Nonce: 5hV8l9pllUdFiPH6bbvCFBkB4GNhe1k6Q7TCnLJJdoc
Location: https://acme-v01.api.letsencrypt.org/acme/cert/03691b225ab0412f4998760bc33548fbde1b
Link: ;rel="up"
Boulder-Requester: 1552508
Boulder-Request-Id: WUiTfx7a8ucfeLM9ypeF47VhxpoQzOq6XAymUuR1_Eo
Content-Length: 1285
Content-Type: application/pkix-cert
Server: nginx
HTTP 201
Received response:
https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-cert HTTP/1.1” 201 1285
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-cert:
}
“resource”: “new-cert”,
{
JWS payload:
Requesting issuance…
CSR: CSR(file='/etc/letsencrypt/csr/0329_csr-certbot.pem', data=<DER bytes omitted>, form='der'), domains: [u'clay.example.com']
Creating CSR: /etc/letsencrypt/csr/0329_csr-certbot.pem
Generating key (2048 bits): /etc/letsencrypt/keys/0329_key-certbot.pem
Stopping server at 0.0.0.0:80…
Cleaning up challenges
}
]
]
1
[
],
0
[
],
2
[
“combinations”: [
],
}
“token”: "jWfSRi5nTOmPGTJWqY_9-QWuLPe4p48T6970zQ82wR4"
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639703”,
“status”: “pending”,
“type”: “dns-01”,
{
},
]
}
“addressesTried”: []
“addressUsed”: “149.202.210.233”,
],
"149.202.210.233"
“addressesResolved”: [
“port”: “80”,
“hostname”: “clay.example.com”,
“url”: “http://clay.example.com/.well-known/acme-challenge/cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
{
“validationRecord”: [
“keyAuthorization”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY.jNVxnwWkeHa5XUnlpHT5zk5ODHddNS0bH50Ryqdg-g0”,
“token”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702”,
“status”: “valid”,
“type”: “http-01”,
{
},
“token”: "CaulNua2zfkUXAaKHyD5iZ6bheQ7DMJEw-ATW3325V4"
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639701”,
“status”: “pending”,
“type”: “tls-sni-01”,
{
“challenges”: [
“expires”: “2017-07-06T09:06:04Z”,
“status”: “valid”,
},
“value”: “clay.example.com
“type”: “dns”,
“identifier”: {
{

Connection: keep-alive
Date: Thu, 08 Jun 2017 13:54:57 GMT
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
Expires: Thu, 08 Jun 2017 13:54:57 GMT
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
Replay-Nonce: rkjm8K7wnnvodudOyWBMz3pSK3rg0UJqhJmJY7H_-QY
Link: ;rel="next"
Boulder-Request-Id: FwySeNUM1rOVs7q4ArK2GJYFXQwiC5lP2TlTXWeOl5I
Content-Length: 1493
Content-Type: application/json
Server: nginx
HTTP 200
Received response:
https://acme-v01.api.letsencrypt.org:443 “GET /acme/authz/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0 HTTP/1.1” 200 1493
Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0.
Storing nonce: Pfo549XFXIi2EmGnoALiQc7LvxrUJAZzX2T5FhGxiwI
}
]
}
“addressesTried”: []
“addressUsed”: “149.202.210.233”,
],
"149.202.210.233"
“addressesResolved”: [
“port”: “80”,
“hostname”: “clay.example.com”,
“url”: “http://clay.example.com/.well-known/acme-challenge/cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
{
“validationRecord”: [
“keyAuthorization”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY.jNVxnwWkeHa5XUnlpHT5zk5ODHddNS0bH50Ryqdg-g0”,
“token”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702”,
“status”: “valid”,
“type”: “http-01”,
{

Connection: keep-alive
Date: Thu, 08 Jun 2017 13:54:54 GMT
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
Expires: Thu, 08 Jun 2017 13:54:54 GMT
Replay-Nonce: Pfo549XFXIi2EmGnoALiQc7LvxrUJAZzX2T5FhGxiwI
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702
Link: ;rel="up"
Boulder-Requester: 1552508
Boulder-Request-Id: nhS-6dj78F1gDzNatV58IrI1KxA7Ax4TezkjOYfXlZE
Content-Length: 673
Content-Type: application/json
Server: nginx
HTTP 202
Received response:
https://acme-v01.api.letsencrypt.org:443 “POST /acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702 HTTP/1.1” 202 673
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702:
}
“resource”: “challenge”
“type”: “http-01”,
“keyAuthorization”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY.jNVxnwWkeHa5XUnlpHT5zk5ODHddNS0bH50Ryqdg-g0”,
{
JWS payload:
Waiting for verification…
Psutil not found, using simple socket check.
http-01 challenge for clay.example.com
Performing the following challenges:
Storing nonce: FY_qPxuUIUAI3gPg5ghOeq1dHY9fTLCkHEpYPt84QvM
}
]
]
1
[
],
0
[
],
2
[
“combinations”: [
],
}
“token”: "jWfSRi5nTOmPGTJWqY_9-QWuLPe4p48T6970zQ82wR4"
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639703”,
“status”: “pending”,
“type”: “dns-01”,
{
},
]
}
“addressesTried”: []
“addressUsed”: “149.202.210.233”,
],
"149.202.210.233"
“addressesResolved”: [
“port”: “80”,
“hostname”: “clay.example.com”,
“url”: “http://clay.example.com/.well-known/acme-challenge/cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
{
“validationRecord”: [
“keyAuthorization”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY.jNVxnwWkeHa5XUnlpHT5zk5ODHddNS0bH50Ryqdg-g0”,
“token”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702”,
“status”: “valid”,
“type”: “http-01”,
{
},
“token”: "CaulNua2zfkUXAaKHyD5iZ6bheQ7DMJEw-ATW3325V4"
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639701”,
“status”: “pending”,
“type”: “tls-sni-01”,
{
“challenges”: [
“expires”: “2017-07-06T09:06:04Z”,
“status”: “valid”,
},
“value”: “clay.example.com
“type”: “dns”,
“identifier”: {
{

Connection: keep-alive
Date: Thu, 08 Jun 2017 13:54:54 GMT
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
Expires: Thu, 08 Jun 2017 13:54:54 GMT
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
Replay-Nonce: FY_qPxuUIUAI3gPg5ghOeq1dHY9fTLCkHEpYPt84QvM
Location: https://acme-v01.api.letsencrypt.org/acme/authz/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0
Link: ;rel="next"
Boulder-Requester: 1552508
Boulder-Request-Id: ifXs4REQaRiLJXfwCr1gUV-DSS-ASf3sqO8ZlMY6LCE
Content-Length: 1493
Content-Type: application/json
Server: nginx
HTTP 201
Received response:
https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-authz HTTP/1.1” 201 1493
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
}
“resource”: “new-authz”
},
“value”: “clay.example.com
“type”: “dns”,
“identifier”: {
{
JWS payload:
Storing nonce: kXM08asBPaziUoSPxZgYVI7PlvCSU723WwZSRWM2FO0

Connection: keep-alive
Date: Thu, 08 Jun 2017 13:54:53 GMT
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
Expires: Thu, 08 Jun 2017 13:54:53 GMT
Replay-Nonce: kXM08asBPaziUoSPxZgYVI7PlvCSU723WwZSRWM2FO0
Boulder-Request-Id: J3-aLMXfWlAqpkPlCxXNH4rgId5h5JSZzWbOWYxj77g
Allow: POST
Content-Length: 91
Content-Type: application/problem+json
Server: nginx
HTTP 405
Received response:
https://acme-v01.api.letsencrypt.org:443 “HEAD /acme/new-authz HTTP/1.1” 405 0
Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
Requesting fresh nonce
Renewing an existing certificate
}
“revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert
“new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,
“new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,
“new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,
“key-change”: “https://acme-v01.api.letsencrypt.org/acme/key-change”,
{

Connection: keep-alive
Date: Thu, 08 Jun 2017 13:54:53 GMT
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
Expires: Thu, 08 Jun 2017 13:54:53 GMT
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
Replay-Nonce: Pr5pHAUEMwmaafiQLdR-pfJDqEbLR02HKPAVIgzNKHI
Boulder-Request-Id: rGPNO6_imDcPOdkpf0u65UE-nHTaOISAUDj_R8rj23s
Content-Length: 352
Content-Type: application/json
Server: nginx
HTTP 200
Received response:
https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 352
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
Picked account:
Selected authenticator and installer None
Prep: True
Initialized:
Entry point: standalone = certbot.plugins.standalone:Authenticator
Interfaces: IAuthenticator, IPlugin
Description: Spin up a temporary webserver
Single candidate plugin: * standalone
Requested authenticator standalone and installer None
Discovered plugins: PluginsRegistry(PluginEntryPoint#script,PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#webroot,PluginEntryPoint#nginx,PluginEntryPoint#apache,PluginEntryPoint#null)
Arguments: ['--standalone', '--email', 'info@example.com', '--agree-tos', '--standalone-supported-challenges', 'http-01', '--renew-by-default', '--text', '--verbose', '--renew-with-new-domains', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '-d', 'clay.example.com', '-d', 'clay-dev.example.com']
certbot version: 0.10.0.dev0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Root logging level set at 10
Please use the --preferred-challenges flag instead.
WARNING: The standalone specific supported challenges flag is deprecated.
Dispatching certificate creation request - This can take a while to complete depending on the number of domains
Completed parsing request body

That doesn’t look like an ordinary Certbot log to me: they normally start with a timestamp on each line. I’d also expect the relevant part of the log to start at “certbot version:”.

Most likely both names don’t resolve to the same IP or one may have IPv6.
But since we don’t have the real names there is no way to troubleshoot.

@rg305, still, without --allow-subset-of-names I would expect either a complete failure or a complete success.
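An added example, not from the thread or from Certbot: a small check over a Certbot debug log that compares the names passed with -d against the names that reached the challenge and CSR stages, which is the mismatch visible in the pasted output (two -d names in `Arguments:`, one name in `domains:`). The sample log is constructed from the line shapes quoted above, and the function names are this example's own.

```python
import ast
import re

# Certbot's documented spellings of the domain option.
DOMAIN_FLAGS = {"-d", "--domain", "--domains"}

# Constructed sample, modelled on the log lines quoted in this thread.
# The CSR bytes are elided; only the trailing "domains:" list matters here.
SAMPLE_LOG = """\
2017-06-09 13:11:45,708:DEBUG:certbot.main:certbot version: 0.10.0.dev0
2017-06-09 13:11:45,708:DEBUG:certbot.main:Arguments: ['--standalone', '--renew-with-new-domains', '--cert-name', 'clay.example.com', '-d', 'clay.example.com', '-d', 'clay-dev.example.com']
2017-06-09 13:11:47,034:INFO:certbot.auth_handler:Performing the following challenges:
2017-06-09 13:11:47,034:INFO:certbot.auth_handler:http-01 challenge for clay.example.com
CSR: CSR(file='/etc/letsencrypt/csr/0329_csr-certbot.pem', data='...', form='der'), domains: [u'clay.example.com']
"""


def _unique(names):
    """Lower-case and de-duplicate while keeping first-seen order."""
    seen = []
    for name in names:
        name = name.strip().lower()
        if name and name not in seen:
            seen.append(name)
    return seen


def requested_names(log):
    """Names given on the command line, from the logged 'Arguments:' list."""
    match = re.search(r"Arguments: (\[.*\])", log)
    if not match:
        return []
    args = ast.literal_eval(match.group(1))
    names = []
    for flag, value in zip(args, args[1:]):
        if flag in DOMAIN_FLAGS:
            # A single -d may carry a comma-separated list of names.
            names.extend(value.split(","))
    return _unique(names)


def challenged_names(log):
    """Names for which the client logged a challenge attempt."""
    pattern = r"(?:http-01|tls-sni-01|dns-01) challenge for (\S+)"
    return _unique(re.findall(pattern, log))


def csr_names(log):
    """Names placed in the CSR, from the logged 'domains: [...]' list."""
    match = re.search(r"domains: (\[[^\]]*\])", log)
    return _unique(ast.literal_eval(match.group(1))) if match else []


def coverage_report(log):
    """Report requested names that are missing at each later stage.

    The CSR list is the decisive one: a name absent from the CSR
    cannot appear as a subject alternative name in the issued certificate.
    """
    wanted = requested_names(log)
    challenged = challenged_names(log)
    in_csr = csr_names(log)
    return {
        "requested": wanted,
        "not_challenged": [n for n in wanted if n not in challenged],
        "not_in_csr": [n for n in wanted if n not in in_csr],
    }


if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_LOG).items():
        print(key, value)
```
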

Correct, if pointing to different IPs it fails completely. Will be back in the office tomorrow and will cat and send the output from the file /var/log/letsencrypt/letsencrypt.log. I had assumed the output to stdout was the same thing written to this file.

Thanks, @accessviolation!

So I attempted to issue the cert again but I have exceeded the limit. But below are the logs. The reason I do not have the previous logs is because the container was immediately purged after completion and the log directory was not mounted outside of the container. I did the mount this time and this is the output.

2017-06-09 13:11:45,708:DEBUG:certbot.main:Root logging level set at 10
2017-06-09 13:11:45,708:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-06-09 13:11:45,708:DEBUG:certbot.main:certbot version: 0.10.0.dev0
2017-06-09 13:11:45,708:DEBUG:certbot.main:Arguments: ['--standalone', '--email', 'info@example.com', '--agree-tos', '--standalone-supported-challenges', 'http-01', '--renew-by-default', '--text', '--verbose', '--renew-with-new-domains', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--cert-name', 'clay.example.com', '-d', 'clay.example.com', '-d', 'clay-dev.example.com']
2017-06-09 13:11:45,708:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#script,PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#webroot,PluginEntryPoint#nginx,PluginEntryPoint#apache,PluginEntryPoint#null)
2017-06-09 13:11:45,709:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-06-09 13:11:45,728:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f28662c5d90>
Prep: True
2017-06-09 13:11:45,728:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f28662c5d90> and installer None
2017-06-09 13:11:45,732:DEBUG:certbot.main:Picked account: <Account(a939c41db390ffae8c652acdbd6b5089)>
2017-06-09 13:11:45,732:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-06-09 13:11:45,737:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-06-09 13:11:46,041:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 352
2017-06-09 13:11:46,042:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: l_Y6aZ9urgHDfZbSVHUxV3nCn9bA5eg67SHeTLnOIvo
Replay-Nonce: RF_wAIi_gsUgtraPDPeDT3Aw_KEZK9pDcmnvlwFVAuU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 09 Jun 2017 13:11:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 09 Jun 2017 13:11:46 GMT
Connection: keep-alive

{
“key-change”: “https://acme-v01.api.letsencrypt.org/acme/key-change”,
“new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,
“new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,
“new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,
“revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert
}
2017-06-09 13:11:46,153:INFO:certbot.main:Renewing an existing certificate
2017-06-09 13:11:46,153:DEBUG:root:Requesting fresh nonce
2017-06-09 13:11:46,154:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-06-09 13:11:46,361:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “HEAD /acme/new-authz HTTP/1.1” 405 0
2017-06-09 13:11:46,362:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: ielYUpBaGEBV0ocdZysaH3bCo9oC-x2qxShRRtYnPTQ
Replay-Nonce: s1hYY9MHYEn-C2qoTchZOTdDYqIvRinfYjMkus5xE-8
Expires: Fri, 09 Jun 2017 13:11:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 09 Jun 2017 13:11:46 GMT
Connection: keep-alive

2017-06-09 13:11:46,363:DEBUG:acme.client:Storing nonce: s1hYY9MHYEn-C2qoTchZOTdDYqIvRinfYjMkus5xE-8
2017-06-09 13:11:46,363:DEBUG:acme.client:JWS payload:
{
“identifier”: {
“type”: “dns”,
“value”: “clay.example.com
},
“resource”: “new-authz”
}
2017-06-09 13:11:46,367:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
2017-06-09 13:11:47,032:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-authz HTTP/1.1” 201 1493
2017-06-09 13:11:47,033:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1493
Boulder-Request-Id: gXMPtz-av3UVoy66Ta6nbA38fmHhGV8DiDxdPb8jZaE
Boulder-Requester: 1552508
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0
Replay-Nonce: xuyrmbVCc–bqsXC3cYkSTMPJMMBW24qxEKQJk0L5Sw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 09 Jun 2017 13:11:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 09 Jun 2017 13:11:47 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “clay.example.com
},
“status”: “valid”,
“expires”: “2017-07-06T09:06:04Z”,
“challenges”: [
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639701”,
“token”: “CaulNua2zfkUXAaKHyD5iZ6bheQ7DMJEw-ATW3325V4”
},
{
“type”: “http-01”,
“status”: “valid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702”,
“token”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
“keyAuthorization”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY.jNVxnwWkeHa5XUnlpHT5zk5ODHddNS0bH50Ryqdg-g0”,
“validationRecord”: [
{
“url”: “http://clay.example.com/.well-known/acme-challenge/cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
“hostname”: “clay.example.com”,
“port”: “80”,
“addressesResolved”: [
“149.202.210.233”
],
“addressUsed”: “149.202.210.233”,
“addressesTried”: []
}
]
},
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639703”,
“token”: “jWfSRi5nTOmPGTJWqY_9-QWuLPe4p48T6970zQ82wR4”
}
],
“combinations”: [
[
2
],
[
0
],
[
1
]
]
}
2017-06-09 13:11:47,033:DEBUG:acme.client:Storing nonce: xuyrmbVCc–bqsXC3cYkSTMPJMMBW24qxEKQJk0L5Sw
2017-06-09 13:11:47,034:INFO:certbot.auth_handler:Performing the following challenges:
2017-06-09 13:11:47,034:INFO:certbot.auth_handler:http-01 challenge for clay.example.com
2017-06-09 13:11:47,034:DEBUG:certbot.plugins.util:Psutil not found, using simple socket check.
2017-06-09 13:11:47,039:INFO:certbot.auth_handler:Waiting for verification…
2017-06-09 13:11:47,039:DEBUG:acme.client:JWS payload:
{
“keyAuthorization”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY.jNVxnwWkeHa5XUnlpHT5zk5ODHddNS0bH50Ryqdg-g0”,
“type”: “http-01”,
“resource”: “challenge”
}
2017-06-09 13:11:47,042:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702:
2017-06-09 13:11:47,270:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702 HTTP/1.1” 202 673
2017-06-09 13:11:47,272:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 673
Boulder-Request-Id: M-5ax_XdgDZKrZa9oKXWVEAnk6UwngSZP6CpWqO994w
Boulder-Requester: 1552508
Link: https://acme-v01.api.letsencrypt.org/acme/authz/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702
Replay-Nonce: mPUPaEA6C6v9-GlgMWJnzEzr_f7Bb68DqO_smaRlFNI
Expires: Fri, 09 Jun 2017 13:11:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 09 Jun 2017 13:11:47 GMT
Connection: keep-alive

{
“type”: “http-01”,
“status”: “valid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702”,
“token”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
“keyAuthorization”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY.jNVxnwWkeHa5XUnlpHT5zk5ODHddNS0bH50Ryqdg-g0”,
“validationRecord”: [
{
“url”: “http://clay.example.com/.well-known/acme-challenge/cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
“hostname”: “clay.example.com”,
“port”: “80”,
“addressesResolved”: [
“149.202.210.233”
],
“addressUsed”: “149.202.210.233”,
“addressesTried”: []
}
]
}
2017-06-09 13:11:47,273:DEBUG:acme.client:Storing nonce: mPUPaEA6C6v9-GlgMWJnzEzr_f7Bb68DqO_smaRlFNI
2017-06-09 13:11:50,276:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0.
2017-06-09 13:11:50,478:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /acme/authz/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0 HTTP/1.1” 200 1493
2017-06-09 13:11:50,480:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1493
Boulder-Request-Id: ZbS4HBbtuzZl8S-OdM8pPys0CFXq5OUZLsNNOkBL9sI
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: QVTOP9VVSpLHAYmA_a3Ndh0xxiWn0pLE6Zt0H-mjnLI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 09 Jun 2017 13:11:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 09 Jun 2017 13:11:50 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “clay.example.com”
},
“status”: “valid”,
“expires”: “2017-07-06T09:06:04Z”,
“challenges”: [
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639701”,
“token”: “CaulNua2zfkUXAaKHyD5iZ6bheQ7DMJEw-ATW3325V4”
},
{
“type”: “http-01”,
“status”: “valid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639702”,
“token”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
“keyAuthorization”: “cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY.jNVxnwWkeHa5XUnlpHT5zk5ODHddNS0bH50Ryqdg-g0”,
“validationRecord”: [
{
“url”: “http://clay.example.com/.well-known/acme-challenge/cvHVh6vF4yiez8KLbRaGyu_Hgs9rtjwJmOUgbvRNMVY”,
“hostname”: “clay.example.com”,
“port”: “80”,
“addressesResolved”: [
“149.202.210.233”
],
“addressUsed”: “149.202.210.233”,
“addressesTried”: []
}
]
},
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/xfpNprJOJU0MeKVWgOOSZNnOx1kso9hD9iVDPAZ7Em0/1288639703”,
“token”: “jWfSRi5nTOmPGTJWqY_9-QWuLPe4p48T6970zQ82wR4”
}
],
“combinations”: [
[
2
],
[
0
],
[
1
]
]
}
2017-06-09 13:11:50,481:INFO:certbot.auth_handler:Cleaning up challenges
2017-06-09 13:11:50,482:DEBUG:certbot.plugins.standalone:Stopping server at 0.0.0.0:80…
2017-06-09 13:11:50,655:INFO:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0332_key-certbot.pem
2017-06-09 13:11:50,660:INFO:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0332_csr-certbot.pem
2017-06-09 13:11:50,660:DEBUG:certbot.client:CSR: CSR(file=’/etc/letsencrypt/csr/0332_csr-certbot.pem’, data=‘0\x82\x02\x8c0\x82\x01t\x02\x01\x020\x1a1\x180\x16\x06\x03U\x04\x03\x0c\x0fclay.example.com0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xf3Oco\xacG\xb4\x18\xc3fe9U\xea\xf3\xb4\xf9\x83r\xcf\xb9\x91\xe5\xd7\xc2\x8f\xfe%\xa3(\xe0\x83\x96\x94\x02)\x96\x1c\xea\x1fv\xc8\x02\x95E\r}8\x9aKr\xd4\r\x84\x14\xb1\xdb\xab~G\xac’\x07\x95\xf5\xa8\xeb\x8f\x8d\x8d.\x08\xb9\xa5\xa7\x06\xcb:Y3e\xd3\x0e:\xa6\x12H|\x14\x86y\xa9q\xcdTJm\x0c#\x8d\x07u\xf9\xdf\xe6\tp\x95\x1c\x15k|B\x8f\xea!\x1c\xf0Rl\xe1\x96?L\x97\x1f\x956\xda\xe8v\x9c\xc6\x90\x83-\x04C\xb8Yr\xfb\xbcfF\xd6\xb2+^\x92\xcbP`\x0b"%=\x0fd\xb9\x1d\xca\xaa\xfe\xea\xdbf1n\x91\xed\x81\xa58\x7f\x14\xd2\xa9t\x93\xe0\x8b\x95\xcc:\x81\xb8\xfd\xf1d2\xfc\x86\xf6q\xe5\xd6\xdf\x80\xa3%\xe3y}\x10>\xe5\x1f\xd7D\x94+\xee~\xda\xd4W\xad\xc3>\x01\xbb\xd0\x90\x97g\xa1 \x92B?J\x1a\xc8ZF\xfe\x94\xbc\xef\xff\x9b\x8f]\x0c\xca\xc9l\xf5;\xd3\xed\x97p\x9b\x02\x03\x01\x00\x01\xa0-0+\x06\t*\x86H\x86\xf7\r\x01\t\x0e1\x1e0\x1c0\x1a\x06\x03U\x1d\x11\x04\x130\x11\x82\x0fclay.example.com0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\xa4L\xa7\xcdG\x93\xff|*VC\x0f9\xd3\x80|65\x91\xb9T\x85I9\x99\xbd\x03.\xaa\xa9\xa6\xb9Ln\xb1\xf7I\x90n\xa4\xad2\x85eQ\xe0\x8ft\xb9f\xf8?\x17\xc7\x05\xc1d\x97C0\xb6|\xaf^\xea\xe8T\x01\xca\xbf[\xe0\n+’\xd00E\x7f\xcb\x9ehm\xebMG{\xa4\xecq/4i\x91"o\x81\\xee\xb7\xbcd\x1c\xb29\x94\x02+\x96\x11a\x84\xab\x9eT\xc5\t46\xb9\xc4#(\xce\xd9\x8e\xd5\x85\x8f[\xb9\xfea\xb5>\x12.\xb9!v&\xaccQ\x96\x93\x9a\x98\x19\x95\x11\xb1\xa2\x9c\x82 \xab\xcc\xeb\xfdBs\xfd\xc2\x1a\xee\x02\\xf0\xbc\xf1%cBj\x05\xa7\xb2\xfa\x99\xe25\xfc9\x91\xc6\xb2\xca\xab\xce\xb3RBaf 5\xc9\xc4\x7f\xf8\xf3\xebW;^Y>\xfff\x11\xc7\xd5\x17.\x8bD\xcf\xb9x\xa1\xdb\x0ec\xf0$\xf3\xa9\xf0xR\xb9\xd4\xf2\x1d\xe3\x98r\x16\x9e\x15/\xa9\x0c\xaf\x8d\x1f\x90\x89\xe9P0\x08FD/’, form=‘der’), domains: 
[u’clay.example.com’]
2017-06-09 13:11:50,660:DEBUG:acme.client:Requesting issuance…
2017-06-09 13:11:50,660:DEBUG:acme.client:JWS payload:
{
“resource”: “new-cert”,
“csr”: “MIICjDCCAXQCAQIwGjEYMBYGA1UEAwwPZGZsLmFwcGxvZnQuYml6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA809jb6xHtBjDZmU5VerztPmDcs-5keXXwo_-JaMo4IOWlAIplhzqH3bIApVFXHJ9OJpLctQNhBSx26t-R6wnB5X1qOuPjY0uCLmlpwbLOlkzZdMOOqYSSHwUhnmpcc1USm0MI40Hdfnf5glwlRwVa3xCj-ohHPBSbOGWP0yXH5U22uh2nMaQgy0EQ7hZcvu8ZkbWsitekstQYAsiJT0PZLkdyqr-6ttmMW6R7YGlOH8U0ql0k-CLlcw6gbj98WQy_Ib2ceXW34CjJeN5fRA-5R_XRJQr7n7a1Fetwz4Bu9CQl2ehIJJCP0oayFpG_pS87_-bj10Mysls9TvT7ZdwmwIDAQABoC0wKwYJKoZIhvcNAQkOMR4wHDAaBgNVHREEEzARgg9kZmwuYXBwbG9mdC5iaXowDQYJKoZIhvcNAQELBQADggEBAKRMp81Hk_98KlZDDznTgHw2NZG5VIVJOZm9Ay6qqaa5TG6x90mQbqStMoVlUeCPdLlm-D8XxwXBZJdDMLZ8r17q6FQByr9b4AorJ9AwRX_Lnmht601He6TscS80aZEib4Fc7re8ZByyOZQCK5YRYYSrnlTFCTQ2ucQjKM7ZjtWFj1u5_mG1PhIuuSF2JqxjUZaTmpgZlRGxopyCIKvM6_1Cc_3CGu4CXPC88SVjQmoFp7L6meI1_DmRxrLKq86zUkJhZiA1ycR_-PPrVzteWT7_ZhHH1Rcui0TPuXih2w5j8CTzqfB4UrnU8h3jmHIWnhUvqQyvjR-QielQMAhGRC8”
}
2017-06-09 13:11:50,664:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-cert:
{
“header”: {
“alg”: “RS256”,
“jwk”: {
“e”: “AQAB”,
“kty”: “RSA”,
“n”: “uG3ZXNxWE3lSTI6sxK8AcsO0-NKjlG9OQGwnSZ9Ye6Is-ex1u_Bu-gkmw8jORFpK19N7JydBA3I89xdfyZXKUOi_JwCcpeJSUmifg32cB75rIXg9OMTEYfOAw_Z7xkEaK7VoX9ieNytB1gEtbTVl-n4dUhzb25eVJEqaCsUlXDGTjGhbrtbsdP0Lg3wQTH1FLjTVw1guDk_xyCcne7Oi7RK-HSIJxI2RWwkKB0ReHJZ9wpUp-k2NzA6bldTRM0CDTsJ3zkxwZYbQo_LpV58bQESVi3GZ6lmtfmBL4z045AwbR6IxloQOGHL8kThnFiV2-6EVXldLyxznHJt3Y84NvQ”
}
},
“protected”: “eyJub25jZSI6ICJtUFVQYUVBNkM2djktR2xnTVdKbnpFenJfZjdCYjY4RHFPX3NtYVJsRk5JIn0”,
“payload”: “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”,
“signature”: “o8PkS0_ojC_rDY5Vl6hGy_PE6IF8-N6ZAF5lz1nWDeLpm0FA9JKS2z525N_icLZbRGlSLb4tij8fQLzvIpKVf3ShEkm2sF5PlBqP4CPn8F2-PZzXO9G25D0bVnuwRC03GXNBnyjUzQnmCv2D1olZiJ8mHssDLfFOozypqMI7bbm2RzHbhzkSnHAeoKqDShdGy63pslsps9VvcgAtWhkS5q5zOA2wHGH5WUzVFf1KVyLysiIFxj5aFD1h95mD5fcX5IjHZsqxDkLKnvtNAMg59JefwE_1bBzmM2iQJjaqym5sdeXqKoWuRJSTp5jQNldg9BbBl4LkOApfgLPU5Jh7Vg”
}
2017-06-09 13:11:50,927:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-cert HTTP/1.1” 429 180
2017-06-09 13:11:50,928:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Content-Type: application/problem+json
Content-Length: 180
Boulder-Request-Id: VNqzbE7YMi8UmjyHqGN-QQ4WCT1Zen4mwLarBAfeXyE
Boulder-Requester: 1552508
Replay-Nonce: oeo2FUzhB3hYlrasQtq3cfSXShs46ZhR82MQFRhheic
Expires: Fri, 09 Jun 2017 13:11:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 09 Jun 2017 13:11:50 GMT
Connection: close

{
“type”: “urn:acme:error:rateLimited”,
“detail”: “Error creating new cert :: too many certificates already issued for exact set of domains: clay.example.com”,
“status”: 429
}
2017-06-09 13:11:50,928:DEBUG:acme.client:Storing nonce: oeo2FUzhB3hYlrasQtq3cfSXShs46ZhR82MQFRhheic
2017-06-09 13:11:50,930:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File “/opt/certbot/venv/bin/certbot”, line 9, in <module>
load_entry_point(‘certbot’, ‘console_scripts’, ‘certbot’)()
File “/opt/certbot/src/certbot/main.py”, line 819, in main
return config.func(config, plugins)
File “/opt/certbot/src/certbot/main.py”, line 606, in obtain_cert
action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
File “/opt/certbot/src/certbot/main.py”, line 103, in _auth_from_available
renewal.renew_cert(config, le_client, lineage)
File “/opt/certbot/src/certbot/renewal.py”, line 240, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(lineage.names())
File “/opt/certbot/src/certbot/client.py”, line 273, in obtain_certificate
return (self.obtain_certificate_from_csr(domains, csr, authzr=authzr)
File “/opt/certbot/src/certbot/client.py”, line 244, in obtain_certificate_from_csr
authzr)
File “/opt/certbot/src/acme/acme/client.py”, line 314, in request_issuance
headers={‘Accept’: content_type})
File “/opt/certbot/src/acme/acme/client.py”, line 663, in post
return self._check_response(response, content_type=content_type)
File “/opt/certbot/src/acme/acme/client.py”, line 566, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: clay.example.com

@accessviolation, thanks for the log!

@erica, is it possible that --renew-with-new-domains is broken in this case? We have this user attempting to force-renew an existing cert by certname with (I believe) only clay.example.com as subject name, while specifying -d clay.example.com -d clay-dev.example.com for the renewal. However, Certbot appears to end up obtaining an authz only for the existing clay.example.com name, and then requesting a certificate only for that name, as though Certbot ignored the -d options and used the existing lineage as authoritative…

@accessviolation, you don’t have a cli.ini file, do you?

This was a bug that has since been fixed. You can solve this by updating to a newer version of Certbot, by following the instructions for Ubuntu on https://certbot.eff.org.

@erica, thanks for the update. I could create an image for this but was just wondering if there exists an image tag for quay.io/letsencrypt/letsencrypt with this bug fix?

I believe that draws from our GitHub tags. latest should currently be pointing to v0.15.0, but if you use v0.14.2 (if it hasn’t been updated yet), it will have this fix as well.

Bingo! Works as expected now. The issued cert contains the Subject alternative domains. Thanks for the support @schoen and @erica
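A check for the symptom diagnosed in this thread, added here as an example (it is not part of the original posts and not Certbot code): it compares the names passed with -d against the names Certbot actually put in the CSR, as recorded in the debug log, and reports any ACME error type. The sample log is constructed from the lines quoted above, and the function names are hypothetical.

```python
import re

# Straight quotes plus the curly quotes that forum software substitutes in pasted logs.
Q = "'\"\u2018\u2019\u201c\u201d"
QUOTED = re.compile(rf"u?[{Q}]([^{Q}]*)[{Q}]")

# Constructed sample modelled on the debug log in this thread (not the real log).
SAMPLE_LOG = """\
2017-06-09 13:11:40,101:DEBUG:certbot.main:Arguments: ['--standalone', '--renew-with-new-domains', '--cert-name', 'clay.example.com', '-d', 'clay.example.com,clay-dev.example.com']
2017-06-09 13:11:50,660:DEBUG:certbot.client:CSR: CSR(file='/etc/letsencrypt/csr/0332_csr-certbot.pem', data='0\\x82...', form='der'), domains: [u'clay.example.com']
2017-06-09 13:11:50,928:DEBUG:acme.client:Received response:
HTTP 429
{"type": "urn:acme:error:rateLimited", "detail": "too many certificates already issued for exact set of domains: clay.example.com", "status": 429}
"""

def requested_domains(text):
    """Names given on the command line, from the logged 'Arguments:' list."""
    m = re.search(r"Arguments:\s*\[(.*?)\]", text, re.S)
    args = QUOTED.findall(m.group(1)) if m else []
    names = []
    for flag, value in zip(args, args[1:]):
        # Handles repeated -d flags and a comma-separated value alike.
        if flag in ("-d", "--domain", "--domains"):
            names += [n.strip().lower() for n in value.split(",") if n.strip()]
    return names

def csr_domains(text):
    """Names Certbot logged next to the CSR it generated."""
    m = re.search(r"CSR\(.*?\),\s*domains:\s*\[(.*?)\]", text, re.S)
    return [n.lower() for n in QUOTED.findall(m.group(1))] if m else []

def acme_error(text):
    """Short ACME v1 error type (e.g. 'rateLimited'), or None."""
    m = re.search(r"urn:acme:error:(\w+)", text)
    return m.group(1) if m else None

def audit(text):
    want, got = requested_domains(text), csr_domains(text)
    return {
        "requested": want,
        "in_csr": got,
        "dropped": sorted(set(want) - set(got)),  # asked for but never requested
        "acme_error": acme_error(text),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `dropped` list together with `rateLimited` matches what the log above shows: the renewal reused the existing single-name lineage, so each retry counted against the limit for that exact set of names.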
