Certbot references old domain

I believe I screwed something up.

I had a VM (frankenlight.mrguilt.com) that was a mail host, as well as hosting a web server with a few virtual hosts (each with a CNAME record on DNS). I got a certificate, and all was well for a few years.

I got a second VM (delphi.mrguilt.com), and moved one of the virtual hosts, stash.mrguilt.com to it. I copied the files, set it up with a test name and certificate, and tested it. Once satisfied, I pointed the CNAME for stash to delphi, and thought I deleted the cert from frankenlight for stash, and enabled it on delphi. I disabled the virtual host for stash on frankenlight. Again, all was well.

A few days ago, I got a note that everything was up for renewal. No biggy. certbot renew.

It appears the one for frankenlight proper expired, and cannot be renewed. Big deal, as I can’t connect mail clients to it. I try running certbot renew, and it is still trying to validate with stash, and failing:

Processing /etc/letsencrypt/renewal/frankenlight.mrguilt.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stash.mrguilt.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (frankenlight.mrguilt.com) from /etc/letsencrypt/renewal/frankenlight.mrguilt.com.conf produced an unexpected error: Failed authorization procedure. stash.mrguilt.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://stash.mrguilt.com/.well-known/acme-challenge/zOxYfAtgH_7m3OC9qP3uwY_TWdbUUmjYGF7Ab87l4WU [193.122.150.108]: 404. Skipping.

Certificates for other virtual hosts associated with that server renewed just fine. I tried to force a renewal, and wound up with /etc/letsencrypt/live/frankenlight.mrguilt.com-0001, which, if I hit frankenlight.mrguilt.com shows a good cert, but doesn’t seem to impact mail.

How do I make it forget stash? Or am I better off just pointing everything to the frankenlight.mrguilt.com-0001 cert?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: frankenlight.mrguilt.com

I ran this command: certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/frankenlight.mrguilt.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stash.mrguilt.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (frankenlight.mrguilt.com) from /etc/letsencrypt/renewal/frankenlight.mrguilt.com.conf produced an unexpected error: Failed authorization procedure. stash.mrguilt.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://stash.mrguilt.com/.well-known/acme-challenge/zOxYfAtgH_7m3OC9qP3uwY_TWdbUUmjYGF7Ab87l4WU [193.122.150.108]: 404. Skipping.

My web server is (include version): apache

The operating system my web server runs on is (include version): Linux frankenlight 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I can sudo

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): b.a

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0


If it contains "everything", it could work.
Please show:
certbot certificates

This was a bad idea:

2 Likes

--allow-subset-of-names appears to have done the trick. Thank you SOOOO much!!!

Will I have to do that for each renewal going forward?

1 Like

Only when you remove names from the cert.
Again:

2 Likes

Sorry--misunderstood.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: frankenlight.mrguilt.com-0001
Domains: frankenlight.mrguilt.com
Expiry Date: 2022-07-07 03:34:08+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/frankenlight.mrguilt.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/frankenlight.mrguilt.com-0001/privkey.pem
Certificate Name: frankenlight.mrguilt.com
Domains: frankenlight.mrguilt.com nextcloud.mrguilt.com reference.mrguilt.com sherlock.mrguilt.com webmail.mrguilt.com
Expiry Date: 2022-07-07 11:29:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/frankenlight.mrguilt.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/frankenlight.mrguilt.com/privkey.pem
Certificate Name: nextcloud.mrguilt.com
Domains: frankenlight.mrguilt.com nextcloud.mrguilt.com reference.mrguilt.com sherlock.mrguilt.com webmail.mrguilt.com
Expiry Date: 2022-06-28 03:14:23+00:00 (VALID: 80 days)
Certificate Path: /etc/letsencrypt/live/nextcloud.mrguilt.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nextcloud.mrguilt.com/privkey.pem
Certificate Name: reference.mrguilt.com
Domains: reference.mrguilt.com
Expiry Date: 2022-06-20 23:23:15+00:00 (VALID: 73 days)
Certificate Path: /etc/letsencrypt/live/reference.mrguilt.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/reference.mrguilt.com/privkey.pem
Certificate Name: webmail.mrguilt.com
Domains: webmail.mrguilt.com
Expiry Date: 2022-06-21 21:43:36+00:00 (VALID: 74 days)
Certificate Path: /etc/letsencrypt/live/webmail.mrguilt.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/webmail.mrguilt.com/privkey.pem


frankenlight.mrguilt.com appears in more than one cert.
I'd delete the one with -0001

The nextcloud.mrguilt.com cert has the exact same set of names as frankenlight.mrguilt.com cert.
I'd delete one of them.

reference.mrguilt.com and webmail.mrguilt.com are also included in frankenlight.mrguilt.com cert.
So, I would also delete those.

Be sure that you change the use to the cert you intend on keeping (and it works) before deleting anything.

You can delete a cert with:
certbot delete --certname "name-of-cert"

2 Likes
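The overlap check in the reply above (same name in several lineages, one lineage's name set contained in another's) can be done mechanically from the `certbot certificates` listing. This is an added example, not code from the thread or from Certbot; it parses a constructed, abridged listing modelled on the one posted and reports what the reply points out by hand.

```python
"""Flag overlapping Certbot lineages from `certbot certificates` output.

Added example, not part of the thread or of Certbot. Feed it the text that
`certbot certificates` prints (here a constructed sample) and it reports
names covered by more than one lineage and lineages whose whole name set is
already covered by another lineage, i.e. candidates for `certbot delete`.
"""
import re
from collections import defaultdict

# Constructed sample, abridged from the listing posted in the thread.
SAMPLE = """\
Found the following certs:
  Certificate Name: frankenlight.mrguilt.com-0001
    Domains: frankenlight.mrguilt.com
    Expiry Date: 2022-07-07 03:34:08+00:00 (VALID: 89 days)
  Certificate Name: frankenlight.mrguilt.com
    Domains: frankenlight.mrguilt.com nextcloud.mrguilt.com webmail.mrguilt.com
    Expiry Date: 2022-07-07 11:29:04+00:00 (VALID: 89 days)
  Certificate Name: webmail.mrguilt.com
    Domains: webmail.mrguilt.com
    Expiry Date: 2022-06-21 21:43:36+00:00 (VALID: 74 days)
"""

def parse_certificates(text):
    """Return {lineage name: set of domains} from the listing text."""
    lineages, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = set()
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current:
            lineages[current] = set(m.group(1).split())
    return lineages

def shared_names(lineages):
    """Domains present in more than one lineage -> sorted lineage names."""
    owners = defaultdict(list)
    for name, domains in lineages.items():
        for d in domains:
            owners[d].append(name)
    return {d: sorted(o) for d, o in owners.items() if len(o) > 1}

def redundant_lineages(lineages):
    """Lineages whose domain set is contained in another lineage's set.

    Equal sets are a tie; the lexically greater name is reported so that only
    one of the pair is flagged (which one to keep is the admin's call)."""
    out = {}
    for a, da in lineages.items():
        for b, db in lineages.items():
            if a != b and da <= db and (da < db or a > b):
                out[a] = b
                break
    return out
```

Before deleting anything flagged here, confirm (as the reply says) that Apache and the mail server are configured to use the lineage being kept.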

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.