Certbot renew on a domain with no subdomain?

My domain is:
ethiopialearning.com

I ran this command:
sudo certbot renew --dry-run

It produced this output:

http-01 challenge for ethiopialearning.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (ethiopialearning.com) from /etc/letsencrypt/renewal/ethiopialearning.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.

My web server is (include version):
nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No (other than DNS)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.27.0

/etc/letsencrypt/renewal/ethiopialearning.com.conf:

# renew_before_expiry = 30 days
version = 0.27.0
archive_dir = /etc/letsencrypt/archive/ethiopialearning.com
cert = /etc/letsencrypt/live/ethiopialearning.com/cert.pem
privkey = /etc/letsencrypt/live/ethiopialearning.com/privkey.pem
chain = /etc/letsencrypt/live/ethiopialearning.com/chain.pem
fullchain = /etc/letsencrypt/live/ethiopialearning.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 123412341234
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

The www subdomain renews fine, the naked subdomain is initialized (manually), but I can’t get the naked subdomain to renew automatically.

My nginx conf:

server {
    server_name    ethiopialearning.com;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ethiopialearning.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ethiopialearning.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /home/ubuntu/el/src;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }

}
server {
    listen         80;
    listen         443;
    server_name    15.236.61.21  www.ethiopialearning.com  *.amazonaws.com;
    return         301 https://ethiopialearning.com$request_uri;
}
server {
    server_name    ethiopialearning.com;
    listen         80;
    return         301 https://ethiopialearning.com$request_uri;
}

If anything, I would have thought the www subdomain would struggle due to the 301 redirect.

I’m guessing that your naked domain’s certificate also has a wildcard name (*.ethiopialearning.com) on it?

Could you please confirm by showing the contents of:

sudo certbot certificates

Wildcards can’t be issued or renewed using only HTTP validation. You should reconsider your use of a wildcard for this situation, if possible.

You are right. I started with a manual wildcard certificate, but when I realized the DNS couldn’t be automated, I reissued myself a non-wildcard one (just naked and www), but I guess that didn’t update this list?

The output:

Found the following certs:
  Certificate Name: ethiopialearning.com
    Domains: *.ethiopialearning.com ethiopialearning.com
    Expiry Date: 2020-07-01 14:19:04+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ethiopialearning.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ethiopialearning.com/privkey.pem
  Certificate Name: www.ethiopialearning.com
    Domains: www.ethiopialearning.com ethiopialearning.com
    Expiry Date: 2020-07-01 14:36:13+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.ethiopialearning.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.ethiopialearning.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

How can I remove the wildcard? I just want naked and www.

Huge thanks

Well, here’s the thing. Your other certificate already covers the naked name. Why have two certificates?

Could you change your nginx config to refer to /etc/letsencrypt/live/www.ethiopialearning.com/{fullchain.pem,privkey.pem} for both your naked domain’s vhost and your subdomain vhost?

If so, you could (afterwards) just delete the redundant naked+wildcard certificate:

certbot delete --cert-name ethiopialearning.com
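The two things that went wrong in this thread (a lineage containing a wildcard name but renewing with an HTTP-01 plugin, and two lineages covering the same hostname) can both be spotted before `certbot renew` runs. The script below is an added example for this thread, not Certbot's own code and not posted by anyone above. It parses the `certbot certificates` output shown in the thread and the matching renewal confs; the conf for the `www.ethiopialearning.com` lineage is not shown in the thread, so it is assumed to also use `authenticator = nginx`. It also assumes that a manual DNS setup is recorded in the renewal conf with the `pref_challs` and `manual_auth_hook` keys.

```python
"""Pre-flight check for `certbot renew`: flag lineages whose authenticator
cannot satisfy their names (wildcard + HTTP-01 plugin) and hostnames that
are covered by more than one lineage (a redundant certificate).
Added example for this thread; not part of Certbot."""

import configparser
import re

# Constructed: the `sudo certbot certificates` output posted in the thread.
CERTBOT_CERTIFICATES_OUTPUT = """\
Found the following certs:
  Certificate Name: ethiopialearning.com
    Domains: *.ethiopialearning.com ethiopialearning.com
    Expiry Date: 2020-07-01 14:19:04+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ethiopialearning.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ethiopialearning.com/privkey.pem
  Certificate Name: www.ethiopialearning.com
    Domains: www.ethiopialearning.com ethiopialearning.com
    Expiry Date: 2020-07-01 14:36:13+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.ethiopialearning.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.ethiopialearning.com/privkey.pem
"""

# Constructed: /etc/letsencrypt/renewal/<lineage>.conf per lineage. The first
# is the file shown in the thread; the second is assumed (not shown there).
RENEWAL_CONFS = {
    "ethiopialearning.com": """\
# renew_before_expiry = 30 days
version = 0.27.0
archive_dir = /etc/letsencrypt/archive/ethiopialearning.com
cert = /etc/letsencrypt/live/ethiopialearning.com/cert.pem

# Options used in the renewal process
[renewalparams]
account = 123412341234
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
""",
    "www.ethiopialearning.com": """\
version = 0.27.0
[renewalparams]
account = 123412341234
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
""",
}


def parse_certificates(output):
    """Map lineage name -> list of names it covers, from `certbot certificates`."""
    lineages, current = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = []
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current:
            lineages[current] = m.group(1).split()
    return lineages


def parse_renewal_conf(text):
    """Return the [renewalparams] section as a dict. Keys above the first
    section header have no section, which configparser rejects, so a dummy
    header is prepended."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[top]\n" + text)
    return dict(cp["renewalparams"]) if cp.has_section("renewalparams") else {}


def can_do_dns01(params):
    """True if the authenticator can answer DNS-01 unattended: a dns-* plugin,
    or 'manual' with a DNS preference and an auth hook (assumed key names)."""
    auth = params.get("authenticator", "")
    if auth.startswith("dns-"):
        return True
    if auth == "manual":
        return "dns-01" in params.get("pref_challs", "") and "manual_auth_hook" in params
    return False


def find_renewal_risks(cert_output, renewal_confs):
    """Return (subject, problem) tuples for wildcard/authenticator mismatches
    and for hostnames covered by more than one lineage."""
    problems, coverage = [], {}
    for lineage, names in parse_certificates(cert_output).items():
        params = parse_renewal_conf(renewal_confs.get(lineage, ""))
        wildcards = [n for n in names if n.startswith("*.")]
        if wildcards and not can_do_dns01(params):
            problems.append((lineage, f"wildcard {wildcards} needs DNS-01 but authenticator "
                             f"'{params.get('authenticator', '?')}' is HTTP-01 only; renew will fail"))
        for n in names:
            coverage.setdefault(n, []).append(lineage)
    for name, owners in coverage.items():
        if len(owners) > 1:
            problems.append((name, f"covered by {len(owners)} lineages {owners}; one is redundant"))
    return problems


if __name__ == "__main__":
    for subject, problem in find_renewal_risks(CERTBOT_CERTIFICATES_OUTPUT, RENEWAL_CONFS):
        print(f"{subject}: {problem}")
```

On a real host, replace the two constructed inputs with the output of `sudo certbot certificates` and the files under `/etc/letsencrypt/renewal/`. The first finding is exactly the error the original poster hit; the second is what the accepted answer acts on by pointing nginx at the `www.ethiopialearning.com` lineage and deleting the other one.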

That works, THANK YOU!!

Got myself really tied in knots today!!

