I recently let one of my old domains, learn-to-fly.info, expire. My domains include: cfr.pub, *.ivo-welch.info, learn-to-fly.info. So now certbot does not want to "renew", with messages like
Renewing an existing certificate for cfr.pub and 23 more domains
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: learn-to-fly.info
Type: dns
Detail: DNS problem: SERVFAIL looking up A for learn-to-fly.info - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for learn-to-fly.info - the domain's nameservers may be malfunctioning
which is of course expected. It also prevents renewal of all the other domains. So, I ran
certbot delete
which tells me only cfr.pub of the first of about 20-25 domains. All the other ones that appear when I just type certbot do not show up. I probably just hosed everything with bad tinkering.
At this point, I am thinking that the smart thing would be to scratch whatever I have, and just start over. Is there a list of recommended steps? I presume apt remove certbot would be a terrible idea, because there are still fragments in /etc/certbot, entries in the nginx config directory, etc. It would probably hose the hosed setup even further.
It won't fix whatever damage has been done to the web server configuration.
It will likely make no difference at all.
apt remove certbot
apt install certbot
And you will be exactly where you are now.
You could add this to the renew command for the cert name in question. The risk here is that some other active domain name fails for a transient reason and gets removed from the cert.
That said, this can do what you want
--allow-subset-of-names
When performing domain validation, do not consider it a failure if authorizations can not be obtained for a strict subset of the requested domains. This may be useful for allowing renewals for multiple domains to succeed even if some domains no longer point at this system. This option cannot be used with --csr. (default: False)
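An added example, not written by any poster in this thread: a way to avoid the transient-failure risk described above by naming the surviving domains explicitly instead of relying on --allow-subset-of-names. It parses `certbot certificates` output, drops the lapsed name, and prints (does not run) a dry-run reissue command. The sample output is constructed, the certificate name cfr.pub is an assumption, and names other than cfr.pub and learn-to-fly.info are made up.

```shell
#!/usr/bin/env bash
# Added example: rebuild the name list for one certificate without the lapsed
# domain, then print (not run) a certbot dry-run command for review.

# Constructed stand-in for `certbot certificates` output. Only cfr.pub and
# learn-to-fly.info come from the thread; the other names are made up.
sample_certificates() {
  cat <<'EOF'
Found the following certs:
  Certificate Name: cfr.pub
    Domains: cfr.pub www.cfr.pub learn-to-fly.info blog.example.org
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 20 days)
  Certificate Name: other.example
    Domains: other.example learn-to-fly.info
EOF
}

# Print the names on certificate $1, one per line, reading the listing on stdin.
cert_domains() {
  awk -v name="$1" '
    $1 == "Certificate" && $2 == "Name:" { hit = ($3 == name) }
    hit && $1 == "Domains:" { for (i = 2; i <= NF; i++) print $i }'
}

# Remove every name given as an argument from the list on stdin (exact match,
# so dropping learn-to-fly.info never touches a name that merely contains it).
drop_names() {
  awk -v drop="$*" '
    BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) gone[d[i]] = 1 }
    !($0 in gone)'
}

# Build the reissue command for certificate $1 from the names on stdin.
# Refuses to build a command when no names are left.
reissue_command() {
  names=$(paste -sd, -)
  [ -n "$names" ] || { echo "no names left for $1" >&2; return 1; }
  printf 'certbot certonly --dry-run --nginx --cert-name %s -d %s\n' "$1" "$names"
}

# On a real host, replace sample_certificates with: certbot certificates
sample_certificates | cert_domains cfr.pub | drop_names learn-to-fly.info \
  | reissue_command cfr.pub
```

Review the printed name list against the full set you expect before running the command, and remove --dry-run only once the dry run succeeds.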