Certificate is not valid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
/snap/bin/certbot renew --allow-subset-of-names

It produced this output:
Processing /etc/letsencrypt/renewal/scineuromodulation.com.conf

Certificate not yet due for renewal

My web server is (include version):
Ubuntu 20.04 nginx

The operating system my web server runs on is (include version):
nginx/1.18.0 (Ubuntu)

My hosting provider, if applicable, is:
google cloud

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.7.0

www and the base domain are different things; get a new certificate with both the www version and the one without www


There is both www and bare domain in the config. That site has been using certbot for several years, with no issues. Until now. I got an email from 'Let's Encrypt Expiry Bot'. The cert was renewed on Sept 20.

When I connect to https://www.sci~~~~.com, the server's certificate is just for scineuromodulation.com and doesn't cover www.scineuromodulation.com. Your last certificate from 2023/8/1 did cover both, but the newest certificate on 2023/9/30 doesn't.


How to fix?

" /etc/letsencrypt/live/scineuromodulation.com/fullchain.pem expires on 2023-12-29 (skipped)"

create a new certificate
certbot --nginx -d name1 -d name2


I get this when I run that:

(U)pdate key type/(K)eep existing key type:

I don't know what it wants?

An RSA certificate named scineuromodulation.com already exists. Do you want to
update its key type to ECDSA?

If I answer yes, it just keeps saying the same thing:

(U)pdate key type/(K)eep existing key type: ECDSA
(U)pdate key type/(K)eep existing key type: yes
(U)pdate key type/(K)eep existing key type: YES
(U)pdate key type/(K)eep existing key type: y
(U)pdate key type/(K)eep existing key type:

It doesn't matter much; toss a coin or keep it.


How so? What is the right answer? I don't care about ECDSA.

Please show the output of the command:

sudo certbot certificates

Sounds like you have multiple certificates and your webserver is using the incorrect one.


Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: assentushealth.com
Serial Number: 4880b622e5a6d483c7ce8f4d7e3b816a563
Key Type: RSA
Domains: assentushealth.com www.assentushealth.com
Expiry Date: 2023-12-02 06:11:44+00:00 (VALID: 52 days)
Certificate Path: /etc/letsencrypt/live/assentushealth.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/assentushealth.com/privkey.pem
Certificate Name: lakejericho.com
Serial Number: 4b4eecaa3b6fabeadb48e5509c60f043bdd
Key Type: RSA
Domains: lakejericho.com www.lakejericho.com
Expiry Date: 2023-12-10 05:06:15+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/lakejericho.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lakejericho.com/privkey.pem
Certificate Name: lorialdrycleaners.com
Serial Number: 4af887c26f95d078397f9081e1140236f82
Key Type: RSA
Domains: www.lorialdrycleaners.com
Expiry Date: 2023-11-23 10:38:05+00:00 (VALID: 43 days)
Certificate Path: /etc/letsencrypt/live/lorialdrycleaners.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lorialdrycleaners.com/privkey.pem
Certificate Name: recoverytapers.org
Serial Number: 352ab47b1144d9dd53ecddba0a95c902443
Key Type: RSA
Domains: recoverytapers.org www.recoverytapers.org
Expiry Date: 2023-12-16 05:01:47+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/recoverytapers.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/recoverytapers.org/privkey.pem
Certificate Name: scineuromodulation.com
Serial Number: 332f07cad539194ec943842671d3d370437
Key Type: RSA
Domains: scineuromodulation.com
Expiry Date: 2023-12-29 05:04:13+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/scineuromodulation.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/scineuromodulation.com/privkey.pem

So it looks like you don't have a certificate valid for scineuromodulation.com currently any longer. You used to have that tho, see crt.sh | scineuromodulation.com. For some reason the www part got removed. Using --allow-subset-of-names might have caused that.

I agree with @orangepizza that getting a new certificate with both hostnames is the way to go now. Answering "yes" or "no" to a "do you want oranges or apples?" is not the correct answer by the way. Certbot was asking you to update, by answering with a "U" or to keep the current key type by answering with a "K". Not yes/no.


That did it! Thx!



In this case, I think @Osiris was saying that you might have created this discrepancy by using --allow-subset-of-names in the past, and not suggesting that you use it now in order to fix the discrepancy.
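The mismatch diagnosed in this thread (a renewed certificate that no longer lists every name the web server answers for) can be caught mechanically. The following is an added example, not part of any post and not Certbot's own code: it parses `certbot certificates` output and reports server names that the referenced certificate does not cover. The `VHOSTS` mapping is an assumption, since the thread does not show the nginx configuration.

```python
# Excerpt of the `certbot certificates` output posted in this thread, trimmed to
# two lineages and the fields used here; indentation added as certbot prints it.
SAMPLE = """\
Found the following certs:
  Certificate Name: lakejericho.com
    Domains: lakejericho.com www.lakejericho.com
    Certificate Path: /etc/letsencrypt/live/lakejericho.com/fullchain.pem
  Certificate Name: scineuromodulation.com
    Domains: scineuromodulation.com
    Certificate Path: /etc/letsencrypt/live/scineuromodulation.com/fullchain.pem
"""

# Assumed nginx server blocks (ssl_certificate path -> server_name list);
# hypothetical values, the thread does not include the nginx config.
VHOSTS = {
    "/etc/letsencrypt/live/lakejericho.com/fullchain.pem":
        ["lakejericho.com", "www.lakejericho.com"],
    "/etc/letsencrypt/live/scineuromodulation.com/fullchain.pem":
        ["scineuromodulation.com", "www.scineuromodulation.com"],
}

def parse_lineages(text):
    """Map each 'Certificate Path' to the set of names on its 'Domains:' line."""
    lineages, domains = {}, set()
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Domains":
            domains = set(value.split())
        elif key == "Certificate Path":
            lineages[value] = domains
    return lineages

def covers(cert_name, host):
    """Exact match, or a '*.' wildcard covering exactly one extra left label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host

def audit(text, vhosts):
    """Return {cert path: [server names the certificate does not cover]}."""
    lineages = parse_lineages(text)
    return {path: [h for h in names
                   if not any(covers(d, h) for d in lineages.get(path, set()))]
            for path, names in vhosts.items()}

if __name__ == "__main__":
    for path, missing in audit(SAMPLE, VHOSTS).items():
        print(path, "OK" if not missing else "missing: " + " ".join(missing))
```

Running a check like this after each renewal flags a name dropped by `--allow-subset-of-names` before browsers start rejecting the site.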

