Certificate mismatch after renewal using webroot


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: smartvibes.be and partneralacarte.be

I ran this command:
certbot certonly --force-renew -d smartvibes.be -d www.smartvibes.be -d partneralacarte.be -d www.partneralacarte.be

It produced this output:

[root@server live]# certbot certonly --force-renew -d smartvibes.be -d www.smartvibes.be -d partneralacarte.be -d www.partneralacarte.be
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for smartvibes.be
http-01 challenge for www.smartvibes.be
http-01 challenge for partneralacarte.be
http-01 challenge for www.partneralacarte.be

Select the webroot for smartvibes.be:

1: Enter a new webroot

Press 1 [enter] to confirm the selection (press ‘c’ to cancel): /var/www/html/smartvibes.be/

** Invalid input **
Press 1 [enter] to confirm the selection (press ‘c’ to cancel): 1
Input the webroot for smartvibes.be: (Enter ‘c’ to cancel): /var/www/html/smartvibes.be/

Select the webroot for www.smartvibes.be:

1: Enter a new webroot
2: /var/www/html/smartvibes.be

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2

Select the webroot for partneralacarte.be:

1: Enter a new webroot
2: /var/www/html/smartvibes.be

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2

Select the webroot for www.partneralacarte.be:

1: Enter a new webroot
2: /var/www/html/smartvibes.be

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/partneralacarte.be/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/partneralacarte.be/privkey.pem
    Your cert will expire on 2018-09-01. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

My web server is (include version): apache

The operating system my web server runs on is (include version): centos

My hosting provider, if applicable, is: Nucleus

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

So, the certification renewal on smartvibes.be now works just fine.

At partneralacarte.be I get a mismatch error. It says the certificate is assigned to smartvibes.be

Don’t know what to do.
I tried to create a new certificate for partneralacarte but then I receive a certification-week-limit error.
Of course I’d prefer fixing this instead of creating a new certificate.


#2

You’re using the certonly option. That means certbot will only get you the certificate. After you’ve got the certificate, you need to install it in your webserver manually. That also means that if you already installed the certificate, you need to reload it afterwards (which certbot could do if you told it to through one of the hooks).

I’m not sure what you’ve done after the above command (i.e., which certificates you issued afterwards), but you should check the Subject Alternative Names of /etc/letsencrypt/live/partneralacarte.be/fullchain.pem to see if it contains all four FQDNs you require:

openssl x509 -noout -text </etc/letsencrypt/live/partneralacarte.be/fullchain.pem | grep -A4 "Subject Alternative Name"

If it does contain all the relevant FQDNs, you should check your webserver configuration if the virtual hosts point to the right file (i.e., /etc/letsencrypt/live/partneralacarte.be/fullchain.pem).
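
The SAN check suggested in #2, turned into a script that reports exactly which required names a certificate lacks. This is an added example, not part of the original thread; the script name `check_sans.sh`, the function names and the `example.com`/`example.org` names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list the required hostnames that a
# certificate's Subject Alternative Name extension does not cover.

# Print the DNS SANs of the first certificate in a PEM file, one per line.
# In a certbot fullchain.pem the first certificate is the leaf.
cert_sans() {
    openssl x509 -noout -text -in "$1" 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
}

# Usage: missing_sans CERT NAME...
# Prints each NAME that has no exact SAN and no single-label wildcard SAN;
# returns 1 if any name is missing, 0 otherwise.
missing_sans() {
    local sans name rc=0
    sans=$(cert_sans "$1")
    shift
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qixF -e "$name" -e "*.${name#*.}"; then
            echo "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed fixture: throwaway self-signed certificate with the given SANs
# (-addext needs OpenSSL 1.1.1 or later).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo' \
        -addext "subjectAltName=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Constructed demo: the certificate covers only two of the four names checked.
demo() {
    local dir rc=0
    dir=$(mktemp -d) || return 2
    make_cert "$dir/cert.pem" 'DNS:example.com,DNS:www.example.com' || return 2
    missing_sans "$dir/cert.pem" example.com www.example.com \
        example.org www.example.org || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Real use: ./check_sans.sh /path/to/fullchain.pem name1 name2 ...
if [ "$#" -ge 2 ]; then missing_sans "$@"; fi
```

An empty result with exit status 0 means the file on disk covers every name, so a mismatch seen in the browser points at the virtual host configuration or a web server that has not been reloaded.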


#3

Thanks Osiris, I ran it without the certonly option and it works great now. Thanks for the help

