Certificate renewal issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: laradenaro.com & www.laradenaro.com

I ran this command: sudo certbot certonly --webroot -w /var/www/html -d laradenaro.com --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for laradenaro.com
Performing the following challenges:
http-01 challenge for laradenaro.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain laradenaro.com
http-01 challenge for laradenaro.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: laradenaro.com
    Type: unauthorized
    Detail: 2001:4860:4802:36::15: Invalid response from
    https://www.laradenaro.com: "<html
    lang="en-gb"><meta charset="utf-8"><meta
    http-equiv="X-UA-Compatible" content="IE=edge"><meta name="v"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx 1.18.0-6.1

The operating system my web server runs on is (include version): Raspbian 11 32 bit

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

I'm not quite certain whether I have a problem here or not! When I initially set up the server I got two certificates: laradenaro.com and www.laradenaro.com. On attempting to renew, laradenaro.com fails but www.laradenaro.com succeeds. The output of "certbot certificates" now gives me:

Found the following certs:
Certificate Name: laradenaro.com
Serial Number: 3760162092d15ddb336723c08259ef02d75
Key Type: RSA
Domains: laradenaro.com www.laradenaro.com
Expiry Date: 2022-06-20 10:00:40+00:00 (VALID: 3 days)
Certificate Path: /etc/letsencrypt/live/laradenaro.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/laradenaro.com/privkey.pem
Certificate Name: www.laradenaro.com
Serial Number: 3cf64476a8d5da34466034c6f62d63edfa3
Key Type: RSA
Domains: www.laradenaro.com
Expiry Date: 2022-09-14 10:55:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.laradenaro.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.laradenaro.com/privkey.pem

I wonder if it is something to do with a redirect from laradenaro.com to www.laradenaro.com? The question is: am I likely to have a problem in 3 days' time or will the single new certificate suffice? Any advice much appreciated :slight_smile:

Hi @ken30, and welcome to the LE community forum :slight_smile:

Yes, I think it is.

Name:      laradenaro.com
Addresses: 2001:4860:4802:34::15
           2001:4860:4802:36::15
           2001:4860:4802:38::15
           2001:4860:4802:32::15
           216.239.34.21
           216.239.36.21
           216.239.38.21
           216.239.32.21
Name:    www.laradenaro.com
Address: 81.131.95.46

Try:
sudo certbot renew
OR
sudo certbot certonly --webroot -w /var/www/html -d www.laradenaro.com

If either succeeds, show:
certbot certificates

1 Like
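
The comparison behind the lookup results above, written out as an added example (not code from the forum posts or from Certbot): for each certificate, list the names whose DNS records point somewhere other than the web server, since an http-01 check for those names can land on another host. The sample data is copied from the outputs quoted in the thread; `SERVER_ADDRS` is an assumption that the address `www` resolves to is the nginx host.

```python
import ipaddress

# Constructed sample input, copied from the outputs quoted in the thread.
CERTBOT_OUTPUT = """\
Certificate Name: laradenaro.com
Domains: laradenaro.com www.laradenaro.com
Certificate Name: www.laradenaro.com
Domains: www.laradenaro.com
"""
DNS_ANSWERS = {
    "laradenaro.com": ["2001:4860:4802:34::15", "2001:4860:4802:36::15",
                       "2001:4860:4802:38::15", "2001:4860:4802:32::15",
                       "216.239.34.21", "216.239.36.21",
                       "216.239.38.21", "216.239.32.21"],
    "www.laradenaro.com": ["81.131.95.46"],
}
# Assumption: the address www resolves to is the nginx host serving /var/www/html.
SERVER_ADDRS = ["81.131.95.46"]

def parse_certs(text):
    """Return {certificate name: [domains]} from `certbot certificates` output."""
    certs, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Certificate Name":
            current = value.strip()
            certs[current] = []
        elif key == "Domains" and current is not None:
            certs[current] = value.split()
    return certs

def canon(addrs):
    """Normalise address strings so equal IPv4/IPv6 addresses compare equal."""
    return {str(ipaddress.ip_address(a)) for a in addrs}

def stray_addresses(name, answers, server_addrs):
    """Addresses `name` resolves to that are not this server (sorted strings)."""
    return sorted(canon(answers.get(name, [])) - canon(server_addrs))

def blocked_names(certs, answers, server_addrs):
    """Per certificate, the names whose http-01 check can land on another host.
    Conservative: every A/AAAA record must point at this server, and a name
    with no records at all is also reported."""
    return {cert: [n for n in names
                   if not answers.get(n) or stray_addresses(n, answers, server_addrs)]
            for cert, names in certs.items()}

if __name__ == "__main__":
    report = blocked_names(parse_certs(CERTBOT_OUTPUT), DNS_ANSWERS, SERVER_ADDRS)
    for cert, bad in report.items():
        print(cert, "renewable via webroot" if not bad else f"blocked by {bad}")
```

A certificate renews only if every name on it validates, so one blocked name is enough to stop the two-name certificate.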

Many thanks for the rapid reply.

certbot renew fails for laradenaro.com but shows www.laradenaro.com as previously renewed.

certbot certonly (as a dry-run) similarly fails for laradenaro.com but is successful for www.laradenaro.com.

The output of certbot certificates is:
Found the following certs:
Certificate Name: laradenaro.com
Serial Number: 3760162092d15ddb336723c08259ef02d75
Key Type: RSA
Domains: laradenaro.com www.laradenaro.com
Expiry Date: 2022-06-20 10:00:40+00:00 (VALID: 3 days)
Certificate Path: /etc/letsencrypt/live/laradenaro.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/laradenaro.com/privkey.pem
Certificate Name: www.laradenaro.com
Serial Number: 3cf64476a8d5da34466034c6f62d63edfa3
Key Type: RSA
Domains: www.laradenaro.com
Expiry Date: 2022-09-14 10:55:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.laradenaro.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.laradenaro.com/privkey.pem

1 Like

OK.
You have a choice:

  • use the second cert for the "www" name only
    [and delete the first cert]

  • undo the redirection at the domain registrar
    then renew the first cert and use both names
    [and you do the redirection yourself within the server and delete the second cert]

2 Likes

Thanks for the advice - I'll do the latter.

2 Likes

To delete the second cert use:
certbot delete --cert-name www.laradenaro.com

3 Likes