Certificate Renewal

Please fill in all the fields below so that we can help you. Note: you must state your domain name to receive help. The domain names of issued certificates are published in the Certificate Transparency logs (for example, crt.sh | example.com). So, not stating your domain name does not keep it secret, but it does make helping you harder.

I can read responses in English: yes

My domain is: aguiapiscinas.ind.br

I ran this command: Certbot renew, certbot -cert-name xxxxxx --force-renewal

It produced this output: screenshots

My web server is (include version): certbot 0.26.1

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is: OceanDigital

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have an error when I renew my certificate, it does not allow connection for renewal, my file and the error output follow.

1 Like

Hi @danielicaro and welcome to the LE community forum :slight_smile:

First, let me apologize for my use of English.

Please don't use --force-renewal; it really doesn't force things to work.
Things should just work; And we are here to help you with doing that.

I see "connection refused" error.
You must have a "working" HTTP server before you can secure it (via HTTP validation).
LE validations can come from anywhere/everywhere on the Internet.
Make sure you aren't doing Geolocation blocking on inbound HTTP connections.
Also, it would be beneficial to handle the HTTP request in HTTP (and not redirect them to HTTPS):

curl -Ii http://aguiapiscinas.ind.br/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://aguiapiscinas.ind.br/.well-known/acme-challenge/Test_File-1234
2 Likes

Sorry, I didn't understand the commands you gave.

1 Like

Which "commands" are you referring to?

  1. You must have a "working" HTTP server before you can secure it (via HTTP validation).
  2. Make sure you aren't doing Geolocation blocking on inbound HTTP connections.
  3. it would be beneficial to handle the HTTP request in HTTP (and not redirect them to HTTPS)
  4. curl -Ii http://aguiapiscinas.ind.br/.well-known/acme-challenge/Test_File-1234

Note: #4 was just for "show" (not something you should do)
[It showed how the HTTP request is being redirected to HTTPS]

2 Likes

A question: where can I update the data from the API? I see my hostname is out of date.

I don't understand your question.

1 Like

{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://xxxxxxxxxxxxxx/.well-known/acme-challenge/GbRu6nCGBylCyuSmFQ3qjQ9m6smvtLbpMQaDRqEYl6s: Connection refused",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/xxxxxxxxxxxx",
"token": "Gxvcvcxvxcvcx",
"validationRecord": [
{
"url": "http://xxxxxxxxxxxxxxxx/.well-known/acme-challenge/Gl6s",
"hostname": "xxxxxxxxx.com", -> exchange this information
"port": "80",
"addressesResolved": [
"xxx"
],
"addressUsed": "xxxx"
}
],
"validated": ""
}

I need to change this information, where can I get it?

The hostname is taken from your own certbot request.
If you say:
certbot ... -d EXAMPLE.COM
LE will try to validate to:
http://EXAMPLE.COM/.well-known/acme-challenge/...

2 Likes
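An added example, not part of the thread and not certbot's own code, that applies the point in the reply above: the hostname in the validationRecord is whatever was passed with -d, and the validator fetches http://<that name>/.well-known/acme-challenge/<token>. The script parses a challenge object like the one posted (the embedded JSON is constructed, with example.com, a documentation-range IP and placeholder tokens standing in for the redacted values), reports which name and address the validator actually tried, maps the ACME error type to a hint, and checks that the name in the record is one of the names on the certbot command line. The flag parsing is a simplified reading of certbot's -d / --domains options, not certbot's parser.

```python
import json

# Hints keyed by ACME error type (the URNs defined in RFC 8555, section 6.7).
# The wording of the hints is this example's own.
ACME_ERROR_HINTS = {
    "urn:ietf:params:acme:error:connection":
        "TCP connect to the resolved address failed: no listener on that port, "
        "or a firewall / geo-block is dropping the validator's connection.",
    "urn:ietf:params:acme:error:dns":
        "The name did not resolve; check the DNS records for the -d name.",
    "urn:ietf:params:acme:error:unauthorized":
        "The challenge URL was reached but the body did not match the key authorization.",
    "urn:ietf:params:acme:error:tls":
        "TLS handshake with the server failed.",
}


def names_from_certbot_args(argv):
    """Return the identifiers a certbot command line asks for.

    Simplified reading of certbot's -d / --domain / --domains flags: each
    occurrence may hold a comma-separated list and the flag may be repeated.
    """
    names = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-d", "--domain", "--domains"):
            if i + 1 >= len(argv):
                raise ValueError(f"{arg} requires a value")
            value, i = argv[i + 1], i + 2
        elif arg.startswith(("--domain=", "--domains=")):
            value, i = arg.split("=", 1)[1], i + 1
        else:
            i += 1
            continue
        names.extend(n.strip().lower() for n in value.split(",") if n.strip())
    return names


def expected_validation_urls(names, token):
    """Where the HTTP-01 validator will fetch the challenge for each name."""
    return [f"http://{name}/.well-known/acme-challenge/{token}" for name in names]


def diagnose_http01(challenge, requested_names=()):
    """Summarize a failed http-01 challenge object as certbot prints it."""
    if challenge.get("type") != "http-01":
        raise ValueError("not an http-01 challenge")
    error = challenge.get("error") or {}
    records = challenge.get("validationRecord") or []
    record = records[-1] if records else {}
    report = {
        "status": challenge.get("status"),
        "error_type": error.get("type"),
        "detail": error.get("detail"),
        "hostname": record.get("hostname"),
        "port": record.get("port"),
        "address_used": record.get("addressUsed"),
        "hint": ACME_ERROR_HINTS.get(error.get("type"), "See the 'detail' field."),
    }
    # The validator only ever tries names taken from the request; a hostname
    # that is not in the -d list means the request (not the server) is wrong.
    if requested_names:
        report["hostname_in_request"] = (report["hostname"] or "").lower() in requested_names
    return report


# Constructed challenge object modelled on the one quoted in the thread;
# example.com, 192.0.2.10 and the PLACEHOLDER tokens are not real values.
SAMPLE_CHALLENGE = json.loads("""
{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://example.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/PLACEHOLDER",
  "token": "TOKEN_PLACEHOLDER",
  "validationRecord": [
    {
      "url": "http://example.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER",
      "hostname": "example.com",
      "port": "80",
      "addressesResolved": ["192.0.2.10"],
      "addressUsed": "192.0.2.10"
    }
  ],
  "validated": ""
}
""")

if __name__ == "__main__":
    argv = ["certbot", "certonly", "-d", "example.com,www.example.com"]
    names = names_from_certbot_args(argv)
    for url in expected_validation_urls(names, SAMPLE_CHALLENGE["token"]):
        print("validator will fetch:", url)
    for key, value in diagnose_http01(SAMPLE_CHALLENGE, names).items():
        print(f"{key}: {value}")
```

A "connection" error with the right hostname and the expected address points at the server side (no listener on port 80 at that address, or a firewall in the way); a hostname that is not in the request points at the renewal configuration instead, which is what `certbot certificates` will show.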

One question: how do I make a domain use the certificate of another?

For example:

www.teste.inf.br, www.testebr.com.br

The .com.br uses the certificate of inf.br.

You must get a certificate that has the name of the site being reached.
If anyone will be reaching the same site via multiple names, then you will need all those names on the cert.

1 Like

So I have to have a certificate for each name? I can't have 1 certificate with multiple names, is that it?

SNI can handle multiple names being served from a single IP.
The TLS constraint is that whatever names are in the vhost config must all be served by its cert.
[the name(s) being served by the vhost config must be a subset of the list of names (SAN) in that cert]
So that once the name is matched to a vhost, that vhost must have a cert that covers that name.
If you make one vhost config for each name, then you can have one cert for each name.
It's not possible to make vhost configs that use multiple certs (with different names).
[so it's not possible to make one vhost that covers ten names and then try to fit ten certs into that vhost]
It is possible to make one cert that has all the names; And that same cert can be used by all the vhosts.

2 Likes
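An added example, not from the thread: the rule in the reply above, that every name a vhost answers to must be in the SAN list of the cert that vhost presents, written out as a check you can run against your own vhost and certificate inventory. Wildcard SANs are matched the way TLS clients apply RFC 6125 (one label, leftmost position only). The vhost and SAN data at the bottom are constructed, using the two names from the question, and the "all" cert is an assumed combined certificate.

```python
def san_matches(san, hostname):
    """Does one SAN dNSName cover hostname?

    Exact match is case-insensitive; a wildcard is honoured only as the whole
    leftmost label (*.example.com covers www.example.com, but neither
    example.com nor a.b.example.com), which is how TLS clients apply RFC 6125.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[1:]                    # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return False


def uncovered_names(server_names, sans):
    """Names the vhost serves that no SAN in the cert covers."""
    return [n for n in server_names if not any(san_matches(s, n) for s in sans)]


def check_vhosts(vhosts, certs):
    """vhosts: {vhost_id: {"server_names": [...], "cert": cert_id}}
    certs:  {cert_id: [san, ...]}
    Returns {vhost_id: [uncovered names]} for every vhost that would fail
    hostname verification for some name it serves; an empty dict means all good.
    """
    problems = {}
    for vhost_id, cfg in vhosts.items():
        sans = certs.get(cfg["cert"])
        if sans is None:
            problems[vhost_id] = list(cfg["server_names"])   # cert not found
            continue
        missing = uncovered_names(cfg["server_names"], sans)
        if missing:
            problems[vhost_id] = missing
    return problems


# Constructed inventory modelled on the question: two vhosts, one cert that
# only carries the inf.br names.
CERTS_SEPARATE = {"inf": ["teste.inf.br", "www.teste.inf.br"]}
VHOSTS_SHARING_ONE_CERT = {
    "inf": {"server_names": ["www.teste.inf.br"], "cert": "inf"},
    "combr": {"server_names": ["www.testebr.com.br"], "cert": "inf"},
}
# The arrangement the reply describes: one (assumed) cert whose SAN list
# holds every name, used by both vhosts.
CERTS_COMBINED = {
    "all": ["teste.inf.br", "www.teste.inf.br", "testebr.com.br", "www.testebr.com.br"]
}
VHOSTS_ONE_CERT_FOR_ALL = {
    vid: {"server_names": cfg["server_names"], "cert": "all"}
    for vid, cfg in VHOSTS_SHARING_ONE_CERT.items()
}

if __name__ == "__main__":
    print("reusing the inf.br cert:", check_vhosts(VHOSTS_SHARING_ONE_CERT, CERTS_SEPARATE))
    print("one multi-name cert:    ", check_vhosts(VHOSTS_ONE_CERT_FOR_ALL, CERTS_COMBINED))
```

The first call reports the .com.br vhost as uncovered, which is exactly the browser error the question is about; the second returns nothing because the combined cert's SAN list is a superset of what every vhost serves.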

First sorry for the question, but where do I find the list of names (SAN) to be able to change or pass new names

You create the cert, you control the contents of the SAN.
If you want to review a cert already created, there are many ways to do that; the simplest being to "inspect the cert" and look at the Subject Alternative Names (SAN) field.
Here is a picture of the cert being used by this site:

1 Like

I don't think you understand, where can I pass this information, where do I pass these names? Which file contains them?

Another question: in this screenshot you sent there is "applicant"; is this a random name, or where it will get the certificate? For example, the site is teste.com, and the name in applicant has to be teste.com, or can it be test?

When you create the cert.
with certbot you would use:
-d "domain1.com,www.domain1.com,domain2.com,www.domain2.com,..."

Look at the output of:
certbot certificates

1 Like

It's really confusing for me. The screenshot follows; the applicant's name is a name that is not in my domain, and when I try to renew the certificate it's giving an error precisely in this .com domain. I wanted to know how to change it.

And who setup certbot?

1 Like

An old company. I've never worked with certbot, so the difficulty, and the certificate won and I'm having a lot of trouble renewing it.

Start here:

1 Like