Certs stopped updating, pls help

There was a software change in Certbot which changed the default method that it uses to prove your control over a domain, so if your Certbot is up-to-date, it’s no longer using the method that it was using at the time of your last renewal. We made this change because the change will become mandatory from the certificate authority side in mid-February and we wanted to give people a chance to fix things before it was mandatory. (You can use the old method just once more with --preferred-challenges tls-sni if you need to renew urgently and are willing to deal with this problem later—but the problem would definitely arise again later in that case.)

(We don’t suggest this to most people who run into this problem unless they say that their sites are already down because using the --preferred-challenges tls-sni fix will bring them right back to the forum with the exact same problem in March, except without that option being available anymore.)

Yes, I removed “/” and everything went fine. Thank you! Btw, one more stupid question: how can I specify the “main” domain for my multidomain configuration? Is there an option in the config for that? I mean, at least, to force certbot to make the directory for tld1.com even if there are tld1.com, tld2.com, tld3.com, etc.

If you mean the name that appears in /etc/letsencrypt/live and /etc/letsencrypt/renewal, it’s the first name in the original request (unchanged if you then add other domains later).

When requesting a certificate for the first time, you can control it with --cert-name if you want. I don’t think the code in Certbot to rename an existing certificate lineage has been exposed in the user interface.

Yes, I have multiple domains, for example domain1.com, domain2.com and domain3.com, and certbot chose one as the primary randomly, for example domain2.com. Afterwards, I added newdomain.com and certbot moved all certs to a new directory, domain3.com. I thought it was intended to be so and created a symlink :) But it is interesting what logic lies behind that.

It's normally the first domain in your list, but if you request an overlapping or partially overlapping list, there's different logic. The "moved all certs to the new directory" phenomenon would be caused by a partial overlap (e.g. not requesting the www form of one of the existing domains or something).

I don’t know, I never configured it; I just observed random domain selection and changes :) Also, it was never clear to me which domain is “first”: it’s neither alphabetical nor creation-date order. :)

It should be the first one mentioned on the command line with -d, but if you use the interactive selection from a menu instead of -d, I don’t remember which one is considered “first”.
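To make the naming rules from the replies above concrete, here is a small model of how a lineage name gets chosen: the name is the first domain given with -d in the original request unless --cert-name overrides it, and a later request that overlaps an existing lineage reuses (expands) that lineage instead of creating a new one, which is why the user saw all certs land under an existing name. This is an added example written for this thread, not Certbot’s own code; the exact tie-breaking Certbot applies when several lineages overlap is an assumption here, and the sample lineage and command lines are constructed.

```python
"""Simplified model of Certbot lineage naming (the directory under
/etc/letsencrypt/live and the .conf under /etc/letsencrypt/renewal).

Added illustration, not Certbot's code. Rules taken from the thread:
  * no overlap with any existing lineage -> new lineage named after the
    first -d domain (or after --cert-name when given);
  * identical domain set -> plain renewal of that lineage;
  * partial overlap -> that lineage is expanded and keeps its name.
The order in which overlapping lineages are checked is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Lineage:
    name: str            # directory name under /etc/letsencrypt/live
    domains: list[str]   # names currently on the certificate


def _norm(domain: str) -> str:
    """Case-fold and drop a trailing dot so comparisons are stable."""
    return domain.strip().lower().rstrip(".")


def parse_certbot_args(argv: list[str]) -> tuple[list[str], Optional[str]]:
    """Extract the ordered -d list and --cert-name from a certbot command line.

    Handles both '-d a -d b' and the comma form '-d a,b'. Order is kept
    because the first -d domain becomes the lineage name by default.
    """
    domains: list[str] = []
    cert_name: Optional[str] = None
    it = iter(argv)
    for tok in it:
        if tok in ("-d", "--domain", "--domains"):
            domains.extend(_norm(d) for d in next(it).split(",") if d.strip())
        elif tok.startswith("--domain="):
            domains.extend(_norm(d) for d in tok.split("=", 1)[1].split(","))
        elif tok == "--cert-name":
            cert_name = next(it)
        elif tok.startswith("--cert-name="):
            cert_name = tok.split("=", 1)[1]
    return domains, cert_name


def choose_lineage(existing: list[Lineage], requested: list[str],
                   cert_name: Optional[str] = None) -> tuple[str, str]:
    """Return (lineage_name, action) for a certonly/run request.

    action is one of 'new', 'renew', 'expand' or 'replace'.
    """
    wanted = {_norm(d) for d in requested}
    if not wanted:
        raise ValueError("at least one domain is required")

    if cert_name:
        # --cert-name pins the lineage regardless of which -d came first.
        for lin in existing:
            if lin.name == cert_name:
                same = {_norm(d) for d in lin.domains} == wanted
                return lin.name, "renew" if same else "replace"
        return cert_name, "new"

    for lin in existing:  # exact match: ordinary renewal
        if {_norm(d) for d in lin.domains} == wanted:
            return lin.name, "renew"

    for lin in existing:  # partial overlap: expand, name is unchanged
        if {_norm(d) for d in lin.domains} & wanted:
            return lin.name, "expand"

    return _norm(requested[0]), "new"  # first -d domain names the lineage


def thread_scenario() -> tuple[str, str]:
    """The situation described in the thread (constructed sample data)."""
    existing = [Lineage("domain2.com",
                        ["domain2.com", "domain1.com", "domain3.com"])]
    argv = ["certonly", "-d", "domain1.com,domain2.com,domain3.com",
            "-d", "newdomain.com"]
    domains, name = parse_certbot_args(argv)
    return choose_lineage(existing, domains, name)


if __name__ == "__main__":
    print("adding newdomain.com ->", thread_scenario())
    print("fresh request       ->", choose_lineage([], ["tld2.com", "tld1.com"]))
    print("with --cert-name    ->",
          choose_lineage([], ["tld2.com", "tld1.com"], cert_name="tld1.com"))
```

Run it as a script to see the three cases; the second and third lines show that, for the same domain list, only --cert-name changes which directory name you get.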

It would be great to have such an option to configure somewhere, preferably in the config file.
