Deleted host continues to attempt to renew

My domain is: ncssm.edu

I ran this command:
certbot # interactively, to remove the FQDN my.ncssm.edu, which worked, followed by
certbot --renew # which still attempts to renew my.ncssm.edu

It produced this output: [see below]

My web server is (include version): apache 2.6.4

The operating system my web server runs on is (include version): RHEL 7.9

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.10.1

I have a number of vhosts on a particular machine, all protected with Let's Encrypt certs. I recently moved one vhost (my.ncssm.edu) to another machine, so I ran certbot interactively to remove the vhost from the certificates on this machine. I verified that it did not show up in the output, was not challenged, and the new certificates for the remaining vhosts were properly deployed.

However, any time certbot renew is run, it continues to try to renew the cert for my.ncssm.edu. The challenge fails. The output from the certbot renew command is:

    certbot renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    Processing /etc/letsencrypt/renewal/ai.ncssm.edu.conf
    Cert not yet due for renewal

    Processing /etc/letsencrypt/renewal/broadstreetscientific.ncssm.edu.conf
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator apache, Installer apache
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Renewing an existing certificate for ai.ncssm.edu and 12 more domains
    Performing the following challenges:
    http-01 challenge for my.ncssm.edu
    Waiting for verification...
    Challenge failed for domain my.ncssm.edu
    http-01 challenge for my.ncssm.edu
    Cleaning up challenges
    Attempting to renew cert (broadstreetscientific.ncssm.edu) from /etc/letsencrypt/renewal/broadstreetscientific.ncssm.edu.conf produced an unexpected error: Some challenges have failed.. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/broadstreetscientific.ncssm.edu/fullchain.pem (failure)

    The following certs are not due for renewal yet:
    /etc/letsencrypt/live/ai.ncssm.edu/fullchain.pem expires on 2021-04-13 (skipped)
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/broadstreetscientific.ncssm.edu/fullchain.pem (failure)

    1 renew failure(s), 0 parse failure(s)

    IMPORTANT NOTES:

Hi @pmenchini

What does this say:

    certbot certificates

There you should see the certificate you don't want to renew.

Triple-check this certificate isn't used.

Use

    certbot --delete [certificatename]

to delete the certificate.

1 Like

Juergen,

Thanks, I think you may have hit on the problem. I seem to have 2 certs:

    # certbot certificates
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Found the following certs:
      Certificate Name: ai.ncssm.edu
        Serial Number: 4243ee93b22f9fdfb48feec1a28564f3ccc
        Key Type: RSA
        Domains: ai.ncssm.edu bbsis.ncssm.edu broadstreetscientific.ncssm.edu coursevideos.ncssm.edu faculty.ncssm.edu getgit.ncssm.edu help.ncssm.edu helpdesk.ncssm.edu ithelp.ncssm.edu its-wiki.ncssm.edu morgantonsociety.ncssm.edu mta-sts.ncssm.edu sth.ncssm.edu treecam.ncssm.edu utility0.ncssm.edu wiki.ncssm.edu www.dlt.ncssm.edu
        Expiry Date: 2021-04-13 13:57:31+00:00 (VALID: 89 days)
        Certificate Path: /etc/letsencrypt/live/ai.ncssm.edu/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/ai.ncssm.edu/privkey.pem
      Certificate Name: broadstreetscientific.ncssm.edu
        Serial Number: 3adfacf13f4fb6c9f2f303c00ba583b5ffa
        Key Type: RSA
        Domains: ai.ncssm.edu bbsis.ncssm.edu broadstreetscientific.ncssm.edu coursevideos.ncssm.edu faculty.ncssm.edu getgit.ncssm.edu morgantonsociety.ncssm.edu mta-sts.ncssm.edu my.ncssm.edu sth.ncssm.edu treecam.ncssm.edu utility0.ncssm.edu www.dlt.ncssm.edu
        Expiry Date: 2021-02-01 16:48:56+00:00 (VALID: 19 days)
        Certificate Path: /etc/letsencrypt/live/broadstreetscientific.ncssm.edu/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/broadstreetscientific.ncssm.edu/privkey.pem
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

At one point, broadstreetscientific was the alphabetically first vhost, but then ai came along. It appears that my.ncssm.edu is in the broadstreetscientific cert.

However, my attempts to delete this obsolete cert fail:

    # certbot --delete broadstreetscientific.ncssm.edu
    usage: 
      certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

    Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
    it will attempt to use a webserver both for obtaining and installing the
    certificate. 
    certbot: error: unrecognized arguments: broadstreetscientific.ncssm.edu

[How do you format cli commands and output?--can't seem to find the right tool..]

Thanks for your help so far!

Paul

Hello @pmenchini,

Use certbot delete and select the certificate from the list or use certbot delete --cert-name broadstreetscientific.ncssm.edu

Before deleting anything it is a good idea to take a backup :wink:

Cheers,
sahsanu

1 Like
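An added example, not posted by anyone in this thread: a small shell helper that reads `certbot certificates` output and reports which certificate still lists a retired hostname, plus which hostnames are covered by more than one certificate. The function names and the abbreviated sample are constructed for illustration; the hostnames come from the output above.

```shell
#!/bin/sh
# Constructed sample, abbreviated from the `certbot certificates` output in the thread.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: ai.ncssm.edu
    Domains: ai.ncssm.edu bbsis.ncssm.edu broadstreetscientific.ncssm.edu
    Expiry Date: 2021-04-13 13:57:31+00:00 (VALID: 89 days)
  Certificate Name: broadstreetscientific.ncssm.edu
    Domains: ai.ncssm.edu bbsis.ncssm.edu my.ncssm.edu sth.ncssm.edu
    Expiry Date: 2021-02-01 16:48:56+00:00 (VALID: 19 days)
EOF
}

# lineages_with_domain DOMAIN (hypothetical helper): read `certbot certificates`
# output on stdin and print the name of every certificate whose Domains line
# lists DOMAIN as an exact entry (no substring matches).
lineages_with_domain() {
  awk -v want="$1" '
    $1 == "Certificate" && $2 == "Name:" { name = $3 }
    $1 == "Domains:" {
      for (i = 2; i <= NF; i++)
        if ($i == want) { print name; break }
    }'
}

# shared_domains (hypothetical helper): print each hostname that appears in
# more than one certificate, a sign that an older certificate may be obsolete.
shared_domains() {
  awk '$1 == "Domains:" { for (i = 2; i <= NF; i++) seen[$i]++ }
       END { for (d in seen) if (seen[d] > 1) print d }' | sort
}

# Demonstration on the constructed sample; on a real host, pipe in
# `certbot certificates` instead of sample_output.
sample_output | lineages_with_domain my.ncssm.edu   # prints broadstreetscientific.ncssm.edu
```

The name it prints is the value to pass to `certbot delete --cert-name`, after confirming no vhost configuration still points at that certificate's files under `/etc/letsencrypt/live/`.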

Sahsanu,

Thanks! I guess I got the command syntax wrong. I'm all set.

Appreciate your and Juergen's assistance!

Regards,

Paul

3 Likes

Sorry - happens doing other things - remove the -- :wink:

No worries. I miss 'man certbot', so I poke around with 'certbot --help', but it's not the same.... But, your hit was instrumental in solving my issue!

3 Likes
