Deleting old domain broke renewal

Hey, I deleted the certs for beneluxsg.org (in /etc/letsencrypt/renewal), to only go on with bsgmarathon.com, and now renewal fails because it can't find the records for the old domain. How do I get rid of it :o

My domain is: bsgmarathon.com (with deleted beneluxsg.org)

I ran this command: certbot renew

It produced this output:

Attempting to renew cert (bsgmarathon.com) from /etc/letsencrypt/renewal/bsgmarathon.com.conf produced an unexpected error: Failed authorization procedure. beneluxsg.org (http-01): urn:acme:error:dns :: No valid IP addresses found for beneluxsg.org, www.beneluxsg.org (http-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.beneluxsg.org. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bsgmarathon.com/fullchain.pem (failure)

And after editing /etc/letsencrypt/renewal/bsgmarathon.com.conf to delete home folders

Attempting to renew cert (bsgmarathon.com) from /etc/letsencrypt/renewal/bsgmarathon.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for beneluxsg.org:
Choices: ['Enter a new webroot', '/var/www/html']

(You can set this with the --webroot-path flag). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bsgmarathon.com/fullchain.pem (failure)

My web server is (include version): Nginx/1.10.1

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Transip

I can login to a root shell on my machine (yes or no, or I don't know): Account with sudo privileges

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hi @Riek_lt

Checking your domain, there is already a new certificate with the correct domain names - https://check-your-website.server-daten.de/?q=bsgmarathon.com#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-10-28 | 2020-01-26 | bsgmarathon.com, www.bsgmarathon.com - 2 entries | duplicate nr. 1 | |

But you don't use it; instead, you use the expired certificate:

CN=beneluxsg.org | 29.07.2019 | 27.10.2019 | 2 days expired | beneluxsg.org, bsgmarathon.com, www.beneluxsg.org, www.bsgmarathon.com - 4 entries

So first step: what is the output of

nginx -T

Clean up your vHost so that the 2 domain names no longer in use are removed.

Then try to reinstall the certificate

certbot -d bsgmarathon.com -d www.bsgmarathon.com --reinstall

Certbot should find the correct certificate. If your vHost configuration is correct, that should work.


Hey @JuergenAuer, thanks for the fast reply, good to know that the problem was different from what I originally thought.

There is no mention of beneluxsg.org in the output of nginx -T, since I did clean that up from /etc/nginx/sites-available/default.

Whenever I try to reinstall the certificate, this is my output

$ sudo certbot -d bsgmarathon.com -d www.bsgmarathon.com --reinstall
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
nginx: [emerg] "ssl_certificate" directive is duplicate in /etc/nginx/sites-enabled/default:187
Rolling back to previous server configuration...
nginx restart failed:
b''
b''

Line 187 in default points to the end of the file, with only a commented-away Vhost for example.com.
See default file here: https://pastebin.com/dJrfbqfE
Other files in the folder are default.dpkg-dist and nextcloud, all without any mention of beneluxsg.org

That's curious.

Perhaps update your Certbot.

Oh - what's that? You have a port 443 SSL vHost - but there is no certificate file. So add the two required rows manually.

certbot certificates

should list the files.

The problem is solved, thanks!
The certificate files were in /etc/nginx/snippets/bsgmarathon.com.comf, everything worked out when I pointed it to the new certificate bsgmarathon.com-0001.

Thanks a bundle
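The check that resolved this thread (nginx still loading the expired lineage from an included file) can be scripted. The following is an added example, not part of the original posts: it attributes each ssl_certificate directive in `nginx -T` output to the config file that contains it and compares it with `certbot certificates`. Both sample outputs are constructed, and the snippet file name tls-site.conf and the expiry times are assumptions.

```python
import re
# Constructed sample outputs; snippet file name and expiry times are hypothetical.
NGINX_T = """\
# configuration file /etc/nginx/sites-enabled/default:
server { listen 443 ssl; include snippets/tls-site.conf; }
# configuration file /etc/nginx/snippets/tls-site.conf:
ssl_certificate /etc/letsencrypt/live/bsgmarathon.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bsgmarathon.com/privkey.pem;
"""
CERTBOT = """\
  Certificate Name: bsgmarathon.com
    Domains: beneluxsg.org bsgmarathon.com www.beneluxsg.org www.bsgmarathon.com
    Expiry Date: 2019-10-27 08:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/bsgmarathon.com/fullchain.pem
  Certificate Name: bsgmarathon.com-0001
    Domains: bsgmarathon.com www.bsgmarathon.com
    Expiry Date: 2020-01-26 08:00:00+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/bsgmarathon.com-0001/fullchain.pem
"""

def parse_lineages(text):
    """Map certificate path -> lineage info from `certbot certificates` output."""
    certs, cur = {}, {}
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Certificate Name":
            cur = {"name": val}
        elif key == "Expiry Date":
            cur["valid"] = "(VALID" in val  # certbot prints (VALID: ...) or (INVALID: ...)
        elif key == "Certificate Path":
            certs[val] = cur
    return certs

def audit(nginx_t, certbot_out):
    """Return (config file, certificate path, problem) for each stale ssl_certificate."""
    lineages, conf, findings = parse_lineages(certbot_out), None, []
    for line in nginx_t.splitlines():
        if m := re.match(r"# configuration file (.+):$", line):
            conf = m.group(1)  # nginx -T prints this header before each file it dumps
        elif m := re.match(r"\s*ssl_certificate\s+([^;]+);", line):
            path = m.group(1).strip()
            cert = lineages.get(path)
            if cert is None:
                findings.append((conf, path, "not a certbot-managed path"))
            elif not cert["valid"]:
                findings.append((conf, path, f"lineage {cert['name']} is expired"))
    return findings

if __name__ == "__main__":
    print(*audit(NGINX_T, CERTBOT), sep="\n")
```

On a live host, feed it the real output of `sudo nginx -T` and `sudo certbot certificates` instead of the constructed strings.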
