Error in letsencrypt renew after virtualhost removal on apache


#1

My apache on ubuntu 16.04 is configured to serve 5 virtual SSL sites. Each SSL site is in its own .conf apache file.
I removed one site with the usual procedure for apache: a2dissite site2.mydom.com, restart apache, deleted A record for DNS.
But now, at each letsencrypt renew I get a lot of errors:

2017-01-30 20:22:17,158:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/site1.mydom.com.conf produced an unexpected error: Failed authorization procedure. site2.mydom.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for site2.mydom.com. Skipping.
Processing /etc/letsencrypt/renewal/site3.mydom.com.conf


The following certs are not due for renewal yet:
  /etc/letsencrypt/live/site3.mydom.com/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/site1.mydom.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: site2.mydom.com
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for site2.mydom.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

How do I correctly remove site2.mydom.com and stop letsencrypt tool to request a certificate for the disabled site site2.mydom.com ?
Thank you.


#2

You probably generated one certificate for both (i.e., site1 and site2) domains previously?

I’d recommend to generate a new certificate, just for site1. You might want to use --cert-name to keep certbot from generating a new directory in /live/. Note: you’ll have to run quite a recent version of certbot for this, or use certbot-auto (which updates certbot with every time it runs).


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.