Error renewing after changing website folder on web server

I create my certificates manually at the command line for each of my client websites using this command:

certbot certonly --webroot -w /home/web/client_01/www -d clientdomain.com,www.clientdomain.com

A few weeks ago I changed the folders for a bunch of client websites, for example: /home/web/client_01/ was changed to /home/web/001/

I was told in a post I made here at the time that I won't need to revoke and reissue certificates if I just change the name of the website folder, but it turns out that Certbot is giving me an error now for some of these sites.

Domain: clientdomain.com
Type: unauthorized
Detail: Invalid response from
https://www.clientdomain.com/.well-known/acme-challenge/i3-uAw9hiem36kqvY9_PeO2burX2ypTdwbR1QtIcOp3

When I tried to renew the certificate using the verbose flag, I saw this in the output:

http-01 challenge for clientdomain.com
http-01 challenge for www.clientdomain.com
Using the webroot path /home/web/client_01/www for all unmatched domains.
Creating root challenges validation dir at /home/web/client_01/www/.well-known/acme-challenge
Unable to change owner and uid of webroot directory
Error was: [Errno 2] No such file or directory: '/home/web/client_01/www'

It seems that the folder location is stored with the certificate and it appears I do need to reissue the certificate using the new website folder after all.

Do I need to revoke the certificates first, then recreate them? Or can I simply issue this same command with the new folder name to get the old certificate overwritten with the new one?

certbot certonly --webroot -w /home/web/001/www -d clientdomain.com,www.clientdomain.com

My certificates are stored like this:

/etc/letsencrypt/live/clientdomain.com/cert.pem
/etc/letsencrypt/live/clientdomain.com/chain.pem
/etc/letsencrypt/live/clientdomain.com/privkey.pem

If I issue the above command, will that simply replace the certificate files above with new ones, or will it create new certificate files like this:

/etc/letsencrypt/live/clientdomain.com-002/cert.pem
/etc/letsencrypt/live/clientdomain.com-002/chain.pem
/etc/letsencrypt/live/clientdomain.com-002/privkey.pem

I want to avoid that because I have dozens of sites that I will have to recreate certificates for, so if I could at least keep the same certificate file names in /etc/letsencrypt/live/ that would prevent me from also having to modify a bunch of .conf files as well.

Thanks!


My web server is (include version): Apache 2.4.6
The operating system my web server runs on is (include version): CentOS 7.8
I can login to a root shell on my machine: Yes
I'm using a control panel to manage my site: No
The version of my client is: 1.7.0


What you can do is perform your renewal as normal, but provide the new webroot.

certbot renew --cert-name clientdomain.com -w /home/web/001/www

If the renewal succeeds, then the updated webroot will be saved and remembered for next time.

You can also modify it directly in /etc/letsencrypt/renewal/clientdomain.com.conf.

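With dozens of moved sites, it helps to find every renewal config that still points at a folder that no longer exists before the next renewal fails. The following is an added example, not code from the thread or from Certbot: it reads the `webroot_path` and `[[webroot_map]]` entries that Certbot saves in each renewal config and reports the ones whose directory is missing. The function names, the `demo` fixture and its domains and paths are made up for illustration; the check only reads files and changes nothing.

```sh
# Added example (not from the thread). Lists renewal configs whose saved
# webroot directory no longer exists, e.g. after a site folder was renamed.
# Usage: stale_webroots [renewal_dir]   (default: /etc/letsencrypt/renewal)
stale_webroots() {
    sw_dir="${1:-/etc/letsencrypt/renewal}"
    for sw_conf in "$sw_dir"/*.conf; do
        [ -f "$sw_conf" ] || continue
        # Paths come from "webroot_path = p1,p2," and from the
        # "domain = path" entries under [[webroot_map]].
        awk -F' *= *' '
            { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
            /^#/ { next }
            /^\[/ { in_map = ($0 == "[[webroot_map]]"); next }
            $1 == "webroot_path" {
                n = split($2, p, / *, */)
                for (i = 1; i <= n; i++) if (p[i] != "") print p[i]
                next
            }
            in_map && NF == 2 { print $2 }
        ' "$sw_conf" | sort -u | while IFS= read -r sw_path; do
            [ -d "$sw_path" ] ||
                printf '%s\t%s\n' "$(basename "$sw_conf" .conf)" "$sw_path"
        done
    done
}

# Constructed fixture: one lineage still pointing at the old folder, one
# already pointing at the new one. Domains and paths are made up.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/renewal" "$tmp/web/001/www"
    cat > "$tmp/renewal/moved.example.conf" <<EOF
# renew_before_expiry = 30 days
version = 1.7.0
[renewalparams]
authenticator = webroot
webroot_path = $tmp/web/client_01/www,
[[webroot_map]]
moved.example = $tmp/web/client_01/www
www.moved.example = $tmp/web/client_01/www
EOF
    cat > "$tmp/renewal/ok.example.conf" <<EOF
[renewalparams]
authenticator = webroot
webroot_path = $tmp/web/001/www,
[[webroot_map]]
ok.example = $tmp/web/001/www
EOF
    stale_webroots "$tmp/renewal" | sed "s|$tmp||"
    rm -rf "$tmp"
}
```

Each output line is the certificate name and the missing path, separated by a tab; an empty result means every saved webroot still exists.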

Thank you, editing the domain.conf file worked!
