Error while auto-renewing with certbot-auto

There are many threads with this same error, which basically makes the website unusable as the certificate is now out of date.

My specific situation is that while trying Let's Encrypt and certbot, I had created a test domain for Our real domain is Now we do not need that older domain. How can I tell the certbot script to NOT include that old domain? I’ve removed it from the conf file.

Error message while renewing:

> Unable to clean up challenge directory /home/thearc/.well-known/acme-challenge
> Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<!DOCTYPE html>...". Skipping.

The text inside my file is as follows:

# renew_before_expiry = 30 days
version = 0.11.1
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
authenticator = webroot
installer = None
account = 51ab0aa536a6ad6568546ed62976de99
post_hook = service nginx reload
[[webroot_map]] = /home/thearc

The directory /home/thearc (root folder) has 755 chmod-ed .well-known/acme-challenge/ directories. But this doesn’t work, because the cert is outdated now? It shows me the usual Chrome error message as you can see for yourself:

How can I renew this cert? The certbot-auto is fairly useless.

Hi @NearlyNormal,

As you saw, certbot-auto renew tries to get a new cert which is substantially identical to the previous cert. If you no longer control or are simply no longer using one of the domains in the previous cert, that will be an error—the exact error that you encountered.

To change the contents of an existing cert, including which domain names it applies to, you should run certbot certonly with the appropriate details. This replaces the existing cert with one with the new properties that you specify.

In this case you could run

certbot-auto certonly --force-renewal --cert-name -d

The --cert-name option is used here to specify which particular certificate you want to modify. This is mandatory when removing names from an existing cert.

If you wanted other domains to be in the certificate, you could add additional -d options at the end of this command to include them too (for example, perhaps -d to include the www form, if you want). In this case, not specifying -d (the old domain) will result in its being excluded from the new cert.

After you have done this successfully once, future uses of certbot-auto renew would no longer attempt to renew for the old domain that is no longer mentioned in your cert.
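The renewal conf quoted in the first post and the `certonly --cert-name ... -d` procedure in this answer, worked through as an added example (this is my code, not certbot's and not anything posted in the thread). It reads the `[[webroot_map]]` of a renewal conf, checks that each webroot really has a world-readable `.well-known/acme-challenge` directory (one common reason the CA gets the site's normal HTML page instead of the token), and assembles the replacement-certificate command with the unwanted domain left out. The domain names, the `[renewalparams]`/`[[webroot_map]]` layout of certbot's renewal conf and the account id are assumptions; `example.com` stands in for the thread's stripped domain names, and `/home/thearc` is the webroot from the first post.

```python
# Added example (not certbot's code): parse a renewal conf's [[webroot_map]],
# check each webroot can serve http-01 tokens, and build the answer's command.
import os
import stat
import tempfile
from typing import Dict, List

# Constructed sample modelled on the conf in the first post; the thread's own
# domain names were stripped from the page, so example.com stands in for them.
SAMPLE_CONF = """\
version = 0.11.1
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
[renewalparams]
authenticator = webroot
installer = None
account = 0123456789abcdef0123456789abcdef
post_hook = service nginx reload
[[webroot_map]]
example.com = /home/thearc
test.example.com = /home/thearc
"""


def parse_webroot_map(conf_text: str) -> Dict[str, str]:
    """Return {domain: webroot} from the [[webroot_map]] subsection."""
    webroots: Dict[str, str] = {}
    in_map = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # any section header starts or ends the map
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domain, path = (part.strip() for part in line.split("=", 1))
            webroots[domain] = path
    return webroots


def challenge_dir_problems(webroot: str) -> List[str]:
    """Explain why http-01 tokens under this webroot could not be served."""
    if not os.path.isdir(webroot):
        return [f"webroot {webroot} does not exist"]
    challenge = os.path.join(webroot, ".well-known", "acme-challenge")
    if not os.path.isdir(challenge):
        return [f"{challenge} is missing"]
    problems: List[str] = []
    # Every component must be readable and searchable (r-x) by the web server
    # user; the 0755 mentioned in the thread is the usual setting.
    for path in (webroot, os.path.dirname(challenge), challenge):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o005 != 0o005:
            problems.append(f"{path} mode {mode:04o} is not world r-x")
    return problems


def build_certonly_command(cert_name: str, webroots: Dict[str, str],
                           drop: List[str]) -> List[str]:
    """Assemble the answer's command as argv; names in `drop` get no -d.

    Each -w applies to the -d names that follow it, so group by webroot.
    """
    argv = ["certbot", "certonly", "--webroot", "--force-renewal",
            "--cert-name", cert_name]
    for webroot in sorted(set(webroots.values())):
        names = [d for d in sorted(webroots)
                 if webroots[d] == webroot and d not in drop]
        if names:
            argv += ["-w", webroot]
            for name in names:
                argv += ["-d", name]
    return argv


def demo() -> Dict[str, object]:
    """Run the checks against throwaway webroots created for this example."""
    webroots = parse_webroot_map(SAMPLE_CONF)
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")      # correct layout, 0755 throughout
        locked = os.path.join(tmp, "locked")  # layout present, but top dir 0700
        bad = os.path.join(tmp, "bad")        # no .well-known/acme-challenge
        for root in (good, locked):
            os.makedirs(os.path.join(root, ".well-known", "acme-challenge"))
            for dirpath, _, _ in os.walk(root):
                os.chmod(dirpath, 0o755)
        os.chmod(locked, 0o700)
        os.makedirs(bad)
        return {
            "domains": sorted(webroots),
            "good_problems": challenge_dir_problems(good),
            "locked_problems": challenge_dir_problems(locked),
            "bad_problems": challenge_dir_problems(bad),
            "command": build_certonly_command("example.com", webroots,
                                              drop=["test.example.com"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reports no problems for the correctly laid-out webroot, one for the webroot whose top directory is `0700`, one for the webroot with no challenge directory, and prints the `certbot certonly --webroot --force-renewal --cert-name example.com -w /home/thearc -d example.com` argv with `test.example.com` omitted, which is exactly how the answer above removes a name from an existing certificate.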


Thank you for sharing this. It should be more easily accessible in the documentation. I was trying to find out how to remove a domain name from the scripts that Letsencrypt uses.

I tried the command you helpfully shared. Doesn’t work. Here’s the output:

[root@uzi ~]# /root/certbot-auto certonly --force-renewal --cert-name -d

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host='', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.

I chose option #3 above, because I don’t use Apache, and I’m not sure what a temporary web server is. We are on Nginx.

The log file, if it helps, is:

2017-05-19 11:04:32,097:DEBUG:acme.client:Sending GET request to
2017-05-19 11:04:32,107:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1):
2017-05-19 11:05:17,216:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 742, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 666, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 389, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 230, in __init__
    acme = acme_from_config_key(config, self.account.key)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 44, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/", line 71, in __init__
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/", line 646, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/", line 619, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/", line 499, in send
    raise ReadTimeout(e, request=request)
ReadTimeout: HTTPSConnectionPool(host='', port=443): Read timed out. (read timeout=45)

What now? While I wait for all these technicalities to be resolved, our website is down.

Looks like that domain is down.

curl -I
HTTP/1.1 504 Gateway Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 175
Expires: Fri, 19 May 2017 11:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 19 May 2017 11:14:48 GMT
Connection: keep-alive

It’s stupid. What’s the point of a “free” service if the service to manage certificates is down, which takes our whole website down and makes it inaccessible? Highly unprofessional.

This error is a result of an ongoing service disruption. Please follow for more information. We should have all of the remaining issues resolved shortly.

