Having trouble renewing with nginx, random key keeps changing each time

Please fill out the fields below so we can help you better.

My domain is:
digitalmarshmellow.com

I ran this command:
sudo certbot renew

It produced this output:
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/digitalmarshmellow.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

Let's Encrypt needs to do a .well-known in all my subdomains on my cert (why?), but each time I run certbot it generates a new random string of characters to shove in the well-known directory. It doesn't create them on its own though, so I attempt to create the files but each time it's different… how the hell do I do this?

Hi @EncryptNewbie,

It does create them on its own, but it deletes them right afterward (that is, once the challenge has succeeded or failed). If you want it to pause in the middle for you to take a look, you should be able to use --debug-challenges (I hope this works properly with renew because I’m more accustomed to people using it with certonly).

The most common reason for the error that you’re seeing is that Certbot doesn’t have the current, correct webroot directory for each subdomain. This could happen if you only specified the webroot for one subdomain but not for others, or if the webroot location for any subdomain has changed since the time that you originally got your certificate.

The webroot location or locations that you specified when you first obtained your certificate with Certbot are stored in /etc/letsencrypt/renewal/digitalmarshmellow.com.conf, probably in a webroot_map section, which says which directory Certbot expects to be able to use to create web content under each individual subdomain that the certificate covers. You can also take a look at that and see if it matches your understanding of your current webserver configuration.

This is in order to check that you still control all of these domain names. Certificate authorities are expected to verify that somehow before issuing you a new certificate.
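The reply above points at the `[[webroot_map]]` subsection of the renewal file as the usual culprit. The following script is an added example, not part of this thread or of Certbot itself: it parses that subsection out of a renewal file and then checks, for every name the certificate must cover, that a webroot entry exists, that the directory is really there, and that `.well-known/acme-challenge` can be created and written in it. The renewal file contents, the domain names and the directory layout are constructed for the demo; the layout (`[renewalparams]` with a nested `[[webroot_map]]`) follows Certbot's configobj format, and the `demo()` helper that runs the check in a temporary directory is this example's own.

```python
import os
import tempfile

# Constructed sample of a Certbot renewal file (not the poster's real file).
# Certbot's renewal files use configobj syntax: top-level keys, a
# [renewalparams] section and a nested [[webroot_map]] subsection.
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem
[renewalparams]
authenticator = webroot
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
example.test = /var/www/example
www.example.test = /var/www/example
blog.example.test = /var/www/blog
"""


def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] subsection.

    Small hand-written parser: stdlib configparser does not understand the
    nested [[section]] syntax, so we track the section ourselves.
    """
    webroot_map = {}
    in_map = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):
            # nested subsection: only [[webroot_map]] interests us
            in_map = line.strip("[]").strip() == "webroot_map"
            continue
        if line.startswith("["):
            in_map = False  # a new top-level section ends the map
            continue
        if in_map and "=" in line:
            domain, path = (part.strip() for part in line.split("=", 1))
            webroot_map[domain] = path
    return webroot_map


def check_webroots(webroot_map, cert_domains):
    """Classify each certificate name by whether Certbot could place a token.

    Returns lists under four keys:
      no_entry       - name absent from webroot_map (Certbot has nowhere to write)
      no_webroot_dir - mapped directory does not exist (stale path after a move)
      unwritable     - .well-known/acme-challenge cannot be created or written
      ok             - all checks passed
    """
    result = {"no_entry": [], "no_webroot_dir": [], "unwritable": [], "ok": []}
    for name in cert_domains:
        webroot = webroot_map.get(name)
        if webroot is None:
            result["no_entry"].append(name)
            continue
        if not os.path.isdir(webroot):
            result["no_webroot_dir"].append(name)
            continue
        challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        probe = os.path.join(challenge_dir, "webroot-probe")
        try:
            os.makedirs(challenge_dir, exist_ok=True)
            with open(probe, "w") as fh:
                fh.write("probe")
            os.remove(probe)
        except OSError:
            result["unwritable"].append(name)
            continue
        result["ok"].append(name)
    return result


def demo():
    """Run the check on the constructed sample inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = SAMPLE_RENEWAL_CONF.replace("/var/www", tmp)
        os.makedirs(os.path.join(tmp, "example"))  # blog/ deliberately left out
        webroot_map = parse_webroot_map(conf)
        # constructed list of names the certificate covers; mail. has no entry
        cert_domains = ["example.test", "www.example.test",
                        "blog.example.test", "mail.example.test"]
        return check_webroots(webroot_map, cert_domains)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:15} {', '.join(names) or '-'}")
```

Against a real system, read `/etc/letsencrypt/renewal/<domain>.conf` instead of the sample, take the list of names from `certbot certificates`, and run the check as the same user Certbot runs as; a name that lands in `no_entry` or `no_webroot_dir` is exactly the situation the reply describes, and the fix is to update the map (or re-run Certbot with the correct `-w` webroot for every name) rather than to create token files by hand.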

Thank you, it was my config file. I updated the webroot of the various subdomains.
