How to change my Certbot certification domain name?

Hello,
I'm using certbot 1.19.0 and I want to change my domain name. For example, my current domain name is "https://example1.com" and I want to change it to "https://example2.com". I ran the command below:

# certbot --apache -d example1.com -d www.example1.com -d www.example2.com --force-renewal

And I got the error below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for example1.com and 2 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.example2.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for www.example2.com - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Is this DNS problem related to my Linux server or the domain panel?

Thank you.

Please note that --force-renewal doesn't suddenly force the CA to issue a certificate even if the hostname didn't validate successfully.

This usually is a DNSSEC issue. However, without the actual hostname we can't check this.

2 Likes
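The SERVFAIL in the error above is what a DNSSEC-validating resolver (which is what Let's Encrypt's validation servers use) returns when a zone's signature chain is broken, and no certbot flag can work around it. The script below is an added example, not part of the thread: it queries a validating resolver twice, once normally and once with `+cd` (checking disabled), and classifies the result. A SERVFAIL that turns into NOERROR under `+cd` means the record exists but DNSSEC validation fails, which is a problem at the registrar/DNS host, not on the web server. It assumes `dig` is installed; the resolver address 1.1.1.1 and the hostnames are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): tell a DNSSEC validation failure
# apart from a genuinely missing record, the way a validating resolver
# such as the one Let's Encrypt uses would see it.
# Assumes `dig` (bind-utils / dnsutils) is installed. The resolver is an
# assumption; any DNSSEC-validating resolver will do.

RESOLVER="${RESOLVER:-1.1.1.1}"

# Pull the RCODE out of dig's header line, which looks like:
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53042
parse_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Query the A record; extra arguments (e.g. +cd) are passed on to dig.
dig_status() {
    host="$1"; shift
    dig +dnssec "$@" "@$RESOLVER" "$host" A 2>/dev/null | parse_status
}

# Classify the pair (status with validation on, status with +cd).
# SERVFAIL that becomes NOERROR once validation is switched off is the
# signature of a broken DNSSEC chain (stale DS at the registrar, expired
# RRSIGs, ...). SERVFAIL both ways means the authoritative servers
# themselves are failing; NXDOMAIN means the name does not exist at all.
classify_dns() {
    validating="$1"; checking_disabled="$2"
    case "$validating/$checking_disabled" in
        NOERROR/*)         echo "ok" ;;
        SERVFAIL/NOERROR)  echo "dnssec-broken" ;;
        SERVFAIL/SERVFAIL) echo "authoritative-broken" ;;
        NXDOMAIN/*)        echo "no-such-name" ;;
        *)                 echo "other:${validating:-none}" ;;
    esac
}

check_host() {
    v=$(dig_status "$1")
    c=$(dig_status "$1" +cd)
    printf '%s: validating=%s checking-disabled=%s -> %s\n' \
        "$1" "${v:-none}" "${c:-none}" "$(classify_dns "$v" "$c")"
}

# Usage: sh check_dns.sh www.example2.com example2.com
for h in "$@"; do check_host "$h"; done
```

"ok" only means the name resolves without error; check dig's ANSWER section as well, because a NOERROR reply with no A record still fails the HTTP-01 challenge. For the full picture Let's Encrypt sees, https://letsdebug.net runs the same kind of checks against a hostname.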

I removed the --force-renewal option and got the same error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/example1.com.conf)

It contains these names: example1.com, www.example1.com

You requested these names for the new certificate: example1.com, www.example1.com,
www.example2.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate for example1.com and 2 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.example2.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for www.example2.com - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The DNSSEC issue?

Please post the hostname.

Thank you.
My Virtual Host config file is:

# cat wp.conf 
<VirtualHost *:80>

ServerAdmin root@localhost
ServerName www.example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/wordpress
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
RewriteEngine on
RewriteCond %{SERVER_NAME} =example2.com [OR]
RewriteCond %{SERVER_NAME} =www.example2.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Redirect permanent / https://www.example2.com

TraceEnable off
ServerSignature Off

# SSL
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

TimeOut 60
ErrorDocument 500 "Oh sorry dear."


RequestReadTimeout header=20-600,MinRate=500 body=20,MinRate=500
</VirtualHost>

<Directory "/var/www/wordpress">
# Options -Indexes +FollowSymLinks
Options -Indexes
AllowOverride All
Require all granted
</Directory>

<VirtualHost *:80>
    ServerName IP
    Redirect 403 /
    ErrorDocument 403 "Sorry, direct IP access not allowed."
    DocumentRoot /dev/null/
    UseCanonicalName Off
    UserDir disabled
</VirtualHost>

#Disable OPTIONS Method
<Location />
    <LimitExcept GET POST>
        order deny,allow
        deny from all
    </LimitExcept>
</Location>

I did:

# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example2.com
2: www.example2.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for example2.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example2.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example2.com/privkey.pem
This certificate expires on 2021-12-27.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for example2.com to /etc/httpd/conf.d/wp-le-ssl.conf
Failed redirect for example2.com
Unable to set the redirect enhancement for example2.com.

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name example2.com

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Then:

# certbot install --cert-name example2.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying certificate
Successfully deployed certificate for example2.com to /etc/httpd/conf.d/wp-le-ssl.conf
Failed redirect for example2.com
Unable to set the redirect enhancement for example2.com.
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

And:

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example2.com
    Serial Number: 3e7316642431fe72e94e8ae42a1e0baf210
    Key Type: RSA
    Domains: example2.com
    Expiry Date: 2021-12-27 11:11:06+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example2.com/privkey.pem
  Certificate Name: www.example2.com
    Serial Number: 388121053221473f18f4db5ad47ffb48499
    Key Type: RSA
    Domains: www.example2.com
    Expiry Date: 2021-12-27 10:55:55+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.example2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example2.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

What is wrong?

You have SSL directives in a port 80 virtualhost, which is bad.

2 Likes

How can I solve it? Change port 80 to 443 and retry?

The HTTPS site on port 443 should be in the file /etc/httpd/conf.d/wp-le-ssl.conf, so your wp.conf should not have any reference to SSL related directives. I have no idea how they got there in the first place?

2 Likes

Thank you.
The content of the wp-le-ssl.conf file is:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@localhost
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
SSLEngine On
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example2.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example2.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@localhost
ServerName www.example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/wordpress
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =example2.com [OR]
# RewriteCond %{SERVER_NAME} =www.example2.com [OR]
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Redirect permanent / https://www.example2.com

TraceEnable off
ServerSignature Off

# SSL
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

SSLCertificateFile /etc/letsencrypt/live/www.example2.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example2.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

What is wrong and how can I solve it?

Apart from having two VirtualHosts sections for the same virtual host, I dunno..

I also don't know what your actual issue currently is and it seems you don't want to share the hostnames (which is kinda mandatory on this Community), so I can't check what's wrong with your site.

2 Likes

I didn't edit the wp-le-ssl.conf file and I never added two VirtualHost sections!
As I said, I want to change my HTTPS certificate to the new domain name.

Hello,
Why does the wp-le-ssl.conf file have two VirtualHost sections? Can I remove one of them?

Thank you.

I don't know. Looks like they aren't identical and I cannot guess what options your site requires. And why are there 2 sections? Well, perhaps your HTTP VirtualHost was also doubled? Maybe that's the reason why certbot also built two HTTPS VirtualHost sections..

1 Like
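The replies above point at three separate problems in the posted configs: TLS directives (SSLCipherSuite and friends) inside the port-80 vhost, which is why certbot could not match an HTTP vhost to the new HTTPS one; two :443 vhosts claiming www.example2.com, of which Apache only ever selects the first; and a `Redirect permanent / https://www.example2.com` copied into the :443 vhost, which redirects HTTPS to itself. The script below is an added example, not from the thread or from certbot: a small lint that flags all three, run against a constructed config trimmed from the posted wp.conf and wp-le-ssl.conf, and against a corrected layout in which wp.conf holds only the plain-HTTP vhost that redirects and wp-le-ssl.conf holds one :443 vhost for both names. The single-certificate path `/etc/letsencrypt/live/example2.com/` covering both names is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or certbot): lint Apache vhost files
# for TLS directives in a port-80 vhost, a hostname claimed twice on one
# port, and an https:// Redirect inside a :443 vhost. Sample configs are
# constructed; the certificate path under example2.com/ is an assumption.

lint_vhosts() {
    # Reads an Apache config on stdin, prints one line per finding and
    # exits 1 if anything was found, so it can gate a reload.
    awk '
    /^[[:space:]]*<VirtualHost/ {
        port = $0; sub(/.*:/, "", port); sub(/[^0-9].*/, "", port)
        if (port == "") port = "?"
        in_vhost = 1; next
    }
    /^[[:space:]]*<\/VirtualHost>/ { in_vhost = 0; next }
    !in_vhost { next }
    port == "80" && /^[[:space:]]*SSL/ {
        print "port 80 vhost carries a TLS directive: " $1; n++
    }
    port == "443" && /^[[:space:]]*Redirect/ && /https:\/\// {
        print "Redirect to https:// inside a :443 vhost (redirect loop): " $0; n++
    }
    /^[[:space:]]*Server(Name|Alias)/ {
        for (i = 2; i <= NF; i++)
            if (seen[port ":" $i]++) {
                print "name " $i " listed twice on port " port \
                      " (redundant alias or a vhost Apache never selects)"
                n++
            }
    }
    END { exit (n > 0) }
    '
}

count_findings() {
    printf '%s\n' "$1" | lint_vhosts | wc -l | tr -d ' '
}

# Constructed, trimmed from the thread's wp.conf and wp-le-ssl.conf.
BAD_CONF='<VirtualHost *:80>
ServerName www.example2.com
ServerAlias www.example2.com
Redirect permanent / https://www.example2.com
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
</VirtualHost>
<VirtualHost *:443>
ServerName example2.com
ServerAlias www.example2.com
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example2.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example2.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
ServerName www.example2.com
ServerAlias www.example2.com
Redirect permanent / https://www.example2.com
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/www.example2.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example2.com/privkey.pem
</VirtualHost>'

# Corrected layout: HTTP vhost only redirects; one HTTPS vhost, one cert
# for both names; cipher settings come from certbot's options include.
GOOD_CONF='<VirtualHost *:80>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/wordpress
Redirect permanent / https://www.example2.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/wordpress
SSLEngine On
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example2.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example2.com/privkey.pem
</VirtualHost>'

if [ $# -gt 0 ]; then
    cat "$@" | lint_vhosts        # e.g. sh lint_vhosts.sh /etc/httpd/conf.d/*.conf
else
    echo "== constructed broken config =="
    printf '%s\n' "$BAD_CONF" | lint_vhosts || echo "(exit status 1: would block a reload)"
    echo "== corrected config =="
    printf '%s\n' "$GOOD_CONF" | lint_vhosts && echo "(no findings)"
fi
```

The corrected layout expects a single certificate lineage covering both names, which is what the thread's very first command was trying to do; with DNS fixed, `certbot certonly --apache --cert-name example2.com -d example2.com -d www.example2.com` expands the existing example2.com lineage, and `certbot delete --cert-name www.example2.com` removes the stray www-only one once no vhost references it. If certbot's redirect enhancement is used, drop the manual `Redirect` so there is only one redirect mechanism. The cipher, compression and session-ticket settings in the posted :443 vhost duplicate what `options-ssl-apache.conf` already sets.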

Hello,
My VirtualHost is:

<VirtualHost *:80>
ServerAdmin root@localhost
ServerName www.example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/wp
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
RewriteEngine on
RewriteCond %{SERVER_NAME} =example2.com [OR]
RewriteCond %{SERVER_NAME} =www.example2.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Redirect permanent / https://www.example2.com

TraceEnable off
ServerSignature Off

# SSL
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

TimeOut 60


</VirtualHost>

<Directory "/var/www/wp">
# Options -Indexes +FollowSymLinks
Options -Indexes
AllowOverride All
Require all granted
</Directory>

#Disable OPTIONS Method
<Location />
    <LimitExcept GET POST>
        order deny,allow
        deny from all
    </LimitExcept>
</Location>

What is your opinion?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.