How to renew 4 domains only from a 5 domains SAN certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

We have 5 domains pointing to the same IP, and all 5 domains share a certificate.
Now I removed this-is-not-wix.com from the IP address. I want to renew my cert for my domains other than this-is-not-wix.com. Please advise.

My domain is: webplus.solutions

I ran this command: certbot renew --dry-run

It produced this output:
Attempting to renew cert (webplus.solutions) from /etc/letsencrypt/renewal/webplus.solutions.conf produced an unexpected error: Failed authorization procedure. this-is-not-wix.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for this-is-not-wix.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/webplus.solutions/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/webplus.solutions/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)

The operating system my web server runs on is (include version):
Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1 Like

One way to do this is to renew once using --allow-subset-of-names.

This will renew the certificate only with the names that successfully pass validation, and the failing domains will be permanently removed from the certificate.

The other way to do this is to create a new certificate, but use the same certificate name.

First you would find your certificate name by running:

certbot certificates

and then you’d create a new certificate like so (substituting NAME for the name you found):

certbot --apache --cert-name NAME \
-d domain1 -d domain2 -d domain3 -d domain4
5 Likes
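
The second approach above, as an added example that is not part of the original replies: a shell helper that reads certbot certificates output and prints the certbot --apache --cert-name command with the retired name left out. The sample output is constructed, the *.example names are placeholders for the other domains, and build_reissue_cmd is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: build the replacement `certbot --apache --cert-name` command
# from `certbot certificates` output, leaving out names that were retired.

# Constructed sample of `certbot certificates` output. Only the certificate
# name and this-is-not-wix.com come from the thread; the *.example names
# are placeholders for the other domains.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: webplus.solutions
    Domains: webplus.solutions a.example b.example c.example this-is-not-wix.com
    Expiry Date: 2020-03-01 10:00:00+00:00 (VALID: 20 days)
    Certificate Path: /etc/letsencrypt/live/webplus.solutions/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/webplus.solutions/privkey.pem
EOF
}

# build_reissue_cmd CERT_NAME DROP...
# Reads `certbot certificates` output on stdin and prints the command that
# re-creates CERT_NAME without the DROP names. Returns 1 if the certificate
# is not listed or if no names would remain on it.
build_reissue_cmd() {
    name=$1; shift
    awk -v name="$name" -v drop="$*" '
        BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
        # Remember which certificate block we are in.
        $1 == "Certificate" && $2 == "Name:" { current = $3 }
        # Collect the names of the requested certificate, minus the dropped ones.
        $1 == "Domains:" && current == name {
            found = 1
            for (i = 2; i <= NF; i++)
                if (!($i in skip)) { args = args " -d " $i; kept++ }
        }
        END {
            if (!found || !kept) exit 1
            print "certbot --apache --cert-name " name args
        }'
}

# Demo on the constructed sample; on a real host, pipe in `certbot certificates`.
sample_output | build_reissue_cmd webplus.solutions this-is-not-wix.com
```

The helper only prints the command so the -d list can be reviewed before it is run.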

Hi _az, thanks much for your quick reply, and your suggestion solved my problem. I used the following command:
certbot renew --force-renewal --allow-subset-of-names

Now the 4 certs are renewed.

Thank you!

1 Like
