How to set up certbot correctly

My domain is:
lessingstr.srvdns.de
audiobookshelf.lessingstr.srvdns.de

I ran this command:
certbot renew -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/lessingstr.srvdns.de.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for lessingstr.srvdns.de and audiobookshelf.lessingstr.srvdns.de
Performing the following challenges:
http-01 challenge for audiobookshelf.lessingstr.srvdns.de
http-01 challenge for lessingstr.srvdns.de
Cleaning up challenges
Failed to renew certificate lessingstr.srvdns.de with error: Missing command line flag or config entry for this setting:
Input the webroot for audiobookshelf.lessingstr.srvdns.de:


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/lessingstr.srvdns.de/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx:latest (Docker)

The operating system my web server runs on is (include version):
6.12.47+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.12.47-1+rpt1 (2025-09-16) aarch64

My hosting provider, if applicable, is:
N/A

I can log in to a root shell on my machine (yes or no, or I don't know):
yes, well sudo user

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): [certbot/certbot:latest]


So, the setup is this:
srvdns.de is a dyndns provider.
I have the two domain names so that nginx, as a reverse proxy, can redirect traffic based on the domain name to different Docker containers on the Raspberry Pi. I actually don't care if both domains use the same certificate or different ones, but the current config is for one certificate.

The whole issuance process worked in August. But now the certificate has been out of date for a while and I can't renew it.

The config file looks like this:

renew_before_expiry = 30 days

version = 4.2.0
archive_dir = /etc/letsencrypt/archive/lessingstr.srvdns.de
cert = /etc/letsencrypt/live/lessingstr.srvdns.de/cert.pem
privkey = /etc/letsencrypt/live/lessingstr.srvdns.de/privkey.pem
chain = /etc/letsencrypt/live/lessingstr.srvdns.de/chain.pem
fullchain = /etc/letsencrypt/live/lessingstr.srvdns.de/fullchain.pem

# Options used in the renewal process

[renewalparams]
account =
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[acme_renewal_info]
ari_retry_after = 2025-12-03T11:35:37
[webroot_map]
lessingstr.srvdns.de = /var/www/certbot
audiobookshelf.lessingstr.srvdns.de = /var/www/certbot

I added the last three lines, since the error told me the webroot config for audiobookshelf.lessingstr.srvdns.de was missing. The webroot should be identical, since the nginx config for port 80 is as follows:
server {
    listen 80;
    listen [::]:80;
    server_name lessingstr.srvdns.de audiobookshelf.lessingstr.srvdns.de;
    server_tokens off;
    # The well-known location is passed through, for certbot / letsencrypt
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://lessingstr.srvdns.de$request_uri;
    }
}

Does anyone have any idea what the problem could be?
Thanks.
Best regards
Heinrich

Okay, I ran certbot with the 'certonly' argument and set up the whole thing again. It created a certificate, and after restarting nginx it worked fine.

The new renewal file now looks like this:

renew_before_expiry = 30 days

version = 5.1.0
archive_dir = /etc/letsencrypt/archive/lessingstr.srvdns.de
cert = /etc/letsencrypt/live/lessingstr.srvdns.de/cert.pem
privkey = /etc/letsencrypt/live/lessingstr.srvdns.de/privkey.pem
chain = /etc/letsencrypt/live/lessingstr.srvdns.de/chain.pem
fullchain = /etc/letsencrypt/live/lessingstr.srvdns.de/fullchain.pem

# Options used in the renewal process

[renewalparams]
account =
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
audiobookshelf.lessingstr.srvdns.de = /var/www/certbot
lessingstr.srvdns.de = /var/www/certbot
[acme_renewal_info]
ari_retry_after = 2025-12-03T11:35:37
[[webroot_map]]
lessingstr.srvdns.de = /var/www/certbot
audiobookshelf.lessingstr.srvdns.de = /var/www/certbot

with the [[webroot_map]] section appearing twice. Is this intended?
Will the renewal work in February?

To test the renewal use: sudo certbot renew --dry-run
It will not affect your production certs.

Often with certonly we recommend using --deploy-hook to reload services that use the cert. You can add one using the Certbot reconfigure command. See: sudo certbot --help reconfigure

As for appearing twice ... did you delete that Certbot cert and start over fresh? Because if you just re-ran certonly maybe it fixed your prior incorrect map (with just single brackets surrounding the header) and added one of its own.

Modifying Certbot's renewal conf file by hand is not recommended. Sometimes minor differences can have big effects.

Below is a renewal conf using webroot for a single domain name that I just created with Certbot v5.1:

version = 5.1.0
archive_dir = /etc/letsencrypt/archive/www.example.com
cert = /etc/letsencrypt/live/www.example.com/cert.pem
privkey = /etc/letsencrypt/live/www.example.com/privkey.pem
chain = /etc/letsencrypt/live/www.example.com/chain.pem
fullchain = /etc/letsencrypt/live/www.example.com/fullchain.pem
[renewalparams]
account = (redacted)
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
www.example.com = /var/www/html
2 Likes
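Added example, not part of the thread and not Certbot's own code: a read-only lint for the section layout of a renewal conf, run over constructed samples trimmed from the two files posted above. It assumes the renewal file uses ConfigObj-style nesting (bracket count is depth) and that the webroot map is expected as the `[[webroot_map]]` subsection of `[renewalparams]`, as in the v5.1 file shown; the function names and sample strings are hypothetical.

```python
import re

HEADER = re.compile(r"^(\[+)\s*([^\[\]]+?)\s*(\]+)$")
EXPECTED = ("renewalparams", "webroot_map")  # assumed location of the map

def parse_sections(text):
    """Return [(path, {key: value})] in file order; bracket count = nesting depth."""
    sections, stack, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            depth = len(m.group(1))
            if depth != len(m.group(3)) or depth > len(stack) + 1:
                raise ValueError(f"malformed section header: {line}")
            # A [[sub]] header attaches to the most recent [section] above it.
            stack = stack[:depth - 1] + [m.group(2)]
            current = {}
            sections.append((tuple(stack), current))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint_webroot_map(text, domains):
    """Return findings about where webroot_map sits and which names it covers."""
    findings, mapped = [], {}
    for path, values in parse_sections(text):
        if path == EXPECTED:
            mapped.update(values)
        elif path[-1] == "webroot_map":
            findings.append("misplaced webroot_map at " + "/".join(path))
    findings += [f"no webroot for {d}" for d in domains if d not in mapped]
    return findings

DOMAINS = ["lessingstr.srvdns.de", "audiobookshelf.lessingstr.srvdns.de"]
TAIL = ("lessingstr.srvdns.de = /var/www/certbot\n"
        "audiobookshelf.lessingstr.srvdns.de = /var/www/certbot\n")
# Constructed samples: the thread's two files reduced to their section layout.
HAND_EDITED = "[renewalparams]\nauthenticator = webroot\n[acme_renewal_info]\n[webroot_map]\n" + TAIL
REGENERATED = ("[renewalparams]\nauthenticator = webroot\n[[webroot_map]]\n" + TAIL
               + "[acme_renewal_info]\n[[webroot_map]]\n" + TAIL)

if __name__ == "__main__":
    for name, conf in (("hand-edited", HAND_EDITED), ("regenerated", REGENERATED)):
        print(name, lint_webroot_map(conf, DOMAINS))
```

Under these assumptions the second `[[webroot_map]]` in the regenerated file parses as a subsection of `[acme_renewal_info]`, not as a second copy inside `[renewalparams]`; `certbot renew --dry-run` remains the authoritative check.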