Https:// works but doesn't

My domain is:
I ran this command:
certbot certonly --agree-tos -n -m $email --webroot -w /opt/web/mybase/webapps/ -d
It produced this output:

My web server is (include version):
Jetty 11
The operating system my web server runs on is (include version):
Debian Buster
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.17.0

Hello, works as expected but doesn't work; I get the error SEC_ERROR_REVOKED_CERTIFICATE. I set a redirect rule in my DNS zone but it doesn't help. Do I need to create a certificate supporting both and to make it work? If so, can I use the same web root for and?
certbot certonly --agree-tos -n -m $email --webroot -w /opt/web/mybase/webapps/ -d -w /opt/web/mybase/webapps/ -d


The two sites are being hosted at two different IPs (using two different certs):


uses a web redirection to in the DNS zone, that's why you see I wanted to simplify my deployment by having a single SSL certificate for, am I on the wrong track? Do I need two certificates, i.e. one for the www subdomain and another one for the domain without subdomain?


No, continue.

As long as they are being hosted in separate systems, yes.

The problem is that the "www" site now has a certificate that has been revoked:
SSL Server Test: (Powered by Qualys SSL Labs)


What you did for your was to make it an alias of Gandi's hosting redirect without indicating your domain name in that path. Gandi is your registrar/hosting provider. You cannot create a cert for them. :slight_smile:
Create a new certificate containing both and and use certbot to delete the original cert, or amend your existing cert by adding the www version of your domain. Use as the IP for those.

Last Result: - 2021-07-29 07:38:26


Should I remove the web redirection at least for https in this case?

Is it the right way to create a single SSL certificate including the www version of my domain?
certbot certonly --agree-tos -n -m $email --webroot -w /opt/web/mybase/webapps/ -d -w /opt/web/mybase/webapps/ -d
I'd like to avoid using a wildcard certificate because it seems to be over-complicated for a single subdomain and it would make my script not registrar agnostic (i.e. the DNS plugins for Certbot are specific to the registrars).


It was (probably?) automatically created by the Gandi system, I could only revoke it in its control panel. I'll ask Gandi to delete it.


I've just found this good example in the documentation:
certbot certonly --webroot -w /var/www/example -d -d

It seems to do what I really want, a single web root, a single SSL certificate for the domain alone and the domain with the www subdomain. I'll give it a try as soon as possible.


You would also need to update the DNS records to point only to your new IP.


Do you mean that I have to add an A record for www pointing to my static public IP address?

I plan to remove the CNAME record pointing to and the web redirection as suggested by an employee of Gandi's customer service. I'll manage the redirection and rewriting rules carefully on my own.


I don't know what you have, so I can't say with any certainty.
But I know what I do see - two names returning two different IPs.
HTTP validation will go to the IP resolved.
(without correct redirection) That means you won't be able to validate both IPs from any one single IP.
And I think that is where this fails - the redirection is incompatible with the expected. redirects to
Where is expected.


My zone file looks like this:

@ 86400 IN SOA 1627509973 10800 3600 604800 10800
@ 10800 IN A
@ 10800 IN MX 10
@ 10800 IN MX 50
@ 10800 IN TXT "v=spf1 ?all"
_imap._tcp 10800 IN SRV 0 0 0   .
_imaps._tcp 10800 IN SRV 0 1 993
_pop3._tcp 10800 IN SRV 0 0 0   .
_pop3s._tcp 10800 IN SRV 10 1 995
_submission._tcp 10800 IN SRV 0 1 465
gm1._domainkey 10800 IN CNAME
gm2._domainkey 10800 IN CNAME
gm3._domainkey 10800 IN CNAME
webmail 10800 IN CNAME
www 10800 IN CNAME

I've just removed the line causing a redirection to the parking page (the last one) and I've added an A record for www. Now, I get an error SSL_ERROR_BAD_CERT_DOMAIN. I need to add www into the single SSL certificate.


How can I programmatically get this information? It would help me to indicate to the user of my script that there's a parking page in her/his way.


Using any DNS tool.
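The two points made earlier in the thread (HTTP validation goes to whatever address each name resolves to, so a www CNAME pointing at a registrar redirect host cannot be validated from the server holding the webroot) and the question just above (how a script can detect that situation) can both be handled by reading the zone data before running certbot. The following is an added example, not code from the thread or from certbot: it parses a zone file in the same layout as the one posted above, follows CNAME chains inside the zone, and flags names that leave the zone or land on a different address set. The zone text, the RFC 5737 address and the `registrar.example.` target names are all constructed placeholders.

```python
"""Inspect zone-file records for names that will not validate from one host.

Added example, not part of the original thread or of certbot. HTTP-01
validation follows DNS: every name on the certificate is fetched at the
address it resolves to, so a www CNAME to a registrar redirect host is
validated there, not on the server with the webroot. Zone text below is
constructed; the address is from the RFC 5737 documentation range and the
CNAME targets are placeholders.
"""
from collections import defaultdict

ORIGIN = "example.com."

# Constructed zone in the layout a registrar exports; owner names are
# relative to ORIGIN, '@' is the apex, trailing-dot names are absolute.
ZONE_BEFORE = """\
@ 86400 IN SOA ns1.registrar.example. hostmaster.example.com. 1627509973 10800 3600 604800 10800
@ 10800 IN A 203.0.113.10
@ 10800 IN MX 10 mail.registrar.example.
www 10800 IN CNAME webredir.registrar.example.
webmail 10800 IN CNAME webmail.registrar.example.
"""

# Same zone after replacing the www CNAME with an A record for our own host.
ZONE_AFTER = ZONE_BEFORE.replace(
    "www 10800 IN CNAME webredir.registrar.example.",
    "www 10800 IN A 203.0.113.10",
)


def fqdn(label, origin):
    """Expand a zone-file owner or target into a fully qualified name."""
    if label == "@":
        return origin
    if label.endswith("."):
        return label
    return f"{label}.{origin}"


def parse_zone(text, origin):
    """Return {fqdn: [(rtype, rdata), ...]} keeping only A and CNAME records."""
    records = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        # Expected shape: owner ttl class type rdata...
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "A":
            records[fqdn(owner, origin)].append(("A", rdata[0]))
        elif rtype == "CNAME":
            records[fqdn(owner, origin)].append(("CNAME", fqdn(rdata[0], origin)))
    return records


def resolve(records, name, origin, max_hops=8):
    """Follow CNAMEs inside the zone and classify where a name ends up.

    ("A", {addresses})   chain ends on in-zone A records
    ("EXTERNAL", target) chain leaves the zone: a host we do not control,
                         such as a registrar parking/redirect service
    ("NXDOMAIN", name)   in-zone name with no records
    ("LOOP", name)       CNAME chain longer than max_hops
    """
    for _ in range(max_hops):
        rrset = records.get(name)
        if not rrset:
            in_zone = name == origin or name.endswith("." + origin)
            return ("NXDOMAIN", name) if in_zone else ("EXTERNAL", name)
        addrs = {rdata for rtype, rdata in rrset if rtype == "A"}
        if addrs:
            return ("A", addrs)
        name = [rdata for rtype, rdata in rrset if rtype == "CNAME"][0]
    return ("LOOP", name)


def validation_report(records, origin, names):
    """Per-name resolution plus whether all names land on one address set."""
    results = {n: resolve(records, n, origin) for n in names}
    addr_sets = [r[1] for r in results.values() if r[0] == "A"]
    same_host = len(addr_sets) == len(names) and all(s == addr_sets[0] for s in addr_sets)
    return {"names": results, "same_host": same_host}


if __name__ == "__main__":
    wanted = [ORIGIN, "www." + ORIGIN]
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, validation_report(parse_zone(zone, ORIGIN), ORIGIN, wanted))
```

Run against the "before" zone the report marks `www` as EXTERNAL and `same_host` as false, which is exactly the state in which a single webroot cannot satisfy both names; after the CNAME is replaced by an A record both names resolve to the same address and a combined certificate is feasible. A script could run this check on a zone export, or on the answers from a DNS lookup tool, before invoking certbot.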


I succeeded in revoking the certificate. Then I tried to ask for a new one including www; it failed the very first time because I forgot to modify the virtual host for www. I retried asking for a new certificate but it failed again with the error message "live directory exists for". I deleted /etc/letsencrypt/live/ and that let me get a new certificate, but now the files are stored in subdirectories named "" instead of "", which breaks my script. How can I get back to the previous behaviour without reinstalling everything from scratch?

This is my change in my script, which works as expected:

This is the whole script:

I'd prefer to avoid having to "guess" the subdirectory names. There are some options to force which subdirectories to use, but might they break certbot in my case? I expected it would use instead of


Why revoke?
Revoking wastes LE resources and should only be used when there has been a compromised private key.
You should probably have used: certbot delete

Please don't delete files or folders within the /etc/letsencrypt/ path.
There are plenty of commands to instruct certbot to do whatever you need.

Again, you should NOT have tried to "fix" this manually.

You would need to certbot delete any certificates that you don't need.
Then recreate a new cert with both domain names on it and pass it the --cert-name to put the new cert in the path you need.


Yes, I deleted it manually, I made a mistake. When I revoked the certificate with certbot revoke, it asked me whether I wanted to delete it too, I answered yes, but when I asked for a new certificate, I got the error message about "live".

Ok, I'm going to use certbot delete right now and then I'll force the certificate name. Thank you so much for your valuable help.


Before getting the new cert.
And after deleting those you don't need.
Check the output of:
certbot certificates

and make sure the cert-name you want to use isn't still being used.
If so, then you should also delete that one too.
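The advice in the last two replies amounts to a small decision procedure: list the lineages certbot knows about, check whether the `--cert-name` you intend to pass is already taken, and only then issue a certificate carrying both names. The block below is an added example, not code from the thread or from certbot; it parses the text `certbot certificates` prints (the sample output is constructed in that layout, with made-up paths, serials and dates) and returns what the script should do next. The `plan` function and its return values are this example's own design.

```python
"""Decide what to do before `certbot certonly --cert-name NAME`.

Added example, not part of the original thread or of certbot itself. It
parses the human-readable output of `certbot certificates` and answers the
two questions raised in the thread: is the cert-name I want already used by
a lineage, and does some lineage already cover every name I need?
"""
import re
import subprocess
import sys

# Constructed sample in the layout certbot prints; paths, serials and dates
# are made up for the example.
SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com-0001
    Serial Number: 3f0a0000000000000000000000000000000
    Domains: example.com www.example.com
    Expiry Date: 2021-10-27 07:38:26+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com-0001/privkey.pem
  Certificate Name: example.com
    Serial Number: 9b1c0000000000000000000000000000000
    Domains: example.com
    Expiry Date: 2021-10-01 12:00:00+00:00 (VALID: 63 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"""

# Only the fields we need; "Private Key Path" and "Serial Number" are ignored.
FIELD = re.compile(r"^\s*(Certificate Name|Domains|Expiry Date|Certificate Path):\s*(.*)$")


def parse_certificates(text):
    """Return a list of lineages as dicts: name, domains, expiry, path."""
    lineages = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Certificate Name":
            lineages.append({"name": value, "domains": [], "expiry": None, "path": None})
        elif not lineages:
            continue  # a field before any "Certificate Name" header; ignore it
        elif key == "Domains":
            lineages[-1]["domains"] = value.split()
        elif key == "Expiry Date":
            lineages[-1]["expiry"] = value
        elif key == "Certificate Path":
            lineages[-1]["path"] = value
    return lineages


def plan(lineages, cert_name, wanted_domains):
    """Return the next step for a script that wants `cert_name` to cover `wanted_domains`.

    ("reuse", lineage)      a lineage already covers every wanted name; use its path
    ("collision", lineage)  cert_name exists but covers other names; run
                            `certbot delete --cert-name cert_name` first
    ("issue", None)         safe to run certonly with --cert-name cert_name
    """
    wanted = {d.lower().rstrip(".") for d in wanted_domains}
    for lin in lineages:
        if wanted <= {d.lower() for d in lin["domains"]}:
            return ("reuse", lin)
    for lin in lineages:
        if lin["name"] == cert_name:
            return ("collision", lin)
    return ("issue", None)


def live_output():
    """Run the installed certbot and return what it printed (needs root)."""
    proc = subprocess.run(["certbot", "certificates"], capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Pass --live to inspect the real installation instead of the sample.
    text = live_output() if "--live" in sys.argv else SAMPLE_OUTPUT
    lineages = parse_certificates(text)
    for lin in lineages:
        print(f"{lin['name']}: {' '.join(lin['domains'])} -> {lin['path']}")
    print(plan(lineages, "example.com", ["example.com", "www.example.com"]))
```

With the sample output the lineage `example.com-0001` already covers both names, so the answer is to reuse its path rather than issue again; asking for a name set no lineage covers while `example.com` still exists yields a collision, which is the case where the replies above say to `certbot delete` first so that `--cert-name` lands in the directory the script expects.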


Yes, I asked certbot to delete the old certificate named "" too, it deleted both "" and "" despite displaying the error message "An unexpected error occurred:
TypeError: remove: path should be string, bytes or os.PathLike, not NoneType"

It works like a charm now, thank you.

To sum up a bit: I had to get rid of the web redirection because I obviously can't generate a certificate for my registrar. I had to get rid of my registrar's parking page without using its web redirection, by removing its CNAME record in my DNS zone file. I had to add my own A record for the subdomain named "www" to replace its parking page. I had to delete my certificate covering only my domain name but not including "www". Finally, I had to modify my virtual host for "www" and I asked for a new certificate including my domain name with and without www.

By the way, your suggestions were extremely helpful and made my script more robust :slight_smile: Thanks again. Let's Encrypt rocks.


If you don't mind, I'd like to do you the favor of making sure there are no boggarts in your configuration:

What are the outputs of:

sudo ls -lRa /etc/letsencrypt
sudo certbot certificates

Please put 3 backticks above and below each output, like this: