I have problems with my cert

Hi all, my website is shanishemer.com but I can’t access www.shanishemer.com.
Amazon support says: "The cert on your origin isn’t valid for www.shanishemer.com only shanishemer.com"
and “get a new one and re-upload it to your instance”. How can I do it?

I use AWS EC2 with Linux.

Hi @DuongTuGiang

You seem to be using certificates from 3 different providers.

You have not renewed your Let’s Encrypt one.

Andrei

1 Like

Yup, it’s not a www mismatch at all.

The certificate that protects the connection between CloudFront and the www subdomain has expired.

Perhaps you do not have a renewal cronjob, or perhaps the renewal failed because you switched to CloudFront, which would break the tls-sni-01 verification method.

Log into your server with a shell and run sudo certbot renew. If that renews your certificates without error you just need to add a daily cronjob to stop it from happening again.

[Edited to remove an incorrect alternate command.]

Hi Patches and ahaw021, thank you for the feedback.

I tried running sudo certbot renew
but it shows sudo: certbot: command not found

You might have downloaded a file called certbot-auto somewhere that you would have to execute like:

sudo ./certbot-auto renew

You might not have used certbot at all. You could have used one of the many other ACME clients.

Hi Patches, thank you for your response.

I still see sudo: certbot: command not found
Can you give me advice?

In order to renew the certificate using the software that you used before, you’ll need to know what that software is and how you ran it.

You might try locate certbot to see if there is a copy of Certbot anywhere on your server. But do you know whether or not you used Certbot?

Hi, sorry, I don't know if I used Certbot.
I tried locate certbot but it still shows -bash: locate: command not found

So I’d like to ask again if you have any recollection of how you have this certificate and what you did in order to get the certificate. Did you follow some kind of tutorial to get your certificate?

For searching for Certbot, you could also try

sudo find / -name "*certbot*"

Hi schoen, thank you very much.
The old developer installed it,
but I have stopped working with him now.
I tried sudo find / -name "*certbot*" and it shows:

It looks like you have it in /opt/letsencrypt, so you could try sudo /opt/letsencrypt/certbot-auto renew.

Another thing I didn’t think of is history | get certbot to see what Certbot command may have been run in your shell before.

Hi @schoen, thank you again.
I ran sudo /opt/letsencrypt/certbot-auto renew and it shows:

https://www.shanishemer.com/ still not working

and history | get certbot is not working

This is the feedback from Amazon.

What they say is that the SSL certificate I installed is not good and I need to install a different one:
As discussed, your origin configured with cloud-front does not have SSL certificate for www.shanishemer.com. It has certificate for shanishemer.com from Let's encrypt. Please go ahead and request another one from for www.shanishemer.com as well.

Once certificate for www.shanishemer.com has been installed, we can debug other issues later on.

@Patches, this is a different diagnosis from what you said before—what do you think?

1 Like

I am sorry for my typo; I mean grep certbot instead of get certbot.

1 Like

You had a certificate issued for www in the past, but looking more closely at the CT logs I see it wasn’t renewed in March when the apex domain was renewed. So it appears that you moved servers back in March and this wasn’t set back up correctly, and that’s when your problems started.

Unfortunately the CT logs haven’t caught up yet so I can’t confirm the domain set in the certificate that apparently was recently renewed, and I can’t directly check your server because CloudFront is in the middle.

You most likely just need to expand your current certificate to include the www form of your website to fix your problem. The following command will generate the new certificate you need:

sudo /opt/letsencrypt/certbot-auto run --cert-name shanishemer.com --expand -d www.shanishemer.com

Depending on how your certificate was initially issued, you may also need to run sudo service apache2 reload afterward for Apache to start serving the new certificate, but certbot will most likely do this for you.

1 Like

@Patches, also, this command will not work with a CDN if the original certificate was obtained using --apache or something, because it will try to use TLS-SNI-01, which can’t work behind a CDN.

@DuongTuGiang, you should also show us the output of cat /etc/letsencrypt/renewal/shanishemer.com.conf so that we can see how the certificate was originally obtained.

2 Likes

Yeah. :frowning: I thought they’d already managed to renew once but they’re just not due yet.

Hi @Patches and @schoen, thank you for your time.
Yes, I just moved hosting to Amazon about 2 months ago.

I tried history | grep certbot and it only shows:

For sudo /opt/letsencrypt/certbot-auto run --cert-name shanishemer.com --expand -d www.shanishemer.com:

and I tried cat /etc/letsencrypt/renewal/shanishemer.com.conf:

@schoen was partially correct. Your first certificate was issued in a manner compatible with CloudFront. I just told you the wrong way to reissue it. :flushed:

The command you want is:

sudo /opt/letsencrypt/certbot-auto run --cert-name shanishemer.com --expand --webroot -w /var/www/html -d www.shanishemer.com

1 Like
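An added check written for this thread, not posted by any of its participants: shell functions that tell you whether a certificate file covers a hostname (the www-only-apex mismatch Amazon described) and whether it is about to lapse (the expired renewal Patches spotted), so the two diagnoses can be separated on the server itself. It assumes openssl 1.1.1 or newer; the certbot path /etc/letsencrypt/live/shanishemer.com/cert.pem is the standard layout and is the file you would pass in, and make_test_cert produces constructed test data only.

```shell
# Return 0 if the certificate in $1 is valid for hostname $2 (CN or SAN), else 1.
cert_covers_host() {
    # -checkhost exits 0 whether or not the name matches, so grep its report.
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# Return 0 if the certificate in $1 remains valid for at least $2 more days, else 1.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print each DNS name in the certificate's Subject Alternative Name extension.
cert_san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^, ]*\).*/\1/p'
}

# Check a certificate against every hostname the site must answer for.
# Prints one OK/MISSING line per host and returns 1 if any name is missing or
# the certificate expires within 30 days (the window in which certbot renews).
check_site_cert() {
    cert=$1; shift
    rc=0
    for h in "$@"; do
        if cert_covers_host "$cert" "$h"; then echo "OK      $h"
        else echo "MISSING $h"; rc=1; fi
    done
    cert_valid_for_days "$cert" 30 || { echo "EXPIRING within 30 days"; rc=1; }
    return $rc
}

# Constructed test data: a throwaway self-signed certificate written to $1 that
# covers only the comma-separated names in $2, standing in for the real
# /etc/letsencrypt/live/<domain>/cert.pem so the checks can run offline.
make_test_cert() {
    san=$(printf '%s' "$2" | sed 's/^/DNS:/; s/,/,DNS:/g')
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "${1%.pem}.key" -out "$1" \
        -subj "/CN=${2%%,*}" -addext "subjectAltName=$san" >/dev/null 2>&1
}

# Stand-alone demo reproducing the thread's situation: a cert for the apex only.
# On the real server: check_site_cert /etc/letsencrypt/live/shanishemer.com/cert.pem shanishemer.com www.shanishemer.com
demo=$(mktemp -d)
make_test_cert "$demo/cert.pem" "shanishemer.com"
check_site_cert "$demo/cert.pem" shanishemer.com www.shanishemer.com || true
rm -rf "$demo"
```

The demo prints OK for shanishemer.com and MISSING for www.shanishemer.com, which is exactly what the --expand run is meant to fix.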