I need a new certificate for a domain with a new host, how do I generate a new certificate for a domain instead of renewing the certificate with an old host?


I am using the command:

sudo certbot certonly --manual

Which gives me the option:

What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Keep the existing certificate for now

2: Renew & replace the cert (limit ~5 per 7 days)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate

Unfortunately this certificate will not work. I need to create a completely new certificate with a new hosting provider. How do I start from scratch?

Hi @Giansonn,

Have you followed the instructions available at https://certbot.eff.org/instructions for your webserver and OS? Are you attempting to generate the certificate for the new host on the new host itself?


Yes I have. I ran

sudo certbot delete

That deleted all files related to the domain. However when I tried to get a new certificate the old certificate was renewed again and that has the wrong domain addresses since it was registered with a different host.

Also I am using letsencrypt in manual mode so the webserver and OS don't really matter. I am just doing the acme-challenge…

Hi @Giansonn

Looks like you are doing something wrong. Using the wrong machine or a configuration with a missing configuration.

Please answer the following questions:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


It seems like in this case the certbot delete probably deleted only one of several duplicative certificates, and so another one is still present. A good way to check this is to run certbot certificates.

If my guess is right, certbot delete should be run one or more additional times to remove other unwanted certificates.

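A way to see which certificate lineages are still on disk, including duplicates, as an added example that is not part of the original thread. The function names and the sample tree are hypothetical; the `renewal/`, `live/` and `archive/` layout is certbot's own.

```shell
#!/bin/sh
# Added example: list certificate lineages left in a certbot config directory.
# certbot keeps each lineage <name> in renewal/<name>.conf, live/<name>/ and
# archive/<name>/; the union of the three also catches half-removed lineages.

list_lineages() {            # $1 = config dir (default install: /etc/letsencrypt)
    cfg=$1
    {
        for f in "$cfg"/renewal/*.conf; do
            if [ -f "$f" ]; then basename "$f" .conf; fi
        done
        # The trailing slash matches directories only, so live/README is skipped.
        for d in "$cfg"/live/*/ "$cfg"/archive/*/; do
            if [ -d "$d" ]; then basename "$d"; fi
        done
    } | sort -u
}

count_lineages() {           # number of distinct lineage names found
    list_lineages "$1" | wc -l | tr -d '[:space:]'
}

make_sample_tree() {         # constructed sample: original plus one duplicate
    t=$(mktemp -d)
    mkdir -p "$t/renewal" "$t/keys" "$t/csr" "$t/live" "$t/archive"
    : > "$t/live/README"
    : > "$t/keys/0000_key-certbot.pem"
    for n in example.com example.com-0001; do
        mkdir -p "$t/live/$n" "$t/archive/$n"
        : > "$t/renewal/$n.conf"
    done
    echo "$t"
}

delete_lineage() {           # stand-in for one `certbot delete` of lineage $2
    rm -rf "$1/live/$2" "$1/archive/$2" "$1/renewal/$2.conf"
}

tree=$(make_sample_tree)
delete_lineage "$tree" example.com
echo "left after one delete: $(list_lineages "$tree")"
rm -rf "$tree"
```

Against a real installation, run `list_lineages /etc/letsencrypt` as root, since `live/` and `archive/` are not readable by ordinary users.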

Unfortunately too many certificates have been issued so I will have to try this again in a week's time. I will let you know what happens then but I now know that there are no certificates on file since I checked using the certbot certificates command. I used the certbot delete last time however I cannot be sure if I really deleted everything since I did not check…

Could you show us the current output of this command?

ls -lR /etc/letsencrypt

total 16
-rw-r--r-- 1 root wheel 64 6 Aug 16:48 .updated-options-ssl-apache-conf-digest.txt
drwxr-xr-x 3 root wheel 96 28 Jun 22:45 accounts
drwx------ 2 root wheel 64 6 Aug 18:00 archive
drwxr-xr-x 15 root wheel 480 6 Aug 18:00 csr
drwx------ 15 root wheel 480 6 Aug 18:00 keys
drwx------ 3 root wheel 96 6 Aug 18:00 live
-rw-r--r-- 1 root wheel 1619 6 Aug 16:48 options-ssl-apache.conf
drwxr-xr-x 2 root wheel 64 6 Aug 18:00 renewal
drwxr-xr-x 5 root wheel 160 28 Jun 22:45 renewal-hooks

/etc/letsencrypt/accounts:
total 0
drwxr-xr-x 3 root wheel 96 28 Jun 22:45 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 0
drwx------ 3 root wheel 96 28 Jun 22:45 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 0
drwx------ 5 root wheel 160 28 Jun 22:45 8c181efa2e9771ceef000f3cd8d41355

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/8c181efa2e9771ceef000f3cd8d41355:
total 24
-rw-r--r-- 1 root wheel 88 28 Jun 22:45 meta.json
-r-------- 1 root wheel 1632 28 Jun 22:45 private_key.json
-rw-r--r-- 1 root wheel 78 28 Jun 22:45 regr.json

/etc/letsencrypt/archive:

/etc/letsencrypt/csr:
total 104
-rw-r--r-- 1 root wheel 956 28 Jun 22:46 0000_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 28 Jun 23:35 0001_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 15 Jul 22:45 0002_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 15 Jul 23:01 0003_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 16 Jul 09:51 0004_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 16 Jul 09:55 0005_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 6 Aug 15:30 0006_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 6 Aug 16:12 0007_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 6 Aug 16:42 0008_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 6 Aug 16:45 0009_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 6 Aug 16:48 0010_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 6 Aug 16:49 0011_csr-certbot.pem
-rw-r--r-- 1 root wheel 956 6 Aug 18:00 0012_csr-certbot.pem

/etc/letsencrypt/keys:
total 104
-rw------- 1 root wheel 1708 28 Jun 22:46 0000_key-certbot.pem
-rw------- 1 root wheel 1704 28 Jun 23:35 0001_key-certbot.pem
-rw------- 1 root wheel 1704 15 Jul 22:45 0002_key-certbot.pem
-rw------- 1 root wheel 1704 15 Jul 23:01 0003_key-certbot.pem
-rw------- 1 root wheel 1708 16 Jul 09:51 0004_key-certbot.pem
-rw------- 1 root wheel 1704 16 Jul 09:55 0005_key-certbot.pem
-rw------- 1 root wheel 1704 6 Aug 15:30 0006_key-certbot.pem
-rw------- 1 root wheel 1704 6 Aug 16:12 0007_key-certbot.pem
-rw------- 1 root wheel 1704 6 Aug 16:42 0008_key-certbot.pem
-rw------- 1 root wheel 1704 6 Aug 16:45 0009_key-certbot.pem
-rw------- 1 root wheel 1704 6 Aug 16:48 0010_key-certbot.pem
-rw------- 1 root wheel 1704 6 Aug 16:49 0011_key-certbot.pem
-rw------- 1 root wheel 1704 6 Aug 18:00 0012_key-certbot.pem

/etc/letsencrypt/live:
total 8
-rw-r--r-- 1 root wheel 740 16 Jul 10:41 README

/etc/letsencrypt/renewal:

/etc/letsencrypt/renewal-hooks:
total 0
drwxr-xr-x 2 root wheel 64 28 Jun 22:45 deploy
drwxr-xr-x 2 root wheel 64 28 Jun 22:45 post
drwxr-xr-x 2 root wheel 64 28 Jun 22:45 pre

/etc/letsencrypt/renewal-hooks/deploy:

/etc/letsencrypt/renewal-hooks/post:

/etc/letsencrypt/renewal-hooks/pre:

This is what comes up. Does this look like everything is deleted? I have not run the certbot revoke command this time but I did before and the certificate still renewed automatically.

It does look like everything was deleted successfully. If you run certbot certonly and end up with the “Renewing an existing certificate…” message in this environment (regardless of whether that then produces a rate limit error), I would love to see the associated log from /var/log/letsencrypt!

Could you post the contents of the most recent file in /var/log/letsencrypt?

I have tried open /var/log/letsencrypt but the folder is empty. Can you please proffer me with some terminal code? Sorry to be so useless

There are no hidden files in there when I press cmd + shift + .

Are you running these commands on a local or a remote server?

From my computer at home. I did not think that with --manual you needed to be connected to a server since you use the ‘acme-challenge’ to certify that you have control of the website without having shell access. I do not have shell access so I used --manual

@bmw @joohoi, do you have any ideas how this could be happening?

Is the problem here right now just that we can't find any logfiles? What are we hoping to see there? My reading of this thread is we're still waiting for rate limits to expire now that the other certificates in /etc/letsencrypt have been deleted.

If we do want a logfile though, I suspect @Giansonn's normal user doesn't have permissions to see /var/log/letsencrypt so when they run open /var/log/letsencrypt, their file manager doesn't show any contents of the directory.

You can get a list of files by running sudo ls /var/log/letsencrypt/ and print one of the files to the terminal by running a command like sudo cat /var/log/letsencrypt/letsencrypt.log.
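To pick the log of the most recent run out of the rotated files, this added example (not code from the thread) orders them by the timestamp on their first line. certbot rotates so that `letsencrypt.log` is the newest and higher suffixes are older; the function names are hypothetical and every sample line except the one quoted from this thread is constructed.

```shell
#!/bin/sh
# Added example: order certbot logs by the time each run started.
# Log lines look like "YYYY-MM-DD HH:MM:SS,mmm:LEVEL:module:message".

first_timestamp() {          # first 19 characters of line 1; empty for an empty file
    head -n 1 "$1" | cut -c 1-19
}

logs_newest_first() {        # $1 = log dir; prints "timestamp<TAB>path", newest first
    for f in "$1"/letsencrypt.log*; do
        if [ -s "$f" ]; then                  # skip empty rotations
            printf '%s\t%s\n' "$(first_timestamp "$f")" "$f"
        fi
    done | sort -r
}

newest_log() {               # path of the most recent non-empty log
    logs_newest_first "$1" | head -n 1 | cut -f 2
}

make_sample_logs() {         # constructed sample directory
    d=$(mktemp -d)
    echo "2019-08-06 18:00:02,101:DEBUG:certbot.main:certbot version: 0.35.1" \
        > "$d/letsencrypt.log"                # constructed line
    echo "2019-08-06 16:49:40,220:DEBUG:certbot.main:certbot version: 0.35.1" \
        > "$d/letsencrypt.log.1"              # constructed line
    echo "2019-06-28 22:45:10,434:DEBUG:certbot.main:certbot version: 0.35.1" \
        > "$d/letsencrypt.log.23"             # line quoted in this thread
    : > "$d/letsencrypt.log.24"               # empty file
    echo "$d"
}

logs=$(make_sample_logs)
echo "most recent run: $(newest_log "$logs")"
logs_newest_first "$logs"
rm -rf "$logs"
```

On a real machine the directory is root-only, so call `newest_log /var/log/letsencrypt` from a root shell or wrap the script in `sudo sh`.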

Not sure why I wouldn't have permission, I am not saving anything to my webserver since I do not have shell access so everything is on my computer... I would have thought. Anyway sudo ls /var/log/letsencrypt/ brings up the list of logs however sudo ls /var/log/letsencrypt.log.24/ doesn't show me anything. If I try sudo open /var/log/letsencrypt.log.24 I am told I do not have anything that can open the file. (letsencrypt.log.24 appears to be the latest log that I have)

I think the log file is completely empty however. See terminal output:

User's-iMac:~ User$ ls /var/log/letsencrypt/

ls: : Permission denied

User's-iMac:~ User$ sudo ls /var/log/letsencrypt/

Password:

letsencrypt.log letsencrypt.log.17 letsencrypt.log.3

letsencrypt.log.1 letsencrypt.log.18 letsencrypt.log.4

letsencrypt.log.10 letsencrypt.log.19 letsencrypt.log.5

letsencrypt.log.11 letsencrypt.log.2 letsencrypt.log.6

letsencrypt.log.12 letsencrypt.log.20 letsencrypt.log.7

letsencrypt.log.13 letsencrypt.log.21 letsencrypt.log.8

letsencrypt.log.14 letsencrypt.log.22 letsencrypt.log.9

letsencrypt.log.15 letsencrypt.log.23

letsencrypt.log.16 letsencrypt.log.24

User's-iMac:~ User$ sudo cat /var/log/letsencrypt/letsencrypt.log.24

User's-iMac:~ User$ sudo open /var/log/letsencrypt/letsencrypt.log.24

No application knows how to open /var/log/letsencrypt/letsencrypt.log.24.

User's-iMac:~ User$ cat /var/log/letsencrypt/letsencrypt.log.24

cat: /var/log/letsencrypt/letsencrypt.log.24: Permission denied

User's-iMac:~ User$ sudo cat /var/log/letsencrypt/letsencrypt.log.24

User's-iMac:~ User$

Here is the output of the second oldest log file:

User's-iMac:~ User$ sudo cat /var/log/letsencrypt/letsencrypt.log.23

2019-06-28 22:45:10,434:DEBUG:certbot.main:certbot version: 0.35.1

2019-06-28 22:45:10,435:DEBUG:certbot.main:Arguments: []

2019-06-28 22:45:10,435:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)

2019-06-28 22:45:10,478:DEBUG:certbot.log:Root logging level set at 20

2019-06-28 22:45:10,480:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

Unfortunately I cannot post the log before that since it appears to show everything I completed in the acme-challenge. Not a huge risk but not really necessary. I will try next week and see if I am still renewing the same certificate.