I’ve been using Certbot for years on my domains discchord.com and appkaiju.com. Today I’m launching another site on the same webserver and I’m running into a bizarre error.
However, as soon as I run it without the --dry-run it will only renew the existing domains. It is inconsistent about that too! The first time I tried it renewed www.discchord.com, discchord.com, appkaiju.com … the second time it just renewed appkaiju.com. On none of the attempts did it ever make it to gnubesoft.com. I’m selecting (E) for Expand when asked.
What am I doing wrong? I seem to be on a time-limit for how many times I can run this in 7 days and I’ve already burned 2 attempts.
Thank you very much for any help you can provide! I am so grateful to Let’s Encrypt for this service!
My web server is (include version): Nginx (latest)
The operating system my web server runs on is (include version): Ubuntu 16.04
My hosting provider, if applicable, is: Self
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
When I try to add the new domains with certonly I used this: sudo certbot certonly -d discchord.com -d www.discchord.com -d appkaiju.com -d www.appkaiju.com -d gnubesoft.com -d www.gnubesoft.com
Here is the result from the first attempt:
tim@Bastet:/var$ sudo certbot certonly -d discchord.com -d www.discchord.com -d appkaiju.com -d www.appkaiju.com -d gnubesoft.com -d www.gnubesoft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/appkaiju.com.conf)
It contains these names: appkaiju.com
You requested these names for the new certificate: discchord.com,
www.discchord.com, appkaiju.com, www.appkaiju.com, gnubesoft.com,
www.gnubesoft.com.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for discchord.com
http-01 challenge for gnubesoft.com
http-01 challenge for www.gnubesoft.com
Waiting for verification...
Cleaning up challenges
Here is the result from the second attempt:
tim@Bastet:/etc/letsencrypt$ sudo certbot certonly -d discchord.com -d www.discchord.com -d appkaiju.com -d www.appkaiju.com -d gnubesoft.com -d www.gnubesoft.com
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/appkaiju.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/appkaiju.com/privkey.pem
As you see, the second attempt only renewed one of the existing domains.
No, it issued a new certificate with all six names, as shown by “sudo certbot certificates”.
(Issuing a new certificate was unnecessary, since you already had one.)
The “Congratulations!” section of the output is just showing that the directory is named “appkaiju.com”, because Certbot by default names the directory after the first name in the list the first time you created the certificate. It doesn’t reflect.
Certbot only showed three challenges the first time – and none the second time – because it’s not necessary to revalidate names you already have recently validated. It doesn’t mean those names aren’t included in the certificate.
tim@Bastet:~$ sudo certbot delete discchord.com
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: discchord.com
You can set it when creating a certificate, using the --cert-name option, but Certbot doesn't have a command to rename one later. You can do it manually, but it's a little tricky: you have to rename two directories and one file, edit one file, and edit four symlinks.
E.g. "sudo certbot certonly --cert-name bananas -d example.com -d www.example.com".
Or "sudo certbot certonly --cert-name example.net -d example.com -d www.example.com" if you want to be more confusing.
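The manual rename the reply describes, written out as an added example that is not from the thread or from Certbot itself. It assumes Certbot's standard live/, archive/ and renewal/ layout with relative symlinks in live/, takes the base directory as a parameter so it can be rehearsed on a copy before touching /etc/letsencrypt, and treats `multi-site` as a placeholder lineage name.

```shell
#!/bin/sh
# Added example: rename a Certbot lineage by hand, touching exactly what the
# reply lists: two directories, one file, one edit, four symlinks.
# Assumes live/, archive/ and renewal/ under BASE (normally /etc/letsencrypt)
# and names that are plain hostname-like labels.
set -eu

rename_lineage() {
  base="$1"; old="$2"; new="$3"
  live="$base/live"; arch="$base/archive"; renew="$base/renewal"
  # Refuse to clobber an existing lineage with the target name.
  if [ -e "$live/$new" ] || [ -e "$arch/$new" ] || [ -e "$renew/$new.conf" ]; then
    echo "refusing: lineage '$new' already exists under $base" >&2
    return 1
  fi
  # Two directories.
  mv "$live/$old" "$live/$new"
  mv "$arch/$old" "$arch/$new"
  # One file: the renewal config.
  mv "$renew/$old.conf" "$renew/$new.conf"
  # One edit: rewrite the live/ and archive/ paths inside it.
  esc=$(printf '%s' "$old" | sed 's/[.]/\\./g')   # dots are literal, not regex
  tmp="$renew/$new.conf.tmp"
  sed "s#/live/$esc/#/live/$new/#g; s#/archive/$esc\$#/archive/$new#; s#/archive/$esc/#/archive/$new/#g" \
    "$renew/$new.conf" > "$tmp" && mv "$tmp" "$renew/$new.conf"
  # Four symlinks: keep each one's version number, repoint at the new archive dir.
  for f in cert chain fullchain privkey; do
    link="$live/$new/$f.pem"
    ver=$(basename "$(readlink "$link")")   # e.g. cert3.pem
    ln -sfn "../../archive/$new/$ver" "$link"
  done
}

# Post-rename check: all four links resolve and the config names the new archive.
lineage_ok() {
  base="$1"; name="$2"
  for f in cert chain fullchain privkey; do
    [ -f "$base/live/$name/$f.pem" ] || return 1
  done
  grep -q "/archive/$name" "$base/renewal/$name.conf"
}
```

Run `lineage_ok` and then `certbot renew --dry-run` afterwards; a dangling symlink or a stale path in the .conf is what breaks the next renewal.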