Inconsistent Results with Multiple Domains

I’ve been using Certbot for years on my domains discchord.com and appkaiju.com. Today I’m launching another site on the same webserver and I’m running into a bizarre error.

If I do:
sudo certbot certonly -d discchord.com -d www.discchord.com -d appkaiju.com -d www.appkaiju.com -d gnubesoft.com -d www.gnubesoft.com --dry-run

Everything works as expected:
http-01 challenge for appkaiju.com
http-01 challenge for discchord.com
http-01 challenge for gnubesoft.com
http-01 challenge for www.appkaiju.com
http-01 challenge for www.discchord.com
http-01 challenge for www.gnubesoft.com
Waiting for verification…
Cleaning up challenges

However, as soon as I run it without the --dry-run it will only renew the existing domains. It is inconsistent about that too! The first time I tried it renewed www.discchord.com discchord.com appkaiju.com … the second time it just renewed appkaiju.com. On none of the attempts did it ever make it to gnubesoft.com. I’m selecting (E) for Expand when asked.

What am I doing wrong? I seem to be on a time-limit for how many times I can run this in 7 days and I’ve already burned 2 attempts.

Thank you very much for any help you can provide! I am so grateful to Let’s Encrypt for this service!


My web server is (include version): Nginx (latest)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

What were the exact commands you ran and their complete output?

What does “sudo certbot certificates” show?

Does “sudo certbot renew --dry-run” or “sudo certbot renew” work?

For the “sudo certbot certificates” I got:

Found the following certs:
  Certificate Name: appkaiju.com
    Domains: discchord.com appkaiju.com gnubesoft.com www.appkaiju.com www.discchord.com www.gnubesoft.com
    Expiry Date: 2019-09-30 22:55:40+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/appkaiju.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/appkaiju.com/privkey.pem
  Certificate Name: discchord.com
    Domains: discchord.com
    Expiry Date: 2019-08-25 13:26:50+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/discchord.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/discchord.com/privkey.pem
  Certificate Name: www.appkaiju.com
    Domains: www.appkaiju.com
    Expiry Date: 2019-09-04 09:08:00+00:00 (VALID: 63 days)
    Certificate Path: /etc/letsencrypt/live/www.appkaiju.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.appkaiju.com/privkey.pem
  Certificate Name: www.discchord.com
    Domains: www.discchord.com
    Expiry Date: 2019-09-29 22:38:38+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/www.discchord.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.discchord.com/privkey.pem

When I try to add the new domains with certonly I used this:
sudo certbot certonly -d discchord.com -d www.discchord.com -d appkaiju.com -d www.appkaiju.com -d gnubesoft.com -d www.gnubesoft.com

Here is the result from the first attempt:

tim@Bastet:/var$ sudo certbot certonly -d discchord.com -d www.discchord.com -d appkaiju.com -d www.appkaiju.com -d gnubesoft.com -d www.gnubesoft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/appkaiju.com.conf)

It contains these names: appkaiju.com

You requested these names for the new certificate: discchord.com,
www.discchord.com, appkaiju.com, www.appkaiju.com, gnubesoft.com,
www.gnubesoft.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for discchord.com
http-01 challenge for gnubesoft.com
http-01 challenge for www.gnubesoft.com
Waiting for verification...
Cleaning up challenges

Here is the result from the second attempt:

tim@Bastet:/etc/letsencrypt$ sudo certbot certonly -d discchord.com -d www.discchord.com -d appkaiju.com -d www.appkaiju.com -d gnubesoft.com -d www.gnubesoft.com

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/appkaiju.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/appkaiju.com/privkey.pem

As you see the second attempt only renewed one of the existing domains.

No, it issued a new certificate with all six names, as shown by “sudo certbot certificates”.

(Issuing a new certificate was unnecessary, since you already had one.)

The “Congratulations!” section of the output is just showing that the directory is named “appkaiju.com”, because Certbot by default names the directory after the first name in the list the first time you created the certificate. It doesn’t reflect.

Certbot only showed three challenges the first time – and none the second time – because it’s not necessary to revalidate names you already have recently validated. It doesn’t mean those names aren’t included in the certificate.

Hi @TimWebb

Additionally: if you use one certificate with all domain names, you should delete your other certificates, so you don't renew certificates you don't use.

certbot delete [certificatename]

Oh! Wow, that confused me. Is there a way to set the name Certificate Name to avoid confusion in the future?

You can create one certificate per domain: certificate name www.discchord.com, with domains www.discchord.com + discchord.com. Do that for each domain.

Or you use one certificate with different domain names, then you have only one certificate name. But you shouldn’t mix these two types.

Alright, thanks a lot for all of the help!

BTW, for future reference:

certbot delete [certificatename]

Does not work. I had to do certbot delete, and that brought up a menu for me to select them one by one.

Don’t include the square brackets in the command.

No shit.

I’m not that dumb… :wink:

tim@Bastet:~$ sudo certbot delete discchord.com
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: discchord.com

It’s actually “sudo certbot delete --cert-name discchord.com”.

You can set it when creating a certificate, using the --cert-name option, but Certbot doesn’t have a command to rename one later. You can do it manually, but it’s a little tricky – you have to rename two directories and one file, edit one file, and edit four symlinks.

E.g. “sudo certbot certonly --cert-name bananas -d example.com -d www.example.com”.

Or “sudo certbot certonly --cert-name example.net -d example.com -d www.example.com” if you want to be more confusing.
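The manual rename described above (two directories, one renewal file, four symlinks, plus the paths inside the renewal file) is easy to get wrong on a live system, so here is an added example script that is not part of this thread and not Certbot's own code. It takes the config root as a parameter, so it can be rehearsed in a scratch directory before being pointed at /etc/letsencrypt. The `make_demo_lineage` function builds a constructed stand-in for Certbot's layout (fake PEM contents, a fake account id, version 0.31.0 as on this page); the new lineage name `all-sites` is a hypothetical choice.

```shell
#!/bin/sh
# Rename a Certbot certificate lineage by hand. Example code for this thread,
# not Certbot's own. Layout assumed (this is Certbot's real on-disk layout):
#   ROOT/archive/NAME/{cert,chain,fullchain,privkey}N.pem  real files
#   ROOT/live/NAME/{cert,chain,fullchain,privkey}.pem      symlinks into archive
#   ROOT/renewal/NAME.conf                                 paths + [renewalparams]
set -eu

# Constructed lineage for rehearsal only (fake keys, fake account id).
make_demo_lineage() {
    root=$1; name=$2
    mkdir -p "$root/archive/$name" "$root/live/$name" "$root/renewal"
    for f in cert chain fullchain privkey; do
        printf 'fake %s for %s\n' "$f" "$name" > "$root/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
    done
    cat > "$root/renewal/$name.conf" <<EOF
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = $root/archive/$name
cert = $root/live/$name/cert.pem
privkey = $root/live/$name/privkey.pem
chain = $root/live/$name/chain.pem
fullchain = $root/live/$name/fullchain.pem

[renewalparams]
authenticator = nginx
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# rename_lineage ROOT OLD NEW: refuses to clobber an existing NEW lineage.
rename_lineage() {
    root=$1; old=$2; new=$3
    [ -d "$root/live/$old" ] || { echo "no lineage named $old" >&2; return 1; }
    [ ! -e "$root/live/$new" ] && [ ! -e "$root/archive/$new" ] \
        && [ ! -e "$root/renewal/$new.conf" ] \
        || { echo "a lineage named $new already exists" >&2; return 1; }

    # The two directories and the one renewal file.
    mv "$root/archive/$old" "$root/archive/$new"
    mv "$root/live/$old" "$root/live/$new"
    mv "$root/renewal/$old.conf" "$root/renewal/$new.conf"

    # The four symlinks: re-point each at the renamed archive directory,
    # keeping the version number of the file it currently targets.
    for f in cert chain fullchain privkey; do
        link="$root/live/$new/$f.pem"
        target=$(readlink "$link")
        ln -sfn "../../archive/$new/$(basename "$target")" "$link"
    done

    # The paths inside the renewal file; [renewalparams] is left untouched.
    # (Dots in $old match any character in sed, which is harmless here.)
    sed -i.bak \
        -e "s|/archive/$old\$|/archive/$new|" \
        -e "s|/live/$old/|/live/$new/|" \
        "$root/renewal/$new.conf" && rm -f "$root/renewal/$new.conf.bak"
}

# verify_lineage ROOT NAME: every live symlink resolves and the renewal
# file points at the new name. [ -f ] follows symlinks, so a dangling
# link fails the check.
verify_lineage() {
    root=$1; name=$2
    for f in cert chain fullchain privkey; do
        [ -f "$root/live/$name/$f.pem" ] || return 1
    done
    [ -f "$root/renewal/$name.conf" ] || return 1
    grep -q "live/$name/fullchain.pem" "$root/renewal/$name.conf" || return 1
    grep -q "^archive_dir = .*/archive/$name\$" "$root/renewal/$name.conf" || return 1
}

# Rehearsal in a scratch directory; never touches /etc/letsencrypt.
demo_root=$(mktemp -d)
make_demo_lineage "$demo_root" appkaiju.com
rename_lineage "$demo_root" appkaiju.com all-sites
verify_lineage "$demo_root" all-sites
cat "$demo_root/renewal/all-sites.conf"
rm -rf "$demo_root"
```

Before running the rename against the real /etc/letsencrypt, back the directory up, and remember that nginx's `ssl_certificate` and `ssl_certificate_key` directives reference the old `/etc/letsencrypt/live/<name>/` paths and must be updated and reloaded as well. Afterwards, `sudo certbot certificates` should list the new name and `sudo certbot renew --dry-run` should succeed; a lineage you no longer use is better removed with `sudo certbot delete --cert-name <name>` than renamed.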

Another good command to use is
sudo certbot --help delete
