Invalid certificate after renew



I’m having problems renewing my certificate. I had some problem and tried the --staging flag, but now it seems that I cannot get back to a valid certificate. Maybe someone of you has an idea that would help me.
In short:
certbot certificates: shows a certificate expiring next year, but (INVALID: TEST_CERT)
certbot renew --dry-run: Congratulations, all renewals succeeded. (The test certificates above have not been saved.)
certbot renew: not due for renewal

My domain is:

I ran this command: certbot renew (in different variants)

It produced this output: Success or “Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: You’ve asked to renew/replace a seemingly valid certificate with a test certificate (domains: We will not do that unless you use the --break-my-certs flag!. Skipping.”

My web server is (include version): nginx

I can login to a root shell on my machine (yes or no, or I don’t know): yes

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Expiry Date: 2019-02-13 17:30:21+00:00 (INVALID: TEST_CERT)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/


Ah, I think I still have the staging environent in the renewal conf… imagine a head hitting a wall here


Hi @ftastisch

there is a Fake LE - certificate installed. So you have already installed the wrong certificate.

And you have an “Internal Server Error” = 500.

You should fix that first.


Please show:


How did you find the internal server error?
Before the old certificate ran out yesterday everything (seemed) to be fine.


Yes, I just noticed it:
server =

I’m having problems finding the correct server though, you would not have link?




My Browser accepts the Fake LE certificate as valide and trusted :wink:

And checked with my own online-tool 301 3.313 A 301 1.670 E 500 0.804 S
Internal Server Error 500 0.673 S
Internal Server Error

that ignores certificate errors and shows the 500.


Now I see the Letsencrypt - certificate.

Created today.

And the Internal server error.


Yes, I managed to renew the certificate. In a backup I found that before the --staging test there was no server in the renewal file. That did the trick.

Now I’ll have to find what I broke while trying to renew the certificate.


Ok, now it’s running again as before. Your tool still shows an error, I’ll try to figure that out.

Thank you for your help!


Yep, if you have a dns entry www.yourdomain, you should create one certificate with two names (non-www and www) and use this.


So basically I could avoid this by either removing the dns entry or removing the certificate and then run someting like:
certbot certonly --webroot -w /var/www/letsencrypt -d -d --rsa-key-size 4096

Or did I miss something?


Or I could simply use --expand, am I right? :wink:


--expand just prevents you from being prompted; you still have to specify all of the names that you want the new certificate to cover.


Ok, that did not work yet as it seems… I’ll keep on reading how to fix it.


Yes, these are the two options.

If you have a www dns entry, a user can use this domain name. So http and https should answer - without a certificate error.

It’s interesting to see that there are big german journals, www works - and non-www has a timeout.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.