Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): CentOS 7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The situation is this:
Let's Encrypt did not have wildcard certificates at the time. The home page of my website showed that the CA certificate was for www.example.com. After that certificate was issued by Let's Encrypt, I did not remove the previous CA certificate; I directly renamed the /etc/letsencrypt/live directory and then applied for a wildcard certificate. After the configuration succeeded, the CA certificate on my website's home page was for *.example.com, but when renewing, it always reports an error for the previous CA certificate, and the wildcard certificate cannot be renewed normally!
What I want to ask is: does running certbot-auto delete directly solve this problem completely? If I run certbot-auto revoke, will the two identical domain names cause security issues?
certbot-auto delete will resolve the issue that the previous certificate can’t be renewed (since deleting that certificate will stop it from being renewed on this system).
However, it will not resolve the issue that the wildcard certificate can’t be renewed normally. My guess is that you were using --manual to issue the certificate instead of a DNS API. In this case, you would either use a DNS API or create manual hooks to renew the certificate correctly.
I found a problem. I applied for the certificate with dns-01, using my domain registrar's DNS service. Later, I switched to Cloudflare CDN and changed the domain's resolution to Cloudflare's DNS service; even after copying the previous TXT record to Cloudflare DNS, it still can't renew successfully!
What if I revoke the existing CA certificate on this machine and re-apply for the CA certificate? Does this have any effect?
This is the error message:
[root@Falcon certbot]# ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)
Since you are using the manual plugin with dns-01 and certbot-auto, you must provide a manual hook (script) in order to renew the certificate.
However, if you can use certbot or other third-party scripts, some of them (including certbot) support a Cloudflare DNS endpoint, so you could automate the renewal.
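As an added example (not part of this thread, and not certbot's or Cloudflare's own code), here is one way to supply the hook that both replies above ask for: a hypothetical POSIX shell script used as both --manual-auth-hook and --manual-cleanup-hook, writing the _acme-challenge TXT record through Cloudflare's v4 DNS API so that the record lands in the zone that is actually live (the thread's problem is that the record was created at the registrar and the zone later moved to Cloudflare). It assumes curl and jq are installed and that a Cloudflare API token with DNS edit permission for the zone is exported as CF_API_TOKEN (the variable name is my choice). CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot itself exports to manual hooks.

```shell
#!/bin/sh
# Hypothetical certbot manual hook for Cloudflare DNS (added example, not from the thread).
# Assumptions: curl and jq on PATH; CF_API_TOKEN exported with Zone:DNS:Edit permission.
# Usage: cf-hook.sh auth | cf-hook.sh cleanup  (certbot supplies CERTBOT_DOMAIN/CERTBOT_VALIDATION)
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# TXT record name certbot expects: _acme-challenge.<domain>. certbot passes wildcard
# names without the "*." prefix, but strip one defensively so "*.example.com" also works.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Candidate zone names from most to least specific, stopping before the bare TLD:
# www.example.com -> www.example.com, example.com
zone_candidates() {
    d=$1
    while [ "${d#*.}" != "$d" ]; do
        printf '%s\n' "$d"
        d=${d#*.}
    done
}

# JSON body for the TXT record; a short TTL keeps stale tokens from lingering in caches.
txt_record_json() {
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}\n' "$1" "$2"
}

# cf_api METHOD PATH [JSON_BODY]: authenticated call to the Cloudflare v4 API.
cf_api() {
    if [ $# -ge 3 ]; then
        curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CF_API_TOKEN" \
            -H "Content-Type: application/json" --data "$3"
    else
        curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CF_API_TOKEN"
    fi
}

# Resolve the ID of the active Cloudflare zone that hosts the domain.
find_zone_id() {
    for z in $(zone_candidates "$1"); do
        id=$(cf_api GET "/zones?name=$z&status=active" | jq -r '.result[0].id // empty')
        if [ -n "$id" ]; then printf '%s\n' "$id"; return 0; fi
    done
    echo "no active Cloudflare zone found for $1" >&2
    return 1
}

auth_hook() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    zone=$(find_zone_id "${CERTBOT_DOMAIN#\*.}")
    cf_api POST "/zones/$zone/dns_records" "$(txt_record_json "$name" "$CERTBOT_VALIDATION")" \
        | jq -e '.success' >/dev/null
    # Give Cloudflare's edge a moment to publish before Let's Encrypt queries the record.
    sleep 30
}

cleanup_hook() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    zone=$(find_zone_id "${CERTBOT_DOMAIN#\*.}")
    # Delete only the record carrying this run's token: example.com and *.example.com
    # both use the same record name, so matching on content keeps the sibling intact.
    cf_api GET "/zones/$zone/dns_records?type=TXT&name=$name&content=$CERTBOT_VALIDATION" \
        | jq -r '.result[].id' \
        | while read -r rid; do cf_api DELETE "/zones/$zone/dns_records/$rid" >/dev/null; done
}

# Act as a hook only when certbot invoked us; sourcing the file just defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    case "${1:-auth}" in
        auth)    auth_hook ;;
        cleanup) cleanup_hook ;;
    esac
fi
```

With the script saved as, say, /root/cf-hook.sh (path is an assumption), issue the certificate once with `./certbot-auto certonly --manual --preferred-challenges dns --manual-auth-hook '/root/cf-hook.sh auth' --manual-cleanup-hook '/root/cf-hook.sh cleanup' -d example.com -d '*.example.com'`. certbot records the hook commands in /etc/letsencrypt/renewal/example.com.conf, which is exactly what the non-interactive `renew` run in the error output above is missing. The equivalent without a custom script is the certbot-dns-cloudflare plugin (`--dns-cloudflare --dns-cloudflare-credentials <ini file>`), which the second reply alludes to; either way the API token should be scoped to DNS edit on that one zone and the file holding it kept readable by root only.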