Hi guys, hope everyone is doing fine. I have successfully installed my certificates with your kind help 2 years ago, but the auto renewal failed 2 days ago. The only change I have made recently was to cancel one of my 3 domains, ''escapingthematrix.online'', so I suspect this might be my issue. Now I only have 2 domains left: ''sortirdelamatrice.online'' and ''naos-soultrap.online''.
So do I just have to delete the nginx server block in the sites-available directory for ''escapingthematrix.online'' and afterwards issue the command: sudo certbot renew --nginx?
Here is my dry run result:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sortirdelamatrice.online.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sortirdelamatrice.online
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/sortirdelamatrice.online/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
/etc/letsencrypt/live/escapingthematrix.online/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
The following certs were successfully renewed:
/etc/letsencrypt/live/naos-soultrap.online-0001/fullchain.pem (success)
/etc/letsencrypt/live/naos-soultrap.online/fullchain.pem (success)
/etc/letsencrypt/live/sortirdelamatrice.online/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/escapingthematrix.online/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: escapingthematrix.online
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
escapingthematrix.online - check that a DNS record exists for this
domain; DNS problem: NXDOMAIN looking up AAAA for
escapingthematrix.online - check that a DNS record exists for this
domain
Domain: www.escapingthematrix.online
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
www.escapingthematrix.online - check that a DNS record exists for
this domain; DNS problem: NXDOMAIN looking up AAAA for
www.escapingthematrix.online - check that a DNS record exists for
this domain
Well, you have actually 4 domain names you want certs for. The above 2 and their www subdomains.
It is important to remove the nginx server blocks for the obsolete domain. But, the needed Certbot command is different than that. The Certbot renew just acts on the cert profiles from your existing certs. A different command is needed to reset the old profile.
And, from the public cert history I can tell you have several different cert profiles.
We should update the cert profile you currently use and delete the other ones you don't use, including one that was issued today.
So, let's start by you showing us the output of this
I forgot to mention that I have tried and succeeded in doing a force renew command on both ''sortirdelamatrice.online'' and ''naos-soultrap.online'', but both websites are still unsecured, as you can see here: https://www.sortirdelamatrice.online/
Do I have to remove both certificates before issuing a new one?
No, that isn't the right command for your situation.
Your nginx server is using the cert profile with the name escapingthematrix.online
So, try this test and report what happens. Do not proceed beyond this yet please. Yes, I realize this profile name is for the domain you no longer use. That is not important at this stage.
It was successful again, Mike, but is there a propagation time period, since the websites are still unsecured?
EDIT: my mistake, I forgot to reload nginx; now it's working fine.
pierre@sortirdelamatrice:~$ sudo certbot certonly --nginx --cert-name escapingthematrix.online -d sortirdelamatrice.online -d www.sortirdelamatrice.online -d naos-soultrap.online -d www.naos-soultrap.online
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate escapingthematrix.online to include new domain(s):
(None)
You are also removing previously included domain(s):
- escapingthematrix.online
- www.escapingthematrix.online
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/escapingthematrix.online/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/escapingthematrix.online/privkey.pem
Your cert will expire on 2024-12-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Excellent. I confirm I see the new cert with 4 domains used by your nginx. Now, to finish up. Let's delete the unused cert profiles. Certbot will try to renew each of them until we delete them. You don't need these certs since those names are covered in your other cert.
If that is the server block for that obsolete domain then yes. Usually people have a symlink in /sites-enabled to the /sites-available folder. If you have that you should remove that first.
Then try sudo nginx -t to test your nginx conf.
Let's Encrypt is the Certificate Authority (CA). It is what manages and issues the certs. It is run by the ISRG, who also operate this forum.
Certbot is developed by the EFF. At one time it was done by ISRG too but the EFF have handled it for a long time.
Donations are not required but I am sure both organizations appreciate them. Pick your favorite or even split your intended amount to each.
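For the cleanup step discussed earlier in the thread (deleting cert profiles whose names are already covered by the cert nginx uses), here is an added example that is not part of the original posts: it parses text in the layout printed by `certbot certificates` and reports redundant lineages, plus any lineage still listing a retired name. The sample is constructed; the lineage names come from the thread, while the domain lists of the three smaller lineages are assumptions.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `certbot certificates`
# (other fields omitted). Lineage names come from the thread; the domain
# lists of the three smaller lineages are assumed for illustration.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: escapingthematrix.online
    Domains: sortirdelamatrice.online www.sortirdelamatrice.online naos-soultrap.online www.naos-soultrap.online
  Certificate Name: naos-soultrap.online
    Domains: naos-soultrap.online www.naos-soultrap.online
  Certificate Name: naos-soultrap.online-0001
    Domains: naos-soultrap.online www.naos-soultrap.online
  Certificate Name: sortirdelamatrice.online
    Domains: sortirdelamatrice.online www.sortirdelamatrice.online
EOF
}

# Print every lineage whose names are all covered by another lineage.
# Ties (identical name sets) keep the lineage listed first.
redundant_lineages() {
  awk '
    /Certificate Name:/ { name[++n] = $3 }
    /Domains:/ { cnt[n] = NF - 1; doms[n] = $0
                 for (i = 2; i <= NF; i++) has[n, $i] = 1 }
    END {
      for (a = 1; a <= n; a++) {
        if (cnt[a] == 0) continue          # no Domains line parsed
        m = split(doms[a], d, " ")
        for (b = 1; b <= n; b++) {
          if (a == b) continue
          ok = 1
          for (i = 2; i <= m; i++) if (!((b, d[i]) in has)) ok = 0
          if (ok && (cnt[b] > cnt[a] || b < a)) { print name[a]; break }
        }
      }
    }'
}

# Print every lineage that still lists the given name, e.g. a retired
# domain that would make `certbot renew` fail with NXDOMAIN.
lineages_with_domain() {
  awk -v want="$1" '
    /Certificate Name:/ { name = $3 }
    /Domains:/ { for (i = 2; i <= NF; i++) if ($i == want) print name }'
}

# Live use: sudo certbot certificates | redundant_lineages
echo "Lineages covered by another cert:"
sample_output | redundant_lineages
echo "Lineages still listing escapingthematrix.online:"
sample_output | lineages_with_domain escapingthematrix.online
```

Each reported name is a candidate for `sudo certbot delete --cert-name NAME`, once no nginx server block still points at that lineage's files under /etc/letsencrypt/live/.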