Let's Encrypt Newbie with renew failure

My domain is:
maps.camavision.com

I ran this command:
sudo certbot-auto renew

It produced this output:
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/maps.camavision.com/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/camavision.com/fullchain.pem expires on 2020-12-09 (skipped)
/etc/letsencrypt/live/map2.camavision.com/fullchain.pem expires on 2020-12-07 (skipped)
/etc/letsencrypt/live/map3.camavision.com/fullchain.pem expires on 2021-01-06 (skipped)
/etc/letsencrypt/live/payroll.camavision.com/fullchain.pem expires on 2020-12-16 (skipped)
/etc/letsencrypt/live/testmaps.camavision.com/fullchain.pem expires on 2020-12-09 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/maps.camavision.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
Apache/2.4.41 (Unix) OpenSSL/1.1.1d mod_fcgid/2.3.9

The operating system my web server runs on is (include version):
Slackware 14.2+

My hosting provider, if applicable, is:
None.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.7.0

Question: This cert was renewed in the past, however, the IP address may have changed since then. I have little network experience, however I have access to the server. This cert expires in 29 days. I would appreciate your help.

2 Likes

There appear to be 2 different servers involved here.

Server 1 (199.188.65.182) hosts these domains:

Server 2 (72.50.244.62) hosts these domains:

Now, it appears that you are running this Certbot renewal on Server 1.

If you wanted to issue or renew a certificate for maps.camavision.com, you would have to do so on Server 2.

What good is a certificate if it's on the wrong server?

3 Likes

Definitely a great idea to make sure that the domain name points at the server you want it to, and that you try to get your certificate where it will be used. :slight_smile:

If you need to reissue an old certificate with Certbot to remove domains that are no longer hosted on your server, be careful because the model of how to do this has ended up confusing many people. (In particular, you need to specify --cert-name to modify coverage for an existing certificate, and you need to specify all of the names that should be included in the new certificate with -d.)

If you need to delete an old certificate, Certbot also has a command for that—certbot delete—but again you should be careful that your web server application isn't still configured to use the certificate that you're planning to delete. If you delete a certificate that's still referred to by a web server configuration, your configuration may become invalid.

If you're unsure or confused about how to make the changes that you decide you need to make, please feel free to double-check here on the forum before making a change you're not confident about!

2 Likes

Dear _az:

How were you able to come up with the IP addresses? I would like to verify this information myself in the future.

Dear schoen:

Thank you very kindly for your response.

I believe I need to move the cert for maps.camavision.com to server2 (e.g. 72.50.244.62). Would you recommend the following command on server1? Should I issue this command first or after the new certificate is created?

sudo certbot-auto delete --cert-name maps.camavision.com

Then, would I also need to issue the following on server2 to create the new certificate on server2?

sudo certbot-auto certonly --webroot -w /pub/maps/html/ -d maps.camavision.com

Thanks again for your reply.

Those both look good.

I would say after the new certificate is created, although the certificates don't conflict or interfere with each other.

The most important thing in deleting the certificate on the original server is to first make sure that it's not referenced in your web server configuration.

Note that the certonly command will not install the certificate in your web server configuration on the second server, so if you use this method, you'll also need to edit the configuration for that server to refer to the certificate after it's obtained.
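
The check described in the reply above (confirm the certificate is no longer referenced before running certbot delete), as an added example that is not part of the original posts or of Certbot. The function names, the sample config and the /etc/httpd config directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find active (non-comment) web server config lines that still
# reference a Certbot certificate, to be checked before `certbot delete`.

# cert_refs CERT_NAME CONF_DIR [LE_DIR]
# Prints file:line:text per active reference; exit status 0 if any exist.
cert_refs() {
    local name="$1" conf_dir="$2" le_dir="${3:-/etc/letsencrypt}"
    # -F matches fixed strings, so dots in the name are literal; the "/live/"
    # prefix and trailing "/" stop "maps..." from matching "testmaps...".
    grep -rnF -e "${le_dir}/live/${name}/" -e "${le_dir}/archive/${name}/" \
        -- "$conf_dir" 2>/dev/null \
      | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#'
}

# safe_to_delete CERT_NAME CONF_DIR [LE_DIR]
# Exit status 0 only when no active config line references the certificate.
safe_to_delete() {
    local refs
    if refs=$(cert_refs "$@"); then
        printf 'Still referenced, do not delete %s yet:\n%s\n' "$1" "$refs" >&2
        return 1
    fi
    return 0
}

# Constructed sample config (not from the thread's servers) for a dry run.
write_sample_conf() {
    mkdir -p "$1" && cat > "$1/vhosts.conf" <<'EOF'
<VirtualHost *:443>
    ServerName testmaps.camavision.com
    SSLCertificateFile /etc/letsencrypt/live/testmaps.camavision.com/fullchain.pem
</VirtualHost>
# SSLCertificateFile /etc/letsencrypt/live/map2.camavision.com/fullchain.pem
<VirtualHost *:443>
    ServerName maps.camavision.com
    SSLCertificateFile /etc/letsencrypt/live/maps.camavision.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/maps.camavision.com/privkey.pem
</VirtualHost>
EOF
}

# Real use: sh check.sh maps.camavision.com /etc/httpd  (conf dir is an assumption)
if [ "$#" -ge 2 ]; then safe_to_delete "$@" || exit 1; fi
```

A commented-out directive does not count as a reference, and a name such as testmaps.camavision.com is not mistaken for maps.camavision.com.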

Let me be the one to say that we don't see many newbies with your level of preparation. Way to go. :slightly_smiling_face: I'd give you some likes if I weren't out of them right now.

So have this instead: :star2:

A coaster with a liability attached?

Also remember to reload/restart your webserver after you acquire a new certificate! You can use --deploy-hook "some code or a script here" to automate this.


I don't have much else to add here. Standing between Alex (_az) and Seth (schoen) sorta makes me feel like a hill in a mountain valley, but I do have one small thing to recommend.

You might consider adding --keep-until-expiring to keep from accidentally issuing unneeded certificates.