Manuel certificate renew failed

My domain is: derwä --> (

I ran this command: certbot renew

It produced this output:

My web server is (include version): Apache/2.4.57 (Debian)

The operating system my web server runs on is (include version): Linux Debian 12

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Your webserver, when requesting redirects to https://www.derwä

While the HTTP to HTTPS redirect usually isn't an issue, the punycode to IDN translation is, as IDN is not directly supported in DNS, but needs to be translated to punycode.

Also note that your certificate doesn't include the "apex" domain name, but only the www subdomain. You might want to include both.


Thank you, could you please help me how to do this? I'm relatively new to the web hosting topic.

1 Like

Above is the punycode value for your www domain. Just use that value in your Apache Rewrite, Redirect, or .htaccess instead of www.derwä


Thank you, unfortunately, the error still persists. Is this fine now, or:

You missed a dash (-). It should be two instead of one.

It should also include the slash (/) at the end.


Oh, my fault, sorry.
The error message is shorter now, but still present:

There's no such thing as THE error message; this one is a different one.

It seems you have two certificates sort of "known" to Certbot: one which just renewed just fine and one that's broken.

Please show the output of certbot certificates.


Yes, that's true, sorry.
Okay, that's interesting.

1 Like

Please show this file:


its empty😂

Well that would be a problem.


But why do I have 2 certificates, and do I really need both of them?

Based on the output of certbot certificates, you only have one [working] certificate.

Probably not.
But we can't even see the second one.

From what can be seen, the first includes -0001 which is usually a sign of things not going to plan.


Creating the certificate was done by someone else, and I just watched. But from what I know, there was initially a problem, and we had to try it again. I believe it had something to do with the "Punycode" or the "ä". Is it possible that these are the two certificates, and the non-functional one is the one that couldn't be created?

If a cert was created, then it can be used.
If a cert can't be used, then it wasn't created.


Okay, thank you. How should I proceed now? Does the website remain certified due to the functioning certificate, and should I just leave the non-functioning certificate as is, or what should I do?

1 Like

Please explain and detail:


Your cert for that domain was renewed but your Apache is not yet using it. You probably need to reload Apache. This should work: apache2ctl graceful

You should use cron to reload Apache daily or we can adjust your certbot renewal to do it every time the cert is renewed. Let us know what you prefer.

As for your "broken" renewal file that you say is empty you could just delete that renewal conf file. You can't use the normal certbot delete command because it is broken so just delete it manually.


I meant that where the config file is empty.

I have done it.

I think I'll do it every time certbot renew. Would this command fit:

certbot renew --quiet && apache2ctl graceful