Problem with wildcard certificate

Hi all,

In the past I was able to renew and use the wildcard certificate without problem, but for some time now, when I try to use it, it always appears as not valid.
This is the output from the console.

certbot certonly --dns-cloudflare --dns-cloudflare-credentials cloud.ini -d *.sakurastur.es --preferred-challenges dns-01

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/sakurastur.es-0001.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for *.sakurastur.es

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sakurastur.es-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/sakurastur.es-0001/privkey.pem
This certificate expires on 2024-07-17.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.


If you like Certbot, please consider supporting our work by:


After generating it, I install the certificate using Virtualmin as I did in the past.
The server is Debian 12 with Apache 2.4.59.

I checked the domain with sslchecker.com and it gives the following result:

My certbot version is 2.1.0

Regards,

Batanen

Please stop forcing new issuances for no good reason. If a previous successfully issued certificate gives you some kind of trouble, then issuing a NEW certificate is not going to help (because it's going to be practically identical...). (Unless you played with the --preferred-chain option perhaps, but I do not see that in your command.)

Also, the fact you have -0001 in the certificates name suggests there's something not entirely correct with your Certbot and the certificates it knows. Can you perhaps show the output of certbot certificates to check?

Also, I don't think there's any issue with your site and/or the certificate and/or the chain. If I check the cert and chain it all checks out and also SSL Checker thinks everything is just fine. I believe sslchecker.com is just being completely bogus.

2 Likes

Hi @Orisis, thank you for your help. This is the output of the command:

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: diastures.com
Serial Number: 4753ea3e4a745120291b86763efe1142189
Key Type: ECDSA
Domains: *.diastures.com
Expiry Date: 2024-07-17 10:29:34+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/diastures.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/diastures.com/privkey.pem
Certificate Name: happymoments.es
Serial Number: 4ea1c42f33bcf62ea7699ae20b9ded1cf91
Key Type: ECDSA
Domains: *.happymoments.es
Expiry Date: 2024-06-25 15:17:45+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/happymoments.es/fullchain.pem
Private Key Path: /etc/letsencrypt/live/happymoments.es/privkey.pem
Certificate Name: sakurastur.es-0001
Serial Number: 34fd4d18913aab4b57c28f94d706167feea
Key Type: ECDSA
Domains: *.sakurastur.es
Expiry Date: 2024-07-17 10:44:49+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/sakurastur.es-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sakurastur.es-0001/privkey.pem
Certificate Name: sakurastur.es
Serial Number: 3e84605f2afae4b50905cb365c7f609ce08
Key Type: RSA
Domains: sakurastur.es autoconfig.sakurastur.es autodiscover.sakurastur.es mail.sakurastur.es www.sakurastur.es
Expiry Date: 2024-07-02 09:12:35+00:00 (VALID: 74 days)
Certificate Path: /etc/letsencrypt/live/sakurastur.es/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sakurastur.es/privkey.pem
Certificate Name: sidranostra.com
Serial Number: 4f290785ae4f28a3356385a2f24dce71642
Key Type: ECDSA
Domains: *.sidranostra.com
Expiry Date: 2024-07-09 07:22:01+00:00 (VALID: 81 days)
Certificate Path: /etc/letsencrypt/live/sidranostra.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sidranostra.com/privkey.pem


1 Like

As shown:

And as requested:

the certificate being renewed only includes the wildcard [extension].
It does NOT include the base name: sakurastur.es, so you won't be able to use that cert to cover that [base] name.
There is another cert that already contains that base name [and the "www"] - you could use that cert for that use:

But if there is only one single vhost to cover a different set of names [say: secure.sakurastur.es & sakurastur.es], they would require the use of both certs - which won't be possible in a single vhost.

So...
What is/are the name(s) that you are trying to reach that return "not valid"?

2 Likes

I was trying to reach the base name. When all the certs expire, can I generate a wildcard to use it with the base name?

You don't need to wait for the existing certificates to expire in order to do that. The base name is a separate name and (for possibly mysterious browser design reasons from the 1990s?) needs to be listed separately in the certificate, as it's never considered to be covered by the wildcard. The wildcard is only considered to match subdomains, and not the base domain.

The command for this would look something like

certbot certonly --dns-cloudflare --dns-cloudflare-credentials cloud.ini -d *.sakurastur.es -d sakurastur.es --preferred-challenges dns-01

(Note the extra -d option listing the base domain.)

There are some DNS-01 plugins (and DNS service providers) that get confused about the need to create two different DNS text records with the same name but different contents in order to satisfy the certificate authority challenge for this (as both TXT records will be called _acme-challenge.sakurastur.es but they will have different values). However, I think the --dns-cloudflare method is able to handle this case properly and probably shouldn't give you trouble related to it.

3 Likes
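To make the point of the two replies above concrete (the wildcard-only `-0001` lineage cannot serve the base name, while the older lineage covers the base name and `www`), here is an added check script that is not part of this thread or of Certbot. It parses a constructed, abbreviated `certbot certificates` listing and reports which lineage covers a given hostname using the standard wildcard rule: `*.example.com` matches exactly one label, never the bare base name and never deeper names such as `a.b.example.com`.

```python
"""Which lineages in a `certbot certificates` listing cover a given hostname?

Wildcard matching follows the rule described in the thread (and RFC 6125):
`*.example.com` covers `www.example.com`, but not `example.com` itself and
not multi-label names like `a.b.example.com`.
"""


def name_matches(san: str, hostname: str) -> bool:
    """Return True if one dNSName SAN (possibly a wildcard) covers hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*."):
        return False
    base = san[2:]
    if not hostname.endswith("." + base):
        return False  # also rejects the bare base name: it is shorter than ".base"
    leading = hostname[: -len(base) - 1]
    # The wildcard stands for exactly one non-empty label.
    return bool(leading) and "." not in leading


def parse_certbot_listing(text: str) -> dict:
    """Map lineage name -> list of SANs from `certbot certificates` output."""
    certs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            certs[current] = []
        elif line.startswith("Domains:") and current is not None:
            certs[current] = line.split(":", 1)[1].split()
    return certs


def certs_covering(listing: dict, hostname: str) -> list:
    """Sorted lineage names whose SAN list covers hostname (empty if none)."""
    return sorted(name for name, sans in listing.items()
                  if any(name_matches(s, hostname) for s in sans))


# Constructed sample, abbreviated from the listing quoted earlier in the thread.
SAMPLE = """\
Found the following certs:
  Certificate Name: sakurastur.es-0001
    Domains: *.sakurastur.es
  Certificate Name: sakurastur.es
    Domains: sakurastur.es autoconfig.sakurastur.es mail.sakurastur.es www.sakurastur.es
"""

if __name__ == "__main__":
    listing = parse_certbot_listing(SAMPLE)
    for host in ("sakurastur.es", "www.sakurastur.es", "secure.sakurastur.es", "a.b.sakurastur.es"):
        print(f"{host:22} covered by: {certs_covering(listing, host) or 'NOTHING'}")
```

Running it shows the base name is covered only by the `sakurastur.es` lineage and `secure.sakurastur.es` only by the wildcard one, which is exactly why a single vhost for both names needs one certificate listing both `-d *.sakurastur.es` and `-d sakurastur.es`.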

The command worked fine and the problem is solved, thanks a lot to all for your time and help!

3 Likes

In your previous output of certbot certificates you had two certs for sakurastur.es: one with a few subdomains and one wildcard.

Please make sure you only have a single certificate for sakurastur.es and *.sakurastur.es in use. It's wasteful to keep renewing the other certificate if it's not in use any longer.

(NB: don't delete certificates if you aren't sure if they're still in use: first make sure the cert isn't in use any more [e.g. by reconfiguring all services to use the other cert] and only if no services make use of the cert any longer, you can remove it.)

3 Likes