Remove a domain from chain

rbottoni · March 28, 2018, 10:56am

1531/5000
I’m using the command: certbot renew --dry-run
to test the renewal of certificates …

the main domain www.mydomain.it has some aliases: www.mydomain.com and www.mydomain.eu

this time it fails because a domain (www.mydomain.eu) is not active (expired domain) and it is no longer used …
so I get this error:

Processing /etc/letsencrypt/renewal/www.mydomain.it.conf

Attempting to parse the version 0.21.1 renewal configuration file found at /etc/letsencrypt/renewal/www.mydomain.it.conf with version 0.19.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.mydomain.it
http-01 challenge for www.mydomain.com

Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.mydomain.it) from /etc/letsencrypt/renewal/www.mydomain.it.conf produced an unexpected error: Failed authorization procedure. www.mydomain.eu (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.mydomain.eu. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/www.mydomain.it/fullchain.pem (failure)

How can I solve this?

_az · March 28, 2018, 11:03am

You can issue a new certificate for www.mydomain.eu on its own (using the usual invocation of Certbot as you did initially).

Once that succeeds, make sure your server is using the new certificate, and then you can find the name of the certificate that has the expired alias on it:

certbot certificates

and delete it by name:

certbot delete --cert-name <name>

rbottoni · March 28, 2018, 11:49am

i have issued the certificates with the command :

./certbot-auto --authenticator webroot --webroot-path /var/www/vhosts/www.mydomain.it/ROOT --installer apache -d www.mydomain.it -d www.mydomain.com -d www.mydomain.eu

and currently, the domain www.mydomain.eu is really expired… so i have a doubt that the new certificate for www.mydomain.eu will be not issued… is it correct?

_az · March 28, 2018, 12:01pm

You can just run that same command but remove -d www.mydomain.eu, so you only get the domains you want.

It might ask you whether you want to issue a new certificate or use the existing one, in which case you choose to issue a new certificate.

system · April 27, 2018, 12:01pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.