Removing invalid domains

Debian 9
Certbot 0.28.0

When I set up certbot/letsencrypt, I was hosting two domains that are no longer in use. The registrations for two of the aliases of the domain therune.com, therune.net and therune.org, have expired and there is no DNS entry for them. This appears to cause the automatic renewal to fail. The primary CN for the certificate, eponasgrove.com, is no longer enabled; Apache redirects to the default site, marilynjevans.com. (This in turn redirects to marilynjevans.com/blog/.)

The errors I get when I attempt to renew are all complaints about the lack of a DNS entry for therune.net and an invalid response from therune.org (because the site is disabled)…

What’s the best way to recover from this? I’m already hitting rate limiting for some of these hosts. The certificate expires on August 7.


You can re-define the names that are included on a certificate.

First, check what certificate you already have:

sudo certbot certificates

Then using the listed certificate name (replace THE_CERT_NAME), you can change the certificate to only include the domains you want:

sudo certbot certonly --apache --dry-run --cert-name THE_CERT_NAME \
-d eponasgrove.com -d eponasgrove.org -d marilynjevans.com \
-d tarcanfel.net -d tarcanfel.org -d therune.com \
-d therune.net -d therune.org -d www.eponasgrove.com \
-d www.eponasgrove.org -d www.marilynjevans.com \
-d www.tarcanfel.net -d www.tarcanfel.org \
-d www.therune.com -d www.therune.net -d www.therune.org

Remove any you don’t need anymore, and give it a shot. Once it’s working, remove certonly and --dry-run and do it for real.

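An added helper, not from the thread or from certbot itself: it keeps only the names that still have a DNS record before building the dry-run command from the answer above, so a re-issue does not spend failed-validation attempts on names like therune.net that no longer resolve. THE_CERT_NAME is the placeholder from the answer; `getent` is assumed to be available (glibc systems such as Debian 9).

```sh
#!/bin/sh
# Added example, not from the thread: drop every name that no longer has a
# DNS record, then print the dry-run re-issue command from the answer above.
# THE_CERT_NAME is a placeholder for the name shown by "certbot certificates".

# resolves NAME: succeeds when NAME has an A or AAAA record (glibc getent).
resolves() {
    getent ahosts "$1" >/dev/null 2>&1
}

# keep_resolvable NAME...: prints the names that still resolve, one per line.
keep_resolvable() {
    for name in "$@"; do
        resolves "$name" && printf '%s\n' "$name"
    done
    return 0
}

# build_d_args NAME...: prints "-d a -d b ..." for the names that resolve
# (empty string if none do).
build_d_args() {
    args=""
    for name in $(keep_resolvable "$@"); do
        args="$args -d $name"
    done
    printf '%s' "${args# }"
}

# certbot_command CERT_NAME NAME...: the dry-run command the answer
# recommends, restricted to the names that still resolve. Once it
# succeeds, drop --dry-run (and certonly) as the answer says.
certbot_command() {
    cert="$1"; shift
    printf 'sudo certbot certonly --apache --dry-run --cert-name %s %s\n' \
        "$cert" "$(build_d_args "$@")"
}

# Usage: sh rebuild-cert.sh THE_CERT_NAME eponasgrove.com therune.net ...
# Runs only when given arguments, so the file can also be sourced.
if [ $# -gt 1 ]; then
    certbot_command "$@"
fi
```

Review the printed command before running it; a name can also fail validation for reasons other than a missing DNS record, as the later reply about --allow-subset-of-names notes.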

“--dry-run currently only works with the ‘certonly’ or ‘renew’ subcommands (‘run’)”

I’ve tried -d , it fails on DNS. If I put an entry in my hosts file, it fails when it attempts to validate the site. I’m reluctant to test random guessed commands because I’ve hit rate limiting, which blocks me for seven days, eight days before the cert expires.


The rate limiting from failed validations is 5 attempts per hour. It does not lock you out for a week.

If you use --dry-run, the limit increases to 60 attempts per hour.

Sorry, I updated the command now.


I don't know about best, but the easy way looks like this:

--allow-subset-of-names
      When performing domain validation, do not consider it
      a failure if authorizations can not be obtained for a
      strict subset of the requested domains. This may be
      useful for allowing renewals for multiple domains to
      succeed even if some domains no longer point at this
      system. This option cannot be used with --csr.
      (default: False)

(there can be several reasons why "authorizations can not be obtained" other than your issue, though)

https://certbot.eff.org/docs/using.html#certbot-command-line-options
