When I first set up my web account (Moodle site for my wife on Digital Ocean) I was groping in the dark. Instead of using CNAME, I used two A records – ‘sample’.net and www.‘sample’.net. Somehow I received certificates for both. I can’t remember exactly why, but the A record for www.sample.net caused an issue and I deleted it and replaced it with a CNAME.
Recently I got a notice to renew my certificate(s). I tried the instructions and kept getting an error thrown back at me – finally realized it was not finding www.‘sample’.net’s A record. I went ahead and temporarily changed the CNAME to A, but then – when I tried to renew – I got a “too many tries” error.
Finally I read some of the certbot documentation and saw that I could run “certbot certificates” on my server. It was then that I realized that one certificate actually did renew – the second one I created, “‘sample’.net-001.” This certificate was only for “sample.net” – and that’s all I need (I think).
The other (my original) certification, “‘sample’.net,” is a certificate for both “sample”.net and “www.‘sample’.net.” And it’s that certificate that will expire at the end of the month. The other one (the second I created) appears to have renewed and is good for another 69 days.
The questions: If I ignore the certificate that’s throwing the errors, will it go away on its own? Or would it be better to delete it? And … Will I be able to run “certbot renew” next time I need it, or is it permanently disabled because of too many tries?
It will never go away. "certbot renew" will always try to renew it (until it succeeds).
You can use e.g. "certbot delete --cert-name sample.net" to delete a certificate lineage (using the name listed in "certbot certificates".)
You can always run "certbot renew". If it tries to renew two certificates, and one fails, that doesn't stop the other one from succeeding. A persistently failing certificate is gross but won't break renewal for your other certificate(s).
In any case, CNAME records aren't a problem, as long as they're correct.
If you give more information about what's happening, we may be able to help fix it, if you want.
By the way, you can use "certbot renew --dry-run" to test renewing all of your certificates against the staging environment. (It won't overwrite your files.) It has much higher rate limits.
Thanks, mnordhoff and schoen for the help and explanations. I’ve deleted the “problem” certificate and everything looks good. I don’t think I’ve got this in the crontab yet, however, so I guess I’d better figure out how to get that done. It looks straightforward, but I’m sure I can manage to mess it up.
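
An added example, not posted by anyone in this thread: a shell filter that reads a "certbot certificates" listing and reports lineages with fewer than a given number of days left, which is how a lineage that keeps failing renewal shows up before it expires. The listing layout (Certificate Name / Domains / Expiry Date lines) is assumed, and the sample listing, its dates and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag certbot lineages that are close to expiry.
# Assumes the "Certificate Name / Domains / Expiry Date" layout of the listing.

# Constructed sample modelled on the two lineages described in the thread.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: sample.net
    Domains: sample.net www.sample.net
    Expiry Date: 2017-06-30 10:00:00+00:00 (VALID: 9 days)
    Certificate Path: /etc/letsencrypt/live/sample.net/fullchain.pem
  Certificate Name: sample.net-001
    Domains: sample.net
    Expiry Date: 2017-08-29 10:00:00+00:00 (VALID: 69 days)
    Certificate Path: /etc/letsencrypt/live/sample.net-001/fullchain.pem
EOF
}

# expiring_lineages LIMIT: read a listing on stdin and print
# "name<TAB>days<TAB>domains" for each lineage with fewer than LIMIT days left.
expiring_lineages() {
  awk -v limit="$1" '
    /Certificate Name:/ { name = $3 }
    /Domains:/          { sub(/^ *Domains: /, ""); domains = $0 }
    /Expiry Date:/ {
      days = 0   # entries without "(VALID: N days)" (e.g. expired) count as 0
      if (match($0, /\(VALID: [0-9]+ day/))
        days = substr($0, RSTART + 8) + 0
      if (days < limit + 0)
        printf "%s\t%d\t%s\n", name, days, domains
    }'
}

# Demo on the constructed sample; on a server: certbot certificates | expiring_lineages 30
sample_output | expiring_lineages 30
```

A lineage that still appears here after "certbot renew" has run is the one to fix or delete.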