Renew :: Domain name contains an invalid character

Hey,

This is a very strange behavior. I have a cron on an AWS machine to renew the certification and I'm running the following command:

43 6 * * * root certbot renew --renew-hook "systemctl reload nginx"

When the cron runs to renew the certification I'm getting an error:

 The server will not issue certificates for the identifier :: Error finalizing order :: Cannot issue for "ws.houseberry.io:8000": Domain name contains an invalid character

Some extra information

2021-02-26 21:51:50,705:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/finalize/92404437/8142128442 HTTP/1.1" 400 205
2021-02-26 21:51:50,706:DEBUG:acme.client:Received response:
HTTP 400
Content-Length: 205
Cache-Control: public, max-age=0, no-cache
Server: nginx
Connection: keep-alive
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Boulder-Requester: 92404437
Date: Fri, 26 Feb 2021 21:51:50 GMT
Content-Type: application/problem+json
Replay-Nonce: 0103SVdfHEI8sx3JIYSoIk5aljaptxsaoaGhaewdWHn3VYY

{
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Error finalizing order :: Cannot issue for \"ws.houseberry.io:8000\": Domain name contains an invalid character",
  "status": 400
}

Although when I run the renew manually it works fine. I don't know where the port 8000 was set... I don't have that port set on nginx.
Any idea what might be happening here?

2 Likes

Could you please post the entire output of the letsencrypt.log file?

3 Likes

Also, maybe, the output of sudo certbot certificates ?

4 Likes

Here is the content of letsencrypt.log

2021-02-26 21:51:48,893:DEBUG:certbot._internal.main:certbot version: 1.6.0
2021-02-26 21:51:48,894:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'ws.houseberry.io:8000']
2021-02-26 21:51:48,894:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-02-26 21:51:48,908:DEBUG:certbot._internal.log:Root logging level set at 20
2021-02-26 21:51:48,909:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-02-26 21:51:48,909:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2021-02-26 21:51:49,059:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fd302e63f10>
Prep: True
2021-02-26 21:51:49,060:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fd302e63f10> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fd302e63f10>
2021-02-26 21:51:49,061:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2021-02-26 21:51:49,065:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/92404437', new_authzr_uri=None, terms_of_service=None), 04ce92040fb8f9a842564b9c49926419, Meta(creation_host=u'ip-172-31-40-161.eu-west-1.compute.internal', register_to_eff=None, creation_dt=datetime.datetime(2020, 7, 27, 8, 21, 8, tzinfo=<UTC>)))>
2021-02-26 21:51:49,066:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-02-26 21:51:49,069:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-02-26 21:51:49,569:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-02-26 21:51:49,569:DEBUG:acme.client:Received response:
HTTP 200
Content-Length: 658
Strict-Transport-Security: max-age=604800
Server: nginx
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Date: Fri, 26 Feb 2021 21:51:49 GMT
X-Frame-Options: DENY
Content-Type: application/json

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "mumB3pmfenc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-02-26 21:51:49,571:INFO:certbot._internal.main:Obtaining a new certificate
2021-02-26 21:51:50,023:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0009_key-certbot.pem
2021-02-26 21:51:50,025:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem
2021-02-26 21:51:50,026:DEBUG:acme.client:Requesting fresh nonce
2021-02-26 21:51:50,026:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-02-26 21:51:50,149:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-02-26 21:51:50,150:DEBUG:acme.client:Received response:
HTTP 200
Strict-Transport-Security: max-age=604800
Server: nginx
Connection: keep-alive
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Cache-Control: public, max-age=0, no-cache
Date: Fri, 26 Feb 2021 21:51:50 GMT
X-Frame-Options: DENY
Replay-Nonce: 01030fqQofabZwjCiPWQwIDyT8WyvtM2_5Z91W50dFKL20E


2021-02-26 21:51:50,150:DEBUG:acme.client:Storing nonce: 01030fqQofabZwjCiPWQwIDyT8WyvtM2_5Z91W50dFKL20E
2021-02-26 21:51:50,151:DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns", 
      "value": "ws.houseberry.io"
    }
  ]
}
2021-02-26 21:51:50,152:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICIwMTAzMGZxUW9mYWJad2pDaVBXUXdJRHlUOFd5dnRNMl81WjkxVzUwZEZLTDIwRSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzkyNDA0NDM3IiwgImFsZyI6ICJSUzI1NiJ9", 
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJ3cy5ob3VzZWJlcnJ5LmlvIgogICAgfQogIF0KfQ", 
  "signature": "dPlqnkiAiHeR3y05xx3JhN674Fyy-2w2OVfNy4_wdUy7AGNpotK4yQQ3xT20J2K1xs6tydMR43S39GUjcoNt94osFrp6gXm42SLa4B5Ka1a0SCmo4zhwVCfPaocK95084VH0ZdFLlWU44MBEbvOzYC-TzmT3R3W-Lxg-T_PMLk2Ii_0T5gQyaqRqFfmm6Q17jPlphmXo4MJaG0f3CaP_5QI3zW9OP2hD8g0Zr9Z-s7R6oSn5AdpoSKhpu16YXNb18pgjGfjgVsyO0WHfiI0lyDAwlMfQwmnt2QUFiIHKHlHtDH92qiASw18RfIUkC-XKSFyJuIMI_eQhrxGimYLDIg"
}
2021-02-26 21:51:50,377:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 335
2021-02-26 21:51:50,378:DEBUG:acme.client:Received response:
HTTP 201
Content-Length: 335
Strict-Transport-Security: max-age=604800
Cache-Control: public, max-age=0, no-cache
Server: nginx
Connection: keep-alive
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/92404437/8142128442
Boulder-Requester: 92404437
Date: Fri, 26 Feb 2021 21:51:50 GMT
X-Frame-Options: DENY
Content-Type: application/json
Replay-Nonce: 0103mAT2pBdYwWXHO_aXFf6ZC2phoYTf-0xaiVgRnzLZ2LA

{
  "status": "ready",
  "expires": "2021-03-05T21:51:50Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "ws.houseberry.io"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/11169506609"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/92404437/8142128442"
}
2021-02-26 21:51:50,378:DEBUG:acme.client:Storing nonce: 0103mAT2pBdYwWXHO_aXFf6ZC2phoYTf-0xaiVgRnzLZ2LA
2021-02-26 21:51:50,378:DEBUG:acme.client:JWS payload:

2021-02-26 21:51:50,380:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/11169506609:
{
  "protected": "eyJub25jZSI6ICIwMTAzbUFUMnBCZFl3V1hIT19hWEZmNlpDMnBob1lUZi0weGFpVmdSbnpMWjJMQSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTExNjk1MDY2MDkiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTI0MDQ0MzciLCAiYWxnIjogIlJTMjU2In0", 
  "payload": "", 
  "signature": "b3MNdoXg47dwK2yEFsDHRqlY6xU0DAO3JSmgiRcUmqbV1tawARGnoMnevTJ978OtPdcFQ3M3Ug8VF4fa0GLiHpHciVPHIRaH_AIOrfycT0Q2p1pjIkl8CmzsNpz_n0MQitJDH2TTgRvVPGhaFT3hwNWE874ExwNjTuBCRSsmxmFTU7k0WHY2e3X0n0unEYeStkn14Vhf66BulwGGkyJDYlwEJHM4raye3FyPwaSVJNe0hJ0qK3PoDMuePA4CB6mTX9Q9hlDsLswnjmRBE4eZ1G5AH0vx_39jnO74j0_Qwa8WmMYwhz-RZ_jicIKO8f4YT4kiFTS33odCrYEND3AXXQ"
}
2021-02-26 21:51:50,533:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/11169506609 HTTP/1.1" 200 721
2021-02-26 21:51:50,534:DEBUG:acme.client:Received response:
HTTP 200
Content-Length: 721
Strict-Transport-Security: max-age=604800
Cache-Control: public, max-age=0, no-cache
Server: nginx
Connection: keep-alive
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Boulder-Requester: 92404437
Date: Fri, 26 Feb 2021 21:51:50 GMT
X-Frame-Options: DENY
Content-Type: application/json
Replay-Nonce: 010495NA4rO0SddV6OaFjt2cxaj8Sbv-ij3ZwuAFoUN8UDI

{
  "identifier": {
    "type": "dns",
    "value": "ws.houseberry.io"
  },
  "status": "valid",
  "expires": "2021-03-28T21:48:44Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11169506609/CyNAjg",
      "token": "XBJQd9t92Ngtvh4v27fSQCAJXfzUNBbSSEa74TmGgmg",
      "validationRecord": [
        {
          "url": "http://ws.houseberry.io/.well-known/acme-challenge/XBJQd9t92Ngtvh4v27fSQCAJXfzUNBbSSEa74TmGgmg",
          "hostname": "ws.houseberry.io",
          "port": "80",
          "addressesResolved": [
            "34.240.102.153"
          ],
          "addressUsed": "34.240.102.153"
        }
      ]
    }
  ]
}
2021-02-26 21:51:50,534:DEBUG:acme.client:Storing nonce: 010495NA4rO0SddV6OaFjt2cxaj8Sbv-ij3ZwuAFoUN8UDI
2021-02-26 21:51:50,535:DEBUG:certbot._internal.client:CSR: CSR(file='/etc/letsencrypt/csr/0009_csr-certbot.pem', data='-----BEGIN CERTIFICATE REQUEST-----\nMIICeDCCAWACAQIwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOsu\nuKXOhye2t5xpaIVxpt6JJkowQEBcuALm1Va9gElOunZu86gs6G+sB1uWesI318xZ\n6ou0iukQdH9B5KU4LnJBsnI9jHX6av+4LJRKC4n+8BVuLjh4aNNntI/cgD+Haf+N\n7IARTuvvOH1Jxtzsg9A3DV2V4tlKN82u8FiDWJDhjO+6kdjZRvLS/jedjvqTlu6w\nZ5as75VX3rmgJjNetXdAYlxssAmiD8ggyPcgPJ4h1wiSp0is6B5SwHQ4C8ZvDSp+\nhTOlLv8q0Kl4mCPniNCU6BRTJwGFohKkX0VcVkNyHjJ+Ti/Y1g/hFSCYjEEC2uBk\nBw698leSrexZB4Yvc18CAwEAAaAzMDEGCSqGSIb3DQEJDjEkMCIwIAYDVR0RBBkw\nF4IVd3MuaG91c2ViZXJyeS5pbzo4MDAwMA0GCSqGSIb3DQEBCwUAA4IBAQAqdQXY\nLOlg4CDzhMTIN5x1heOathFmdO9vUAYKHpQ0eWh+KPtftMeyfkKrQiN3yV9ZE2dg\nEgv2veJeInkgi3AElD4fcB+p4+aX59jTQvVV9FrTH2sAKtbl7+xCIy0Fo53UVlAE\nrIhfHxCOjxbTv2hIAYHe5znL8zdllKrOWpJf6TFXb/e+Daj9G0RoWxXraoMXbX+r\nOx7Z9gdQ9dOMYn5GAYAaN9uSK+lY9wECb5bQdwMYQMqdmToe6OQ+ghkpdJvQxvXq\nQiyCUlY+cH9k7mbtAh1ap+YNFTy3Vde2YvDhr6OLmdE3UEhfqKiFnCrfFPUCFzVb\npEumSUrAgLY9ITW1\n-----END CERTIFICATE REQUEST-----\n', form='pem')
2021-02-26 21:51:50,535:DEBUG:acme.client:JWS payload:
{
  "csr": "MIICeDCCAWACAQIwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOsuuKXOhye2t5xpaIVxpt6JJkowQEBcuALm1Va9gElOunZu86gs6G-sB1uWesI318xZ6ou0iukQdH9B5KU4LnJBsnI9jHX6av-4LJRKC4n-8BVuLjh4aNNntI_cgD-Haf-N7IARTuvvOH1Jxtzsg9A3DV2V4tlKN82u8FiDWJDhjO-6kdjZRvLS_jedjvqTlu6wZ5as75VX3rmgJjNetXdAYlxssAmiD8ggyPcgPJ4h1wiSp0is6B5SwHQ4C8ZvDSp-hTOlLv8q0Kl4mCPniNCU6BRTJwGFohKkX0VcVkNyHjJ-Ti_Y1g_hFSCYjEEC2uBkBw698leSrexZB4Yvc18CAwEAAaAzMDEGCSqGSIb3DQEJDjEkMCIwIAYDVR0RBBkwF4IVd3MuaG91c2ViZXJyeS5pbzo4MDAwMA0GCSqGSIb3DQEBCwUAA4IBAQAqdQXYLOlg4CDzhMTIN5x1heOathFmdO9vUAYKHpQ0eWh-KPtftMeyfkKrQiN3yV9ZE2dgEgv2veJeInkgi3AElD4fcB-p4-aX59jTQvVV9FrTH2sAKtbl7-xCIy0Fo53UVlAErIhfHxCOjxbTv2hIAYHe5znL8zdllKrOWpJf6TFXb_e-Daj9G0RoWxXraoMXbX-rOx7Z9gdQ9dOMYn5GAYAaN9uSK-lY9wECb5bQdwMYQMqdmToe6OQ-ghkpdJvQxvXqQiyCUlY-cH9k7mbtAh1ap-YNFTy3Vde2YvDhr6OLmdE3UEhfqKiFnCrfFPUCFzVbpEumSUrAgLY9ITW1"
}
2021-02-26 21:51:50,537:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/finalize/92404437/8142128442:
{
  "protected": "eyJub25jZSI6ICIwMTA0OTVOQTRyTzBTZGRWNk9hRmp0MmN4YWo4U2J2LWlqM1p3dUFGb1VOOFVESSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvZmluYWxpemUvOTI0MDQ0MzcvODE0MjEyODQ0MiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MjQwNDQzNyIsICJhbGciOiAiUlMyNTYifQ", 
  "payload": "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", 
  "signature": "nGeB8d4sor1XQgk7CGcNCVuJvcvi8fYQjhRbQDoRYP58VofGD5PvZdFdx1yQeL8XYptV1CWF5BH6dDjiwdJxwA7Z_a7t2PsjfzmAb-trTr8rLe1uT8XUUhrwj9zGMBQb5dUyLgnbszEmd9-6KB-Fex6ybI7OPY4CsqOhllgwlSrvkIEyM0L3ESkoGjTIj8IhUge7nrsbPFZGlJ1jC2th6NK390lswSikG638DdUll_gzPNMXhpmOnxV7hRlk-PYAhsAq2dsinEf-gFSPOsWpj6pW91o-_QF7tjxXpN7ivi8rS2X096r8fScM4tvxhCFFmQ5-LFHHSH5jnFYcr7y0Lw"
}
2021-02-26 21:51:50,705:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/finalize/92404437/8142128442 HTTP/1.1" 400 205
2021-02-26 21:51:50,706:DEBUG:acme.client:Received response:
HTTP 400
Content-Length: 205
Cache-Control: public, max-age=0, no-cache
Server: nginx
Connection: keep-alive
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Boulder-Requester: 92404437
Date: Fri, 26 Feb 2021 21:51:50 GMT
Content-Type: application/problem+json
Replay-Nonce: 0103SVdfHEI8sx3JIYSoIk5aljaptxsaoaGhaewdWHn3VYY

{
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Error finalizing order :: Cannot issue for \"ws.houseberry.io:8000\": Domain name contains an invalid character",
  "status": 400
}
2021-02-26 21:51:50,706:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.6.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1353, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1102, in run
    certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 418, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 367, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 293, in obtain_certificate_from_csr
    fetch_alternative_chains=get_alt_chains)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 925, in finalize_order
    return self.client.finalize_order(orderr, deadline, fetch_alternative_chains)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 752, in finalize_order
    self._post(orderr.body.finalize, wrapped_csr)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 97, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1201, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1214, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1072, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:ietf:params:acme:error:rejectedIdentifier :: The server will not issue certificates for the identifier :: Error finalizing order :: Cannot issue for "ws.houseberry.io:8000": Domain name contains an invalid character
2021-02-26 21:51:50,711:ERROR:certbot._internal.log:An unexpected error occurred:
2021-02-26 21:51:50,711:ERROR:certbot._internal.log:The server will not issue certificates for the identifier :: Error finalizing order :: Cannot issue for "ws.houseberry.io:8000": Domain name contains an invalid character

And the output of certificates

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ws.houseberry.io
    Serial Number: 3faa157f4971afea20292917658121eefdd
    Domains: ws.houseberry.io
    Expiry Date: 2021-08-30 11:33:19+00:00 (VALID: 34 days)
    Certificate Path: /etc/letsencrypt/live/ws.houseberry.io/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ws.houseberry.io/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Likes

This suggests certbot was run with the command options certbot --nginx -d ws.houseberry.io:8000 and not with certbot renew --renew-hook (...)?

(It seems the log does not report the subcommand, such as renew as argument).

2 Likes

The invalid character is obviously the colon ( : ). For posterity, a port number can't be included.

The renewal configuration file might contain the port number if it was manually modified.

Looking through the responses from Boulder, it seems odd that there is only mention of ws.houseberry.io right up until ws.houseberry.io:8000 appears in the CSR.

1 Like

Sounds weird because I'm running the following on my crontab

43 6 * * * root certbot renew --renew-hook "systemctl reload nginx"
2 Likes

I'm almost certain that the problem lies here then:

/etc/letsencrypt/renewal/ws.houseberry.io.conf

1 Like

@griffin The -d options aren't stored in the renewal configuration file, so that's highly unlikely. However, it can't hurt to take a look at it.

That said: the log posted above is from February 2021. Unless the server's clock is off by MONTHS, the log is very old and we probably need to see a more recent log, i.e. the log from the renewal command :wink:

2 Likes

I was assuming that those were internal arguments based on the configuration file. Possibly the wrong assumption, but it's all that I've got if @hugoalexmartins is only running certbot renew.

Update:

That would explain a lot. :grin:

1 Like

The renewal configuration files come into play later on in the certbot process, I believe. The arguments listed in that log entry are really the options on the command line. Without the subcommand, it seems, though. Also, as said, the -d options don't come from the renewal file: at renewal, the hostnames are extracted from the current certificate and that can't contain the colon and port number. So it has to come from somewhere else, i.e. a -d option on the command line.

2 Likes
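
The replies above trace the rejected identifier to a -d value recorded on the `Arguments:` line of letsencrypt.log. As an added example (not part of the thread and not certbot's own code), this script scans those log lines and flags any -d / --domains / --domain value that is not a plain DNS name. The first sample line is copied from the log posted above; the other sample lines and all function names are constructed for illustration.

```python
import ast
import re

# Certbot's debug line recording the raw command-line arguments.
ARGS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+:DEBUG:"
    r"certbot\._internal\.main:Arguments: (\[.*\])\s*$"
)
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label
DOMAIN_FLAGS = ("-d", "--domains", "--domain")


def invalid_reason(name):
    """Return why `name` cannot be a DNS identifier, or None if it looks fine."""
    if "/" in name:
        return "looks like a URL or path"
    if ":" in name:
        return "contains ':' (port or scheme)"
    host = name[2:] if name.startswith("*.") else name  # allow a wildcard
    if len(host) > 253:
        return "longer than 253 characters"
    for label in host.split("."):
        if not LABEL_RE.match(label):
            return "bad label %r" % label
    return None


def requested_domains(args):
    """Collect every value passed via -d / --domains / --domain."""
    values = []
    it = iter(args)
    for arg in it:
        if arg in DOMAIN_FLAGS:
            values.append(next(it, ""))  # value is the following argument
        elif arg.startswith(("--domains=", "--domain=")):
            values.append(arg.split("=", 1)[1])
    return [d.strip() for v in values for d in v.split(",") if d.strip()]


def scan_log(lines):
    """Return (timestamp, domain, reason) for each unusable domain argument."""
    findings = []
    for line in lines:
        m = ARGS_RE.match(line)
        if not m:
            continue  # not an "Arguments:" line
        for domain in requested_domains(ast.literal_eval(m.group(2))):
            reason = invalid_reason(domain)
            if reason:
                findings.append((m.group(1), domain, reason))
    return findings


SAMPLE_LOG = [
    # First line is from the thread's log; the remaining lines are constructed.
    "2021-02-26 21:51:48,894:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'ws.houseberry.io:8000']",
    "2021-03-01 06:43:01,120:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'example.com,www.example.com']",
    "2021-03-02 10:15:30,004:DEBUG:certbot._internal.main:Arguments: ['--nginx', '--domains=https://example.org']",
]
```

Calling `scan_log(open("/var/log/letsencrypt/letsencrypt.log"))` on a real log gives the timestamp of each invocation that passed a bad name, which can then be matched against cron entries and shell history.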
