Renew is creating new directories?

For most of the certs I get from Let’s Encrypt, they get updated into their own directories (/etc/letsencrypt/live/domain & /etc/letsencrypt/archive/domain)

For one of the domains I use LE for, upon renewal, it’s generating new subdirectories - /etc/letsencrypt/live/domain-000n & /etc/letsencrypt/archive/domain-000n

Why is the renewal failing for one domain, but not others?


Hi @wizzardude,

This means that you specified a different set of domains (probably partially but not completely overlapping) for your renewal. Thus, this is being tracked as a distinct certificate and both of them will be renewed in the future.

For example, if you had a certificate covering www.example.com, example.com, www.example.net, and example.net, and then you asked for a new certificate covering www.example.com, example.com, newsite.example.com, and example.net, this would probably result in a certificate lineage called www.example.com-0001 because it doesn’t cover www.example.net.

You can find out the coverage of each of these certificates by running certbot certificates, and then you can see how they’re different.

Edit: This can also happen if you add the --duplicate option to your command line or your cli.ini.

Except this domain (nc.antipaucity.com) has only ever been itself :expressionless:

Also - why would it be appending a new value at the end of the -000 (1, 2, 3, currently 4, etc) on running the same renewal?

You have some certificates for just nc.antipaucity.com and some for nc.antipaucity.com and office.antipaucity.com. If you request a “subset cert” (my own jargon) that covers a smaller number of names, Certbot tries to create that as a duplicate (with -0001) instead of changing the larger certificate to cover only the smaller set. My guess is that perhaps

  • you first requested nc.antipaucity.com, which created the nc.antipaucity.com certificate lineage
  • later you requested nc.antipaucity.com and office.antipaucity.com, which made Certbot offer to expand nc.antipaucity.com to cover both
  • still later, you requested only nc.antipaucity.com, which made Certbot create nc.antipaucity.com-0001 covering only that domain (without office), because this was a subset cert
  • now, you have both (nc.antipaucity.com covering nc and office, and nc.antipaucity.com-0001 covering only nc)

I have separate calls to Let’s Encrypt for both of those domains (nc.antipaucity.com and office.antipaucity.com) … never had them together … so why would LE think they should be coupled?

If you used certbot --apache or certbot --nginx, it would have defaulted to wanting to obtain a single certificate covering all of the domain names that that server was serving.

Otherwise, I’d need to see what commands you ran in order to try to explain it.

I use: letsencrypt-auto -t -n --agree-tos --keep --expand --standalone certonly --rsa-key-size 4096 -m <email> -d nc.antipaucity.com

To generate and renew all of my domains (with different -d arguments for each one, of course). I have a few certs that cover more than one domain/subdomain.

But nc. and office. are not among those

Maybe never is not the right word :slight_smile: On 21st July you created a cert covering both domains: crt.sh | 176293914

CRT ID     DOMAIN (CN)             VALID FROM              VALID TO                EXPIRES IN  SANs
176293914  nc.antipaucity.com      2017-Jul-21 15:06 CEST  2017-Oct-19 15:06 CEST  19 days     nc.antipaucity.com
                                                                                               office.antipaucity.com

hmmm - that’s odd :expressionless:

Maybe you still have the commands in your command history if you run history | grep certbot?

my history only goes back to about mid August … nothing showing the duplicate domain request since then

how can I split those certs back apart?

If you don’t have any references to the -0001 cert in your web server configuration, you could do

certbot delete --cert-name nc.antipaucity.com-0001

certbot certonly --force-renewal --cert-name nc.antipaucity.com -d nc.antipaucity.com # plus any authentication options that you needed before, like --standalone

certbot certonly --force-renewal --cert-name office.antipaucity.com -d office.antipaucity.com # plus any authentication options that you needed before, like --standalone

If you do have references to the -0001 cert in the web server configuration, you should change those to point at the other cert before running the delete command.
