Renew is creating new directories?

For most of the certs I get from Let’s Encrypt, they get updated into their own directories (/etc/letsencrypt/live/domain & /etc/letsencrypt/archive/domain)

For one of the domains I use LE for, upon renewal, it’s generating new subdirectories - /etc/letsencrypt/live/domain-000n & /etc/letsencrypt/archive/domain-000n

Why is the renewal failing for one domain, but not others?

Hi @wizzardude,

This means that you specified a different set of domains (probably partially but not completely overlapping) for your renewal. Thus, this is being tracked as a distinct certificate and both of them will be renewed in the future.

For example, if you had a certificate covering www.example.com, example.com, www.example.net, and example.net, and then you asked for a new certificate covering www.example.com, example.com, newsite.example.com, and example.net, this would probably result in a certificate lineage called www.example.com-0001 because it doesn’t cover www.example.net.

You can find out the coverage of each of these certificates by running certbot certificates, and then you can see how they’re different.

Edit: This can also happen if you add the --duplicate option to your command line or your cli.ini.

Except this domain (nc.antipaucity.com) has only ever been itself :expressionless:

Also - why would it be appending a new value at the end of the -000 (1, 2, 3, currently 4, etc) on running the same renewal?

You have some certificates for just nc.antipaucity.com and some for nc.antipaucity.com and office.antipaucity.com. If you request a “subset cert” (my own jargon) that covers a smaller number of names, Certbot tries to make that a duplicate (with -0001) instead of changing the larger certificate to cover only the smaller set. My guess is that perhaps

  • you first requested nc.antipaucity.com, which created the nc.antipaucity.com certificate lineage
  • later you requested nc.antipaucity.com and office.antipaucity.com, which made Certbot offer to expand nc.antipaucity.com to cover both
  • still later, you requested only nc.antipaucity.com, which made Certbot create nc.antipaucity.com-0001 covering only that domain (without office), because this was a subset cert
  • now, you have both (nc.antipaucity.com covering nc and office, and nc.antipaucity.com-0001 covering only nc)

I have separate calls to Let’s Encrypt for both of those domains (nc.antipaucity.com and office.antipaucity.com) … never had them together … so why would LE think they should be coupled?

If you used certbot --apache or certbot --nginx, it would have defaulted to wanting to obtain a single certificate covering all of the domain names that that server was serving.

Otherwise, I’d need to see what commands you ran in order to try to explain it.

I use: letsencrypt-auto -t -n --agree-tos --keep --expand --standalone certonly --rsa-key-size 4096 -m <email> -d nc.antipaucity.com

To generate and renew all of my domains (with different -d arguments for each one, of course). I have a few certs that cover more than one domain/subdomain.

But nc. and office. are not among those

Maybe never is not the right word :slight_smile: On 21st July you created a cert covering both domains: crt.sh | 176293914

CRT ID     DOMAIN (CN)             VALID FROM              VALID TO                EXPIRES IN  SANs
176293914  nc.antipaucity.com      2017-Jul-21 15:06 CEST  2017-Oct-19 15:06 CEST  19 days     nc.antipaucity.com
                                                                                               office.antipaucity.com

hmmm - that’s odd :expressionless:

Maybe you still have the commands in your command history if you run history | grep certbot?

my history only goes back to about mid August … nothing showing the duplicate domain request since then

how can I split those certs back apart?

If you don’t have any references to the -0001 cert in your web server configuration, you could do

certbot delete --cert-name nc.antipaucity.com-0001

certbot certonly --force-renewal --cert-name nc.antipaucity.com -d nc.antipaucity.com # plus any authentication options that you needed before, like --standalone

certbot certonly --force-renewal --cert-name office.antipaucity.com -d office.antipaucity.com # plus any authentication options that you needed before, like --standalone

If you do have references to the -0001 cert in the web server configuration, you should change those to point at the other cert before running the delete command.
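The two checks the replies above describe (reading the coverage of each lineage out of certbot certificates, and making sure nothing in the web server configuration still points at the -0001 lineage before it is deleted) can be scripted. The following is an added example written for this page; it is not code from the thread, from Certbot, or from Let’s Encrypt. It parses a constructed sample of certbot certificates output (the lineage names mirror the thread, the expiry dates and a third lineage for office.antipaucity.com are assumptions), flags every <name>-NNNN lineage whose domain set is a subset of another lineage, scans a directory of config files for the /etc/letsencrypt/live/<name>/ path, and prints the split-apart commands from the last reply, assuming --standalone as the authentication option and one certificate per hostname, as the poster uses. It only prints the commands; it never runs certbot.

```python
"""Find duplicate Certbot lineages and check configs for references before
deleting them. Added example for this page; not Certbot's own code."""
import os
import re
import tempfile

# Constructed sample of `certbot certificates` output (the "Certificate Name:"
# and "Domains:" lines are the ones the parser relies on). Dates are made up.
SAMPLE_CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: nc.antipaucity.com
    Domains: nc.antipaucity.com office.antipaucity.com
    Expiry Date: 2017-10-19 13:06:00+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/nc.antipaucity.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nc.antipaucity.com/privkey.pem
  Certificate Name: nc.antipaucity.com-0001
    Domains: nc.antipaucity.com
    Expiry Date: 2017-12-01 10:00:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/nc.antipaucity.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nc.antipaucity.com-0001/privkey.pem
  Certificate Name: office.antipaucity.com
    Domains: office.antipaucity.com
    Expiry Date: 2017-12-01 10:00:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/office.antipaucity.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/office.antipaucity.com/privkey.pem
"""

SUFFIX = re.compile(r"^(.+)-(\d{4})$")  # lineage names like example.com-0001


def parse_certificates(text):
    """Return {lineage_name: set(domains)} from `certbot certificates` output."""
    lineages, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = set()
            continue
        m = re.match(r"\s*Domains:\s*(.*)", line)
        if m and current:
            lineages[current] = set(m.group(1).split())
    return lineages


def duplicate_lineages(lineages):
    """(dup, covering) pairs: a -NNNN lineage whose domains are a subset of
    another lineage's domains, i.e. the 'subset cert' from the thread."""
    out = []
    for name, doms in lineages.items():
        if not SUFFIX.match(name):
            continue
        for other, odoms in lineages.items():
            if other != name and doms <= odoms:
                out.append((name, other))
                break
    return sorted(out)


def find_references(lineage, config_dirs):
    """Config files that mention /etc/letsencrypt/live/<lineage>/."""
    needle = "/etc/letsencrypt/live/%s/" % lineage
    hits = []
    for d in config_dirs:
        for root, _, files in os.walk(d):
            for f in files:
                path = os.path.join(root, f)
                try:
                    with open(path, errors="replace") as fh:
                        if needle in fh.read():
                            hits.append(path)
                except OSError:
                    continue
    return sorted(hits)


def plan(lineages, config_dirs, auth_opts="--standalone"):
    """Commands to split a duplicate back out, or a note naming the config
    files that must be repointed before `certbot delete` is safe."""
    cmds = []
    for dup, covering in duplicate_lineages(lineages):
        refs = find_references(dup, config_dirs)
        if refs:
            cmds.append("# %s is still referenced by %s; repoint those files first"
                        % (dup, " ".join(refs)))
            continue
        keep = lineages[dup]                 # domains the covering lineage shrinks to
        rest = lineages[covering] - keep     # domains that need their own lineage
        cmds.append("certbot delete --cert-name %s" % dup)
        cmds.append("certbot certonly --force-renewal %s --cert-name %s %s"
                    % (auth_opts, covering, " ".join("-d " + d for d in sorted(keep))))
        for d in sorted(rest):
            if lineages.get(d) != {d}:       # skip hostnames that already have their own cert
                cmds.append("certbot certonly --force-renewal %s --cert-name %s -d %s"
                            % (auth_opts, d, d))
    return cmds


def make_sample_config_dir():
    """Constructed nginx-style snippet that still points at the -0001 lineage."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "nc.conf"), "w") as fh:
        fh.write("ssl_certificate /etc/letsencrypt/live/nc.antipaucity.com-0001/fullchain.pem;\n")
    return d


if __name__ == "__main__":
    lin = parse_certificates(SAMPLE_CERTBOT_OUTPUT)
    for name in sorted(lin):
        print(name, sorted(lin[name]))
    print("\n".join(plan(lin, [make_sample_config_dir()])))
    print("\n".join(plan(lin, [])))
```

On a real host, feed it `certbot certificates` output and the web server’s configuration directories (for example /etc/nginx or /etc/apache2) instead of the constructed sample; the delete command is only printed when no file under those directories references the duplicate lineage.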