Renew is creating new directories?

For most of the certs I get from Let’s Encrypt, they get updated into their own directories (/etc/letsencrypt/live/domain & /etc/letsencrypt/archive/domain)

For one of the domains I use LE for, upon renewal, it’s generating new subdirectories - /etc/letsencrypt/live/domain-000n & /etc/letsencrypt/archive/domain-000n

Why is the renewal failing for one domain, but not others?

Hi @wizzardude,

This means that you specified a different set of domains (probably partially but not completely overlapping) for your renewal. Thus, this is being tracked as a distinct certificate and both of them will be renewed in the future.

For example, if you had a certificate covering,,, and, and then you asked for a new certificate covering,,, and, this would probably result in a certificate lineage called because it doesn’t cover

You can find out the coverage of each of these certificates by running certbot certificates, and then you can see how they’re different.

Edit: This can also happen if you add the --duplicate option to your command line or your cli.ini.

Except this domain ( has only ever been itself :expressionless:

Also - why would it be appending a new value at the end of the -000 (1, 2, 3, currently 4, etc) on running the same renewal?

You have some certificates for just and some for and If you request a “subset cert” (my own jargon) that covers a smaller number of names, Certbot tried to make that as a duplicate (with -0001) instead of changing the larger certificate to cover only the smaller set. My guess is that perhaps

  • you first requested, which created the certificate lineage
  • later you requested and, which made Certbot offer to expand to cover both
  • still later, you requested only, which made Certbot create covering only that domain (without office), because this was a subset cert
  • now, you have both ( covering nc and office, and covering only nc)
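An added example, not part of the original replies or of Certbot itself: a small parser for the text printed by `certbot certificates` that flags lineages whose domain sets overlap, which is the situation described in the list above. The `example.com` names and the sample listing are constructed placeholders, and the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed sample in the layout printed by `certbot certificates`;
# the example.com names are placeholders, not the domains from this thread.
SAMPLE = """\
Found the following certs:
  Certificate Name: nc.example.com
    Domains: nc.example.com office.example.com
    Expiry Date: 2017-10-19 13:06:00+00:00 (VALID: 19 days)
  Certificate Name: nc.example.com-0001
    Domains: nc.example.com
    Expiry Date: 2017-12-01 09:00:00+00:00 (VALID: 62 days)
  Certificate Name: mail.example.com
    Domains: mail.example.com
    Expiry Date: 2017-11-20 09:00:00+00:00 (VALID: 51 days)
"""

def parse_lineages(text):
    """Return {lineage name: frozenset of domains} from the listing text."""
    lineages, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and name:
            lineages[name] = frozenset(m.group(1).split())
    return lineages

def find_overlaps(lineages):
    """Return (name_a, name_b, kind, shared names) for lineages sharing a name."""
    findings = []
    for (a, da), (b, db) in combinations(sorted(lineages.items()), 2):
        shared = da & db
        if not shared:
            continue
        if da == db:
            kind = "duplicate"        # same names, e.g. created with --duplicate
        elif da < db or db < da:
            kind = "subset"           # one lineage covers only part of the other
        else:
            kind = "partial-overlap"  # each has names the other lacks
        findings.append((a, b, kind, sorted(shared)))
    return findings

if __name__ == "__main__":
    for a, b, kind, shared in find_overlaps(parse_lineages(SAMPLE)):
        print(f"{kind}: {a} and {b} share {', '.join(shared)}")
```

To check a real host, pass the captured output of `certbot certificates` to `parse_lineages` in place of `SAMPLE`.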

I have separate calls to Let’s Encrypt for both of those domains ( and … never had them together … so why would LE think they should be coupled?

If you used certbot --apache or certbot --nginx, it would have defaulted to wanting to obtain a single certificate covering all of the domain names that that server was serving.

Otherwise, I’d need to see what commands you ran in order to try to explain it.

I use: letsencrypt-auto -t -n --agree-tos --keep --expand --standalone certonly --rsa-key-size 4096 -m <email> -d

To generate and renew all of my domains (with different -d arguments for each one, of course). I have a few certs that cover more than one domain/subdomain.

But nc. and office. are not among those

Maybe never is not the right word :slight_smile: 21st July you created a cert covering both domains

CRT ID     DOMAIN (CN)             VALID FROM              VALID TO                EXPIRES IN  SANs
176293914      2017-Jul-21 15:06 CEST  2017-Oct-19 15:06 CEST  19 days

hmmm - that’s odd :expressionless:

Maybe you still have the commands in your command history if you run history | grep certbot?

my history only goes back to about mid August … nothing showing the duplicate domain request since then

how can I split those certs back apart?

If you don’t have any references to the -0001 cert in your web server configuration, you could do

certbot delete --cert-name

certbot certonly --force-renewal --cert-name -d # plus any authentication options that you needed before, like --standalone

certbot certonly --force-renewal --cert-name -d # plus any authentication options that you needed before, like --standalone

If you do have references to the -0001 cert in the web server configuration, you should change those to point at the other cert before running the delete command.
