Most of the certs I get from Let’s Encrypt get updated into their own directories (/etc/letsencrypt/live/domain & /etc/letsencrypt/archive/domain).
For one of the domains I use LE for, upon renewal it’s generating new subdirectories: /etc/letsencrypt/live/domain-000n & /etc/letsencrypt/archive/domain-000n.
Why is the renewal failing for one domain, but not others?
This means that you specified a different set of domains (probably partially but not completely overlapping) for your renewal. Thus, this is being tracked as a distinct certificate and both of them will be renewed in the future.
For example, if you had a certificate covering www.example.com, example.com, www.example.net, and example.net, and then you asked for a new certificate covering www.example.com, example.com, newsite.example.com, and example.net, this would probably result in a certificate lineage called www.example.com-0001 because it doesn’t cover www.example.net.
You can find out the coverage of each of these certificates by running certbot certificates, and then you can see how they’re different.
Edit: This can also happen if you add the --duplicate option to your command line or your
Except this domain (nc.antipaucity.com) has only ever been itself.
Also, why would it be appending a new value at the end of the -000 (1, 2, 3, currently 4, etc.) on running the same renewal?
You have some certificates for just nc.antipaucity.com and some for nc.antipaucity.com and office.antipaucity.com. If you request a “subset cert” (my own jargon) that covers a smaller number of names, Certbot tries to make that as a duplicate (with -0001) instead of changing the larger certificate to cover only the smaller set. My guess is that perhaps
- you first requested nc.antipaucity.com, which created the nc.antipaucity.com certificate lineage
- later you requested nc.antipaucity.com and office.antipaucity.com, which made Certbot offer to expand nc.antipaucity.com to cover both
- still later, you requested only nc.antipaucity.com, which made Certbot create nc.antipaucity.com-0001 covering only that domain (without office), because this was a subset cert
- now, you have both (nc.antipaucity.com covering nc and office, and nc.antipaucity.com-0001 covering only nc)
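As an added illustration (my own script, not Certbot’s code and not something posted in this thread), this parses the human-readable output of certbot certificates and reports every lineage whose domain set is fully covered by another lineage, which is exactly how a -0001 subset cert shows up. The sample output is constructed for the example, with names taken from the thread.

```python
"""Flag certbot lineages whose domains are a subset of another lineage's."""
from typing import Dict, List, Set, Tuple

# Constructed sample of `certbot certificates` output (not captured from a real
# system); the field names follow certbot's listing, the values the thread.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: nc.antipaucity.com
    Domains: nc.antipaucity.com office.antipaucity.com
    Certificate Path: /etc/letsencrypt/live/nc.antipaucity.com/fullchain.pem
  Certificate Name: nc.antipaucity.com-0001
    Domains: nc.antipaucity.com
    Certificate Path: /etc/letsencrypt/live/nc.antipaucity.com-0001/fullchain.pem
  Certificate Name: office.antipaucity.com
    Domains: office.antipaucity.com
    Certificate Path: /etc/letsencrypt/live/office.antipaucity.com/fullchain.pem
"""


def parse_lineages(text: str) -> Dict[str, Set[str]]:
    """Map each 'Certificate Name' to the set of names on its 'Domains' line."""
    lineages: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = set()
        elif line.startswith("Domains:") and current is not None:
            lineages[current] = set(line.split(":", 1)[1].split())
    return lineages


def find_subset_lineages(lineages: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return sorted (smaller, larger) pairs where every name in 'smaller' is
    also in 'larger'; 'smaller' is a candidate for certbot delete --cert-name."""
    pairs = []
    for small, small_names in lineages.items():
        for large, large_names in lineages.items():
            if small != large and small_names and small_names <= large_names:
                pairs.append((small, large))
    return sorted(pairs)


if __name__ == "__main__":
    for small, large in find_subset_lineages(parse_lineages(SAMPLE_OUTPUT)):
        print(f"{small} is fully covered by {large}")
```

Check the web server configuration for references to the smaller lineage's live/ path before deleting it.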
I have separate calls to Let’s Encrypt for both of those domains (nc.antipaucity.com and office.antipaucity.com) … never had them together … so why would LE think they should be coupled?
If you used certbot --apache or certbot --nginx, it would have defaulted to wanting to obtain a single certificate covering all of the domain names that that server was serving.
Otherwise, I’d need to see what commands you ran in order to try to explain it.
letsencrypt-auto -t -n --agree-tos --keep --expand --standalone certonly --rsa-key-size 4096 -m <email> -d nc.antipaucity.com
to generate and renew all of my domains (with different -d arguments for each one, of course). I have a few certs that cover more than one domain/subdomain.
But nc. and office. are not among those.
Maybe never is not the right word: on 21st July you created a cert covering both domains, https://crt.sh/?id=176293914
CRT ID DOMAIN (CN) VALID FROM VALID TO EXPIRES IN SANs
176293914 nc.antipaucity.com 2017-Jul-21 15:06 CEST 2017-Oct-19 15:06 CEST 19 days nc.antipaucity.com
Maybe you still have the commands in your command history if you run history | grep certbot?
My history only goes back to about mid August … nothing showing the duplicate domain request since then.
How can I split those certs back apart?
If you don’t have any references to the -0001 cert in your web server configuration, you could do
certbot delete --cert-name nc.antipaucity.com-0001
certbot certonly --force-renewal --cert-name nc.antipaucity.com -d nc.antipaucity.com # plus any authentication options that you needed before, like --standalone
certbot certonly --force-renewal --cert-name office.antipaucity.com -d office.antipaucity.com # plus any authentication options that you needed before, like --standalone
If you do have references to the -0001 cert in the web server configuration, you should change those to point at the other cert before running the