Renew is creating new directories?

For most of the certs I get from Let’s Encrypt, they get updated into their own directories (/etc/letsencrypt/live/domain & /etc/letsencrypt/archive/domain)

For one of the domains I use LE for, upon renewal, it’s generating new subdirectories - /etc/letsencrypt/live/domain-000n & /etc/letsencrypt/archive/domain-000n

Why is the renewal failing for one domain, but not others?

1 Like

Hi @wizzardude,

This means that you specified a different set of domains (probably partially but not completely overlapping) for your renewal. Thus, this is being tracked as a distinct certificate and both of them will be renewed in the future.

For example, if you had a certificate covering www.example.com, example.com, www.example.net, and example.net, and then you asked for a new certificate covering www.example.com, example.com, newsite.example.com, and example.net, this would probably result in a certificate lineage called www.example.com-0001 because it doesn’t cover www.example.net.

You can find out the coverage of each of these certificates by running certbot certificates, and then you can see how they’re different.

Edit: This can also happen if you add the --duplicate option to your command line or your cli.ini.

Except this domain (nc.antipaucity.com) has only ever been itself :expressionless:

Also - why would it be appending a new value at the end of the -000 (1, 2, 3, currently 4, etc) on running the same renewal?

You have some certificates for just nc.antipaucity.com and some for nc.antipaucity.com and office.antipaucity.com. If you request a “subset cert” (my own jargon) that covers a smaller number of names, Certbot tried to make that as a duplicate (with -0001) instead of changing the larger certificate to cover only the smaller set. My guess is that perhaps

  • you first requested nc.antipaucity.com, which created the nc.antipaucity.com certificate lineage
  • later you requested nc.antipaucity.com and office.antipaucity.com, which made Certbot offer to expand nc.antipaucity.com to cover both
  • still later, you requested only nc.antipaucity.com, which made Certbot create nc.antipaucity.com-0001 covering only that domain (without office), because this was a subset cert
  • now, you have both (nc.antipaucity.com covering nc and office, and nc.antipaucity.com-0001 covering only nc)

I have separate calls to Let’s Encrypt for both of those domains (nc.antipaucity.com and office.antipaucity.com) … never had them together … so why would LE think they should be coupled?

If you used certbot --apache or certbot --nginx, it would have defaulted to wanting to obtain a single certificate covering all of the domain names that that server was serving.

Otherwise, I’d need to see what commands you ran in order to try to explain it.

I use: letsencrypt-auto -t -n --agree-tos --keep --expand --standalone certonly --rsa-key-size 4096 -m <email> -d nc.antipaucity.com

To generate and renew all of my domains (with different -d arguments for each one, of course). I have a few certs that cover more than one domain/subdomain.

But nc. and office. are not among those

Maybe never is not the right word :slight_smile: 21st July you created a cert covering both domains https://crt.sh/?id=176293914

CRT ID     DOMAIN (CN)             VALID FROM              VALID TO                EXPIRES IN  SANs
176293914  nc.antipaucity.com      2017-Jul-21 15:06 CEST  2017-Oct-19 15:06 CEST  19 days     nc.antipaucity.com
                                                                                               office.antipaucity.com

hmmm - that’s odd :expressionless:

Maybe you still have the commands in your command history if you run history | grep certbot?

my history only goes back to about mid August … nothing showing the duplicate domain request since then

how can I split those certs back apart?

If you don’t have any references to the -0001 cert in your web server configuration, you could do

certbot delete --cert-name nc.antipaucity.com-0001

certbot certonly --force-renewal --cert-name nc.antipaucity.com -d nc.antipaucity.com # plus any authentication options that you needed before, like --standalone

certbot certonly --force-renewal --cert-name office.antipaucity.com -d office.antipaucity.com # plus any authentication options that you needed before, like --standalone

If you do have references to the -0001 cert in the web server configuration, you should change those to point at the other cert before running the delete command.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.