Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: backoffice.cyna.org, members.cyna.org
I ran this command:certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/backoffice.cyna.org.conf
Renewing an existing certificate for backoffice.cyna.org and members.cyna.org
Failed to renew certificate backoffice.cyna.org with error: list index out of range
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/backoffice.cyna.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): Nginx
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):4.0
1 Like
Welcome @sarahk238
That is an unusual problem especially since you were previously renewing just fine.
I see you got a cert after you posted but it only includes one of those domain names. Have you discovered the problem and still working on it? Or would you like help?
The "list index out of range" is probably related to something in your nginx config. Did something change since your last good renewal in Feb?
Would you post the output of the below command
sudo nginx -T
An upper case T is essential. Or, upload the config.txt resulting from this:
sudo nginx -T >config.txt
You probably have multiple Certbot renewal configs now so please show this too
sudo certbot certificates
3 Likes
No nothing has changed.
It used to cover both subdomains with one cert but it seems that doesn't work now.
I got it to work by doing certonly and using option 2 - it created a new folder for the certs. I did the same for each subdomain and it seems fine now.
I didn't change anything in the nginx setup and have no idea why it didn't work this time but at leaset I found a solution. Thanks for taking the time to consider the issue.
1 Like
Please provide the entire log file. With the current very short summary it's not easy to diagnose the problem.
Also, please provide the contents of /etc/letsencrypt/renewal/backoffice.cyna.org.conf.
1 Like
Do you still have the Certbot cert config with both your domain names in it? If so, you should delete that since you are no longer using it. It will continue to run and fail which is wasteful (and may be confusing).
Show
sudo certbot certificates
And use this if you still have one you don't use
sudo certbot delete --cert-name X
Where X is the certificate name from the certificates list.
4 Likes
The config never had both subdomains, that's the weird thing. I was looking for this but then remembered that when I set this up, there was instructions that both would be covered by doing the one and that worked until now.
That's possibly where the error came from - it was trying to find configs for both subdomains but found only one?
I've deleted the original and now have separate configs for each subdomain.
Well, the certificate previously did starting last Aug. And renewed consistently every 60 days until "missing" in early April. Something in your system likely changed after Feb3.
Had you provided the info we'd asked for earlier we may have been able to pinpoint what that was. But, you have a working system so not sure that's time well spent now. Just fyi, it is extremely common to have multiple domains in one cert and to cross multiple server blocks. So, something more unique about your system would have been different to cause this problem.
I prefer each server block to have its own certificate anyway. It makes certain management tasks easier. I am guessing these two subdomains are in their own server blocks so that would have been my suggestion anyway.
2 Likes
