Renewal fails after change of domain name

My sites work fine, but the certificates are expiring soon and auto-renewal and manual renewal both fail. Auto-renewal worked fine before I changed the domain name. I assume that the domain name change is the source of the renewal problem, but I don't know that for sure. I haven't changed anything else on the server, however.

My domain is:

Old domain: physanth.org
New domain: bioanth.org

I ran this command:

sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/anthro.vancouver.wsu.edu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for bioanth.org and 6 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: app.physanth.org
  Type:   unauthorized
  Detail: 2606:4700:3034::ac43:8ee3: Invalid response from http://bioanth.org/.well-known/acme-challenge/wBty2MXgKNwdIPIs_Y29yCC_wf09A43to5Fkjny5QkQ: 404

  Domain: meeting.physanth.org
  Type:   unauthorized
  Detail: 2606:4700:3036::6815:2ede: Invalid response from http://bioanth.org/.well-known/acme-challenge/WkR_YN4d6tbv7rOIMuTq4rzqf-vY8aZASw5UvIaSypk: 404

  Domain: physanth.org
  Type:   unauthorized
  Detail: 2606:4700:3036::6815:2ede: Invalid response from http://bioanth.org/.well-known/acme-challenge/T1kIrO42KkzQVQcuvXxqLJ8e-Jv4iPTyTmnNTpgdi0Q: 404

  Domain: www.physanth.org
  Type:   unauthorized
  Detail: 2606:4700:3034::ac43:8ee3: Invalid response from http://bioanth.org/.well-known/acme-challenge/vlDTlbVUSW9D2N9GN3EM_Oy4IQQ4EfKskneMjXw2ZIU: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate anthro.vancouver.wsu.edu with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bioanth.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for bioanth.org and 6 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: physanth.org
  Type:   unauthorized
  Detail: 2606:4700:3034::ac43:8ee3: Invalid response from http://bioanth.org/.well-known/acme-challenge/cweI6ZHT-t8PEBr2aCyB3iUA4g4ZcVDxzOV5MjptTG4: 404

  Domain: www.physanth.org
  Type:   unauthorized
  Detail: 2606:4700:3034::ac43:8ee3: Invalid response from http://bioanth.org/.well-known/acme-challenge/wuV2wBXcPa4Gf8inkigN27xxsCCjsl7a1SD47-LbvYM: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate bioanth.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/anthro.vancouver.wsu.edu/fullchain.pem (failure)
  /etc/letsencrypt/live/bioanth.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 18.04.3

My hosting provider, if applicable, is:

n/a

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.30.0

More info:

edhagen@anthro:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: anthro.vancouver.wsu.edu
    Serial Number: 36287396805393341b518808afb7d13c8a6
    Key Type: RSA
    Domains: bioanth.org anthro.vancouver.wsu.edu app.physanth.org meeting.physanth.org physanth.org www.bioanth.org www.physanth.org
    Expiry Date: 2022-09-30 19:47:18+00:00 (VALID: 7 days)
    Certificate Path: /etc/letsencrypt/live/anthro.vancouver.wsu.edu/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/anthro.vancouver.wsu.edu/privkey.pem
  Certificate Name: bioanth.org
    Serial Number: 42d69775010cbee51b7fe69cf796382a0c4
    Key Type: RSA
    Domains: bioanth.org anthro.vancouver.wsu.edu app.bioanth.org meeting.bioanth.org physanth.org www.bioanth.org www.physanth.org
    Expiry Date: 2022-09-30 20:06:21+00:00 (VALID: 7 days)
    Certificate Path: /etc/letsencrypt/live/bioanth.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bioanth.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
edhagen@anthro:~$ ls -l /etc/nginx/sites-enabled/
total 0
lrwxrwxrwx 1 root root 33 Feb  2  2019 anthro -> /etc/nginx/sites-available/anthro
lrwxrwxrwx 1 root root 30 Nov 10  2020 app -> /etc/nginx/sites-available/app
lrwxrwxrwx 1 root root 34 Jul  2 12:46 bioanth -> /etc/nginx/sites-available/bioanth
lrwxrwxrwx 1 root root 34 Nov  9  2020 meeting -> /etc/nginx/sites-available/meeting
edhagen@anthro:~$ ls -l /etc/nginx/sites-available/
total 24
-rw-r--r-- 1 root root 1418 Jul  2 14:06 anthro
-rw-r--r-- 1 root root  674 Jul  2 14:06 app
-rw-r--r-- 1 root root 1806 Jul  2 14:06 bioanth
-rw-r--r-- 1 root root 2416 Apr  5  2018 default
-rw-r--r-- 1 root root 1072 Jul  2 14:06 meeting
-rw-r--r-- 1 root root 1813 Jul  2 14:06 physanth

By the way, I'm an anthropology professor, not a server admin, so my admin skills are limited. Many thanks for any help you can provide.

1 Like

Hi @grasshoppermouse,

If I understand the output that you pasted above, it looks like you have existing certificates which cover several different domain names, including your old domain name physanth.org as well as your new domain name bioanth.org.

The problem you're encountering has to do with the fact that the Let's Encrypt certificate authority requires you to prove continued control over every name listed on a certificate in order to receive a new certificate with those same names (which we refer to as a renewal certificate).

One option, if you're not going to use physanth.org at all anymore, is to tell Certbot to replace your existing certificate with a new one covering a different (smaller) set of names, like

certbot certonly --cert-name anthro.vancouver.wsu.edu -d bioanth.org -d anthro.vancouver.wsu.edu -d www.bioanth.org -d www.physanth.org

and

certbot certonly --cert-name bioanth.org -d bioanth.org -d anthro.vancouver.wsu.edu -d app.bioanth.org -d meeting.bioanth.org -d www.bioanth.org

These should succeed because they are no longer listing physanth.org names on the newly-requested certificate. The old certificates will then be replaced by newer ones with fewer names on them.

One thing to understand about this is that you can change the coverage of any existing certificate this way, but you should always use -d options to list every name that's meant to be included in the new certificate. It always wants a complete list.

Once the certificate coverage is correct, certbot renew should work as usual to obtain replacement certificates with no changes in name coverage.

Alternatively, we could look into why the physanth.org proof-of-control process is now failing (which might have to do with any DNS or configuration changes that you may have made since the last time the certificate was obtained).

6 Likes
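The coverage-replacement step described above, as an added worked script (not part of the thread and not Certbot's own code): it parses the `certbot certificates` and `certbot renew --dry-run` output quoted earlier in the thread, drops every name the CA reported as failing, and builds one `certbot certonly --cert-name ... -d ...` per affected certificate with the complete list of names to keep. The sample inputs are constructed, trimmed copies of that output, and the line-matching rules are assumptions about its layout, not a Certbot API.

```python
import re

# Constructed sample, trimmed from the `certbot certificates` / `certbot renew --dry-run` output above.
CERTIFICATES_OUTPUT = """\
  Certificate Name: anthro.vancouver.wsu.edu
    Domains: bioanth.org anthro.vancouver.wsu.edu app.physanth.org meeting.physanth.org physanth.org www.bioanth.org www.physanth.org
  Certificate Name: bioanth.org
    Domains: bioanth.org anthro.vancouver.wsu.edu app.bioanth.org meeting.bioanth.org physanth.org www.bioanth.org www.physanth.org
"""
DRY_RUN_OUTPUT = """\
Processing /etc/letsencrypt/renewal/anthro.vancouver.wsu.edu.conf
  Domain: app.physanth.org
  Domain: meeting.physanth.org
  Domain: physanth.org
  Domain: www.physanth.org
Processing /etc/letsencrypt/renewal/bioanth.org.conf
  Domain: physanth.org
  Domain: www.physanth.org
"""

def parse_certificates(text):
    # {cert_name: [domains in original order]}; the first -d name becomes the CN
    certs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            certs[current] = []
        elif line.startswith("Domains:") and current:
            certs[current] = line.split(":", 1)[1].split()
    return certs

def parse_failed_domains(text):
    # {cert_name: {names the CA reported as failing}}, grouped by "Processing" block
    failed, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Processing /etc/letsencrypt/renewal/(.+)\.conf$", line.strip())
        if m:
            current = m.group(1)
            failed[current] = set()
        elif current and line.strip().startswith("Domain:"):
            failed[current].add(line.split(":", 1)[1].strip())
    return failed

def replacement_commands(certs, failed):
    # One `certbot certonly` per affected certificate, listing the COMPLETE set of
    # names to keep: certbot replaces the coverage, it does not merge with the old one.
    cmds = {}
    for name, domains in certs.items():
        keep = [d for d in domains if d not in failed.get(name, set())]
        if keep and keep != domains:
            cmds[name] = "certbot certonly --cert-name " + name + " " + " ".join("-d " + d for d in keep)
    return cmds
```

For the first certificate the generated command also drops www.physanth.org, since the dry run reported it as failing; review each generated list before running it.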

I won't be using physanth.org anymore, so I think this is exactly what I need. I have a couple more questions before I go ahead and run those commands.

I was surprised to see that I have two certificates that include many of the same names. I suspect I must have accidentally created a second one. Is there any reason I need two certificates? If not, should I delete one? How would I do that?

Regarding proof-of-control of physanth.org, DNS for anthro.vancouver.wsu.edu is provided by our university's DNS, but DNS for physanth.org and bioanth.org is provided by cloudflare, and I have cloudflare redirecting physanth.org to bioanth.org. I guess this redirect is causing the problem? But since we no longer need physanth.org, I think removing it from the certificates is the best solution.

Many thanks for your help -- I greatly appreciate it.

1 Like

This depends on the nginx configuration. In theory you only need 1 certificate, but nginx could be using 2. Certbot has a delete command that would let you delete the redundant certificate.

Should you delete it? If you feel confident in auditing the nginx configuration files to see which certificates are used, and possibly editing them to only use one certificate, sure. If you don't feel confident in that, I wouldn't bother touching it.

The cloudflare redirect is probably the problem. It looks like LetsEncrypt is following the redirect from {whatever}.physanth.org/{challenge-path} to bioanth.org/{challenge-path}, but Certbot hasn't configured nginx to serve that.

Removing the physanth domains from the certificates should fix that.

If it doesn't... and you're down to a day, an emergency stopgap is:

  • temporarily disable cloudflare and stop nginx
  • run certbot renew in standalone mode. This will spin up an internal webserver to use for the certificates.
  • re-enable cloudflare and start nginx.

That should allow all the certs to renew and the nginx restart will pick them up. This is an emergency backup plan though. I'm just noting it in case someone else can't help you in time.

(Edited to correctly state “standalone”, not “manual” mode. Thanks @schoen )

5 Likes

Thanks to both of you, I got it working again.

3 Likes

@jvanasco, did you mean "standalone mode" rather than "manual mode" here?

4 Likes

Yes! I’ll edit!

2 Likes