Renewal fails because DNS-lookup fails


#1

Hello!

When I do a letsencrypt-auto renew, where does this command takes the information from, what subdomains should be renewed?
If there was a subdomain chat.domain.de which does not exist anymore, renewal fails because DNS-lookup fails.

How do I remove chat.domain.de from the lookup?

Andreas


#2

start with:
letsencrypt-auto certificates

Which should show you all the certs on that system.
From that list you can take action.

But to answer your question:

There should be one or more .conf files in the /etc/letsencrypt/renewal/ folder with those details.


#3

There is a /etc/letsencrypt/renewal/domain.de.conf but chat.domain.de is not listet there. There are no subdomains listet within it.


#4

When renewing, the list of names itself comes from the existing certificate.

If you got a certificate with, for example:

letsencrypt-auto --apache -d a.example.com -d b.example.com -d c.example.com

and letsencrypt-auto certificates says the name is a.example.com, and you want to replace it with a new certificate that doesn’t include b.example.com, you would have to run:

letsencrypt-auto --cert-name a.example.com --apache -d a.example.com -d c.example.com


#5

Hi @porrier,

Just for the records, there is also an option --allow-subset-of-names that you could use to renew a cert but excluding domains that don’t validate anymore.

--allow-subset-of-names
When performing domain validation, do not consider it a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this system. This option cannot be used with --csr.

Example:

letsencrypt-auto renew --cert-name domain.de --allow-subset-of-names

Said that, my advise is to not use it :wink: Use the example @mnordhoff posted above because you will have control about what is going on and using --allow-subset-of-names could have unexpected results.

Cheers,
sahsanu


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.