Renewal not working on www

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
binomialsoftware.com
I ran this command:
certbot renew
It produced this output:
Cert not yet due for renewal
No renewals were attempted
My web server is (include version):
apache/2.4.48 (Debian)
The operating system my web server runs on is (include version):
Debian GNU/Linux 11 (bullseye) dockered on Ubuntu 21.10
My hosting provider, if applicable, is:
n/a
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.12.0

I have a site (binomialsoftware.com) that had a certificate about to run out so I ran certbot renew which seemed to run fine. Now the certificate for the www.binomialsoftware.com version has expired. binomialsoftware.com works. Running certbot renew now just gives me Cert not yet due for renewal.

Any help would be greatly appreciated

It seems you've removed the www subdomain from your certificate on August 7th this year, if you look at your certificate history: crt.sh | binomialsoftware.com

Solution: re-add the www subdomain to your certificate.


Thx for the help.

I really have no idea how I did that; it certainly wasn't on purpose. I probably spent 20-30 hours to create the first certificate trying different things. I guess you are saying I'm back to square one and have to create the certificate again?


Usually, that would be the most straightforward solution indeed, as certbot does not have an easy method of adding/removing hostnames from an existing certificate. However, that requires knowledge of the original command used to get the certificate in the first place. Sometimes people don't know that command any longer.

It might also be possible to use the renew command in combination with adding new hostnames, but I'm not entirely sure. E.g. something like:

certbot renew --cert-name binomialsoftware.com -d binomialsoftware.com -d www.binomialsoftware.com

First, do a dry-run to make sure everything is working properly:

certbot renew --cert-name binomialsoftware.com -d binomialsoftware.com -d www.binomialsoftware.com --dry-run

If that works, you can change --dry-run for --force-renewal and run the following command just once (because --force-renewal should only be used a single time if it succeeds!). --force-renewal is unfortunately required, as otherwise certbot would claim the certificate is not yet due for renewal. We know, certbot, we know! We just want to change it!

So the final command would be (just once):

certbot renew --cert-name binomialsoftware.com -d binomialsoftware.com -d www.binomialsoftware.com --force-renewal

@e1qj9mftxy If you still need help could you show the contents of this file:

/etc/letsencrypt/renewal/binomialsoftware.com.conf

From that we may be able to derive your original command if the examples @Osiris showed for renew did not work for you.


Thx

I tried the command above with --dry-run and the output was:
"Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future." So I didn't try without --dry-run.
The content of the config file is:

renew_before_expiry = 30 days

version = 1.12.0
archive_dir = /etc/letsencrypt/archive/binomialsoftware.com
cert = /etc/letsencrypt/live/binomialsoftware.com/cert.pem
privkey = /etc/letsencrypt/live/binomialsoftware.com/privkey.pem
chain = /etc/letsencrypt/live/binomialsoftware.com/chain.pem
fullchain = /etc/letsencrypt/live/binomialsoftware.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = fde92e32b66344a8925ead7dcd6b9327
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory


Ok, we may get lucky, try

certbot --apache -d binomialsoftware.com -d www.binomialsoftware.com

It should ask if you want to "expand" cert, confirm that


You could add --cert-name binomialsoftware.com to be absolutely sure.


I got challenge failed for domain www.binomialsoftware.com
DNS problem: NXDOMAIN looking up A for www.binomialsofware.com - check that a DNS record exists for this domain

I tried adding --cert-name. Also, I have checked that I have an A record, but I read somewhere that you also need a CNAME record, which I didn't have, so I created one.

Now I got a message saying:
You are updating certificate binomialsoftware.com to include new domain(s):

You are also removing previously included domain(s):
(None)

Did you intend to make this change?


(U)pdate certificate/(C)ancel: U
Renewing an existing certificate for binomialsoftware.com and www.binomialsofware.com
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt


OK, you just need to wait an hour. Let's Encrypt will reject when you try too many times and fail. Ideally you use --dry-run or --test-cert, but that can be awkward with --apache sometimes, so best to wait.

As to CNAME, it is fine to have a CNAME for www.binomialsoftware.com pointing to the apex name. But it also would have worked to make an A record for www.binomialsoftware.com instead of a CNAME. Perhaps back in August you did have an A record for it but it got removed. Either way, CNAME or A, it should work in an hour.

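Two posts in this thread, the one asking for the renewal conf so the original command can be derived and the one explaining that the failing www name just had to resolve, suggest a small pre-flight script. This is an added example, not certbot's code and not from anyone in the thread: it rebuilds the expand command from [renewalparams] and checks that every requested name resolves before certbot spends a failed authorization. The conf text is a constructed copy of the one posted (the comment line restored), and the plugin-to-flag mapping and the injectable resolver are assumptions.

```python
import socket

# Constructed from the renewal conf quoted in the thread (comment line restored).
RENEWAL_CONF = """\
renew_before_expiry = 30 days
# Options used in the renewal process
[renewalparams]
account = fde92e32b66344a8925ead7dcd6b9327
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
"""

def parse_renewal_conf(text):
    """configobj-style parser: keys before any [section] land in section ""."""
    sections, current = {"": {}}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line.strip("[]")
            sections.setdefault(current, {})
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def expand_command(conf_text, cert_name, domains):
    """Rebuild the certbot command that re-issues cert_name for `domains`.
    Assumed mapping: identical authenticator and installer collapse to the
    plugin shorthand (--apache); otherwise both plugins are spelled out."""
    p = parse_renewal_conf(conf_text)["renewalparams"]
    auth, inst = p["authenticator"], p["installer"]
    cmd = (["certbot", "--" + auth] if auth == inst
           else ["certbot", "--authenticator", auth, "--installer", inst])
    cmd += ["--cert-name", cert_name]   # pin the lineage so no new one is created
    for d in domains:
        cmd += ["-d", d]
    return " ".join(cmd)

def unresolvable(domains, resolve=socket.getaddrinfo):
    """Names that fail DNS lookup; catching the thread's www.binomialsofware.com
    typo here avoids a failed authorization counted against the rate limit."""
    bad = []
    for d in domains:
        try:
            resolve(d, 443)
        except socket.gaierror:
            bad.append(d)
    return bad
```

Run unresolvable() on the exact list you are about to pass as -d flags; an empty result is the signal that the expand command is safe to issue.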

It seems to work now - thx everyone!


Yeah, looks great crt.sh | binomialsoftware.com


[don't mind me - I'm just here to point out the obvious - LOL]

There is no planned long-term support for U21 - just saying.

Also, you should check what certs are still managed, with:
certbot certificates
and delete any that are no longer needed, with:
certbot delete --cert-name {name of cert}

