Renewal not working on www

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
certbot renew
It produced this output:
Cert not yet due for renewal
No renewals were attempted
My web server is (include version):
apache/2.4.48 (Debian)
The operating system my web server runs on is (include version):
Debian GNU/Linux 11 (bullseye) dockered on Ubuntu 21.10
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I have a site ( that had a certificate about to run out so I ran certbot renew which seemed to run fine. Now the certificate for the version has expired. works. Running certbot renew now just gives me Cert not yet due for renewal.

Any help would be greatly appreciated

It seems you've removed the www subdomain from your certificate on August 7th this year, if you look at your certificate history:

Solution: re-add the www subdomain to your certificate.


Thx for the help.

I really have no idea how I did that; it certainly wasn't on purpose. I probably spent 20-30 hours to create the first certificate trying different things. I guess you are saying I'm back to square one and have to create the certificate again?


Usually, that would be the most straightforward solution indeed, as certbot does not have an easy method of adding/removing hostnames from an existing certificate. However, that requires knowledge of the original command used to get the certificate in the first place. Sometimes people don't know that command any longer.

It might also be possible to use the renew command in combination with adding new hostnames, but I'm not entirely sure. E.g. something like:

certbot renew --cert-name -d -d

First, do a dry-run to make sure everything is working properly:

certbot renew --cert-name -d -d --dry-run

If that works, you can change --dry-run for --force-renewal and run the following command just once (because --force-renewal should only be used a single time if it succeeds!). --force-renewal is unfortunately required as otherwise certbot would claim the certificate is not yet due for renewal. We know, certbot, we know! We just want to change it!

So the final command would be (just once):

certbot renew --cert-name -d -d --force-renewal

@e1qj9mftxy If you still need help could you show the contents of this file:


From that we may be able to derive your original command if the examples @Osiris showed for renew did not work for you.



I tried the command above with --dry-run and the output was:
"Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future." So I didn't try without --dry-run
The content of the config file is:

renew_before_expiry = 30 days

version = 1.12.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

account = fde92e32b66344a8925ead7dcd6b9327
authenticator = apache
installer = apache
server =


Ok, we may get lucky, try

certbot --apache -d -d

It should ask if you want to "expand" cert, confirm that


You could add --cert-name to be absolutely sure.


I got challenge failed for domain
DNS problem: NXDOMAIN looking up A for - check that a DNS record exists for this domain

I tried adding --cert-name also. I have checked that I have an A record, but I read somewhere that you also need a CNAME record, which I didn't have, so I created one.

Now I got a message saying:
You are updating certificate to include new domain(s):

You are also removing previously included domain(s):

Did you intend to make this change?

(U)pdate certificate/(C)ancel: U
Renewing an existing certificate for and
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt


OK, you just need to wait an hour. Let's Encrypt will reject when you try too many times and fail. Ideally you use --dry-run or --test-cert but that can be awkward with --apache sometimes so best to wait.

As to CNAME, it is fine to have CNAME for the pointing to the apex name. But, it also would have worked to make an A record for - instead of a CNAME. Perhaps back in August you did have an A record for it but it got removed. Either way, CNAME or A, it should work in an hour.


It seems to work now - thx everyone!


Yeah, looks great


[don't mind me - I'm just here to point out the obvious - LOL]

There is no planned long term support for U21 - just saying.

Also, you should check what certs are still managed, with:
certbot certificates
and delete any that are no longer needed, with:
certbot delete --cert-name {name of cert}
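
A check for the failure mode in this thread (a hostname dropped from a certificate while certbot renew reports nothing due), added here as an example and not part of any post above: it reads `certbot certificates` output on stdin and lists the hostnames no managed certificate covers. The function names and the example.com sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find hostnames that no certbot-managed certificate covers.
# Real use: certbot certificates | uncovered_names example.com www.example.com

# uncovered_names HOST...   (reads `certbot certificates` output on stdin)
# Prints one line per hostname that is in no "Domains:" list; prints nothing
# when every hostname is covered.
uncovered_names() {
    awk -v want="$*" '
        # Each lineage has one "Domains:" line with space-separated names.
        $1 == "Domains:" {
            for (i = 2; i <= NF; i++) have[tolower($i)] = 1
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) {
                h = tolower(w[i])
                if (h in have) continue
                # A wildcard name covers exactly one left-most label.
                p = h
                sub(/^[^.]+\./, "*.", p)
                if (p != h && (p in have)) continue
                print h
            }
        }'
}

# Constructed sample of `certbot certificates` output: the lineage lists only
# the apex name, as happened to the certificate discussed in this thread.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com
    Expiry Date: 2022-01-05 10:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
EOF
}

# The www name is reported even though the lineage itself is still valid.
sample_output | uncovered_names example.com www.example.com
```

Run from cron next to certbot renew, any output from this check is a hostname that renewal will never fix on its own.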

