Server IP change and certificate won't renew

I changed my server's IP address and ran into some issues with certificate renewal (auto-renewals have stopped). What do I need to update to make sure the certificates for the new IP address / server are renewed?

My domain is:
https://medigapp.app

I ran this command:
certbot renew

It produced this output:
http-01 challenge for www.medigapp.app
Cleaning up challenges
Attempting to renew cert (medigapp.app) from /etc/letsencrypt/renewal/medigapp.app.conf produced an unexpected error: Some challenges have failed.. Skipping.
...
Domain: www.medigapp.app
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for www.medigapp.app -
check that a DNS record exists for this domain

My web server is (include version):
Nginx 1.18

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
Digital ocean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.40.0

1 Like

Welcome to the Let's Encrypt Community, Cornel :slightly_smiling_face:

The IP address A/AAAA record of a domain name has no connection with a certificate covering the domain name itself (unless the IP address is covered by the certificate, which Let's Encrypt does not do since they only issue DV certificates).

That error is usually due to insufficient time having elapsed to fully propagate the DNS record. Are you sure that you created an A/AAAA or CNAME record for www.medigapp.app? I see an A record for medigapp.app.

https://toolbox.googleapps.com/apps/dig/#A/

1 Like

Thanks! But my certificates have been working for months without issues, so why would that be the case? Also, I point my DNS at digital ocean nameservers that then in turn point to my Servers, so why would this be the case if certificates were not an issue for a long time? I got a mail that they will expire, but in the past they auto-renewed. What can I do to fix this and renew them?

2 Likes

They're not autorenewing because you're using an http-01 challenge for which Let's Encrypt cannot verify domain name control of www.medigapp.app due to not being able to reach the webserver for lack of an A/AAAA or CNAME record.

1 Like

My crystal ball (which doesn't always work) says that when you changed providers/IPs, you didn't set up a www.medigapp.app DNS record at all with the new provider. So you only have a medigapp.app name defined.

So, there are two choices:

  1. If you (and/or your users) don't use that www. name (which if nobody's noticed for months may be the case), then create a new certificate without that name and use it instead, or
  2. Add a DNS record for the www. name, probably pointing to the same server.

4 Likes
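A pre-renewal check for the situation described above, as an added example that is not part of the thread: before running `certbot renew`, read the names each lineage covers from `certbot certificates` and confirm that every one of them has an A, AAAA or CNAME record, since http-01 validation fails with NXDOMAIN for any name that does not resolve. It assumes `dig` is installed and that `certbot certificates` prints `Domains:` lines in the 0.40-era format; the sample output embedded below is constructed, and the `RESOLVE` hook is a hypothetical name chosen so the lookup can be swapped out.

```shell
#!/bin/sh
# Added example: list the names a certbot lineage covers and report any that
# have no DNS record, i.e. names for which http-01 renewal would fail.

# Resolver hook (hypothetical name): defaults to dig, can be pointed at a stub.
# Prints one line per record found and nothing when the name does not resolve.
: "${RESOLVE:=resolve_with_dig}"
resolve_with_dig() {
    # +short prints only record data; a CNAME target counts as a record too.
    dig +short "$1" A; dig +short "$1" AAAA; dig +short "$1" CNAME
}

# Read "certbot certificates" output on stdin, print one covered hostname per line.
cert_names() {
    sed -n 's/^[[:space:]]*Domains:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Read hostnames on stdin; print those with no DNS record, return 1 if any.
names_without_dns() {
    missing=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ -z "$("$RESOLVE" "$name" 2>/dev/null)" ]; then
            echo "$name"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample in the shape "certbot certificates" prints (not real output).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: medigapp.app
    Domains: medigapp.app www.medigapp.app
    Expiry Date: 2021-01-01 00:00:00+00:00 (VALID: 29 days)
    Certificate Path: /etc/letsencrypt/live/medigapp.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/medigapp.app/privkey.pem'

# Demo over the constructed sample; on a live host pipe the real output instead:
#   sudo certbot certificates | cert_names | names_without_dns
main() {
    if printf '%s\n' "$SAMPLE_CERTS" | cert_names | names_without_dns >/tmp/missing.$$; then
        echo "all names resolve; http-01 renewal can reach every name"
    else
        echo "names with no DNS record (renewal will fail for these):"
        cat /tmp/missing.$$
    fi
    rm -f /tmp/missing.$$
}

case "${1-}" in --demo) main ;; esac
```

Run it as `sh check.sh --demo` to see the report over the sample, or source it and pipe the real `certbot certificates` output through `cert_names | names_without_dns`. A non-zero exit from `names_without_dns` is the signal to add the missing record (or to reissue without that name) before retrying `certbot renew`.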

You are right! I added a www. DNS name, and now waiting to see if it will work. At the moment I'm still getting net::ERR_CERT_DATE_INVALID when trying to reach my endpoint

2 Likes

That's either because you don't have a new certificate yet:

https://crt.sh/?q=medigapp.app

or you need to reload your webserver:

sudo nginx -s reload

If it's the latter problem, you need to add the nginx installer plugin to your certbot configuration:

-i nginx

2 Likes

I think @cvza is/was waiting for the brand new www subdomain to be added/propagated through the DNS and he didn't try again yet.

3 Likes

@Osiris

I concur. I think this issue will resolve itself at this point.

2 Likes

Yup. From my point of view the www subdomain is working perfectly, so @cvza should try again to renew the certificate at this point :slight_smile:

3 Likes

Hi there! So I tried this, but now I get the following: net::ERR_CERT_COMMON_NAME_INVALID.

1 Like

You need to renew your certificate first:

sudo certbot renew

Certbot should reload nginx automatically.

Edit:

See the new command I posted below.

1 Like

Oh... your certificate doesn't cover all the names

1 Like

@cvza Please stop what you're currently doing. You're getting the wrong certificates too many times! See: crt.sh | medigapp.app

Now you got TWO certificates with JUST the www subdomain and a single certificate with just the apex domain? Where do those different certs come from? You haven't issued any of them like this in the past, so I'm pretty sure this wasn't due to a simple certbot renew command?

2 Likes

sudo certbot --nginx -d "medigapp.app, www.medigapp.app, fastpulse.medigapp.app, wellnessodyssey.medigapp.app"

2 Likes

You will want to delete the unnecessary certificates to avoid them autorenewing.

Run sudo certbot certificates to view your existing certificates, noting the CERT_NAMES of unneeded certificates.

Then:

sudo certbot delete --cert-name CERT_NAME

to cleanly delete the unneeded certificates.

If any of your webserver configuration files point to these old certificates, you'll need to update their directives to point to the new certificate. A good starting place is:

sudo nginx -T

Once you've made your changes, you'll need to reload nginx:

sudo nginx -s reload

1 Like
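The cleanup above in one script, as an added example that is not part of the thread: it cross-checks the lineages `certbot certificates` knows about against the `ssl_certificate` paths in `nginx -T`, so that `certbot delete` is only run for lineages no server block loads, and any stale path left over from the old server is spotted before `nginx -s reload`. It assumes the certbot 0.40 and nginx 1.18 output formats; both samples embedded below are constructed, and `medigapp.app-old` is a placeholder for a leftover path.

```shell
#!/bin/sh
# Added example: decide which certbot lineages are safe to delete and which
# nginx ssl_certificate directives point at certificates certbot no longer manages.

# From "certbot certificates" on stdin, print "<lineage name> <fullchain path>" per lineage.
lineages() {
    awk '
        /Certificate Name:/ { name = $NF }
        /Certificate Path:/ { print name, $NF }
    '
}

# From "nginx -T" on stdin, print each distinct ssl_certificate path
# (ssl_certificate_key lines do not match because "_key" follows without a space).
nginx_cert_paths() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*/\1/p' | sort -u
}

# Lineages no server block references: candidates for "certbot delete --cert-name".
unreferenced_lineages() {   # $1 = certbot certificates output, $2 = nginx -T output
    used=$(printf '%s\n' "$2" | nginx_cert_paths)
    printf '%s\n' "$1" | lineages | while read -r name path; do
        printf '%s\n' "$used" | grep -qxF "$path" || echo "$name"
    done
}

# Paths nginx loads that belong to no lineage: update these before reloading.
stale_nginx_paths() {       # $1 = certbot certificates output, $2 = nginx -T output
    known=$(printf '%s\n' "$1" | lineages | awk '{ print $2 }')
    printf '%s\n' "$2" | nginx_cert_paths | while read -r path; do
        printf '%s\n' "$known" | grep -qxF "$path" || echo "$path"
    done
}

# Constructed sample: one lineage covering all names plus two stray www-only ones.
SAMPLE_CERTBOT='Found the following certs:
  Certificate Name: medigapp.app
    Domains: medigapp.app www.medigapp.app fastpulse.medigapp.app wellnessodyssey.medigapp.app
    Expiry Date: 2021-03-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/medigapp.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/medigapp.app/privkey.pem
  Certificate Name: www.medigapp.app
    Domains: www.medigapp.app
    Expiry Date: 2021-03-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.medigapp.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.medigapp.app/privkey.pem
  Certificate Name: www.medigapp.app-0001
    Domains: www.medigapp.app
    Expiry Date: 2021-03-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.medigapp.app-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.medigapp.app-0001/privkey.pem'

# Constructed sample: one server block on the current lineage, one on a leftover path.
SAMPLE_NGINX='# configuration file /etc/nginx/sites-enabled/medigapp.app:
server {
    server_name medigapp.app www.medigapp.app;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/medigapp.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/medigapp.app/privkey.pem; # managed by Certbot
}
server {
    server_name fastpulse.medigapp.app;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/medigapp.app-old/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/medigapp.app-old/privkey.pem;
}'

# Demo over the samples; on a live host substitute the real command output:
#   unreferenced_lineages "$(sudo certbot certificates)" "$(sudo nginx -T 2>/dev/null)"
report() {
    echo "lineages no server block references (safe to remove):"
    unreferenced_lineages "$SAMPLE_CERTBOT" "$SAMPLE_NGINX" | sed 's/^/  sudo certbot delete --cert-name /'
    echo "ssl_certificate paths with no certbot lineage (fix before nginx -s reload):"
    stale_nginx_paths "$SAMPLE_CERTBOT" "$SAMPLE_NGINX" | sed 's/^/  /'
}

case "${1-}" in --demo) report ;; esac
```

Run it with `--demo` to see the two lists over the samples. The script only prints suggested commands; deletion stays a deliberate `sudo certbot delete --cert-name` per lineage, and the stale-path list is the set of directives to edit before `nginx -T` is rerun and the server reloaded.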
