@JuergenAuer
Thanks for providing this valuable input.
This means that I cannot use wildcards as of now.
I reproduced the issue (with the HAproxy service running).
This is the content of /var/log/letsencrypt/letsencrypt.log:
2018-09-16 12:11:59,365:DEBUG:certbot.main:certbot version: 0.27.1
2018-09-16 12:11:59,365:DEBUG:certbot.main:Arguments: ['--force-renewal', '--http-01-port=9785', '--deploy-hook', '/bin/run-parts --e
2018-09-16 12:11:59,365:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEn
2018-09-16 12:11:59,380:DEBUG:certbot.log:Root logging level set at 20
2018-09-16 12:11:59,380:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-09-16 12:11:59,407:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f051a3e5c90> and i
2018-09-16 12:11:59,407:DEBUG:certbot.cli:Var http01_port=9785 (set by user).
2018-09-16 12:11:59,407:DEBUG:certbot.cli:Var deploy_hook=/bin/run-parts --exit-on-error /etc/letsencrypt/deploy-hook.d/ (set by user
2018-09-16 12:11:59,407:DEBUG:certbot.cli:Var renew_hook=set(['deploy_hook']) (set by user).
2018-09-16 12:11:59,407:DEBUG:certbot.cli:Var post_hook=/bin/run-parts --exit-on-error /etc/letsencrypt/post-hook.d/ (set by user).
2018-09-16 12:11:59,429:DEBUG:certbot.renewal:Auto-renewal forced with --force-renewal...
2018-09-16 12:11:59,429:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-09-16 12:11:59,528:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f051a3e5510>
Prep: True
2018-09-16 12:11:59,529:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x
2018-09-16 12:11:59,529:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-09-16 12:11:59,538:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_serv
2018-09-16 12:11:59,539:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-09-16 12:11:59,543:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-09-16 12:12:00,002:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-09-16 12:12:00,005:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 16 Sep 2018 10:11:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 16 Sep 2018 10:11:59 GMT
Connection: keep-alive
{
  "WcsFzFz7dUg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-09-16 12:12:00,006:INFO:certbot.main:Renewing an existing certificate
2018-09-16 12:12:00,178:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0087_key-certbot.pem
2018-09-16 12:12:00,220:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0087_csr-certbot.pem
2018-09-16 12:12:00,245:DEBUG:acme.client:Requesting fresh nonce
2018-09-16 12:12:00,246:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-order.
2018-09-16 12:12:00,449:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-order HTTP/1.1" 405 0
2018-09-16 12:12:00,451:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 103
Allow: POST
Replay-Nonce: IC1iM6wPCCz-Mqqgkp75f3Q_WLybaG_fhe9wAhtkASQ
Expires: Sun, 16 Sep 2018 10:12:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 16 Sep 2018 10:12:00 GMT
Connection: keep-alive
2018-09-16 12:12:00,451:DEBUG:acme.client:Storing nonce: IC1iM6wPCCz-Mqqgkp75f3Q_WLybaG_fhe9wAhtkASQ
2018-09-16 12:12:00,452:DEBUG:acme.client:JWS payload:
{
  "status": "pending",
  "identifiers": [
    {
      "type": "dns",
      "value": "mail.biszumbitterenen.de"
    }
  ],
  "resource": "new-order"
}
2018-09-16 12:12:00,476:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJub25jZSI6ICJJQzFpTTZ3UENDei1NcXFna3A3NWYzUV9XTHliYUdfZmhlOXdBaHRrQVNRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZ
"payload": "ewogICJzdGF0dXMiOiAicGVuZGluZyIsIAogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJ
"signature": "juqkIn5Mb4ER-EZdVROX6zNlBLcO-rt3A-50H0kBMFenW-NkravcW4zNuGAKHEkfkG2P52WeI69du2yXBs2QcIVW5dX9WqVaz_THFWpsFarCABaGHnwjg
}
2018-09-16 12:12:00,697:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 380
2018-09-16 12:12:00,699:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 380
Boulder-Requester: 26341752
Location: https://acme-v02.api.letsencrypt.org/acme/order/26341752/67304704
Replay-Nonce: CU_F2FvPyXcqM_sEKxdRATRbPSMgG_HAnD7VYfwjsys
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 16 Sep 2018 10:12:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 16 Sep 2018 10:12:00 GMT
Connection: keep-alive
{
  "status": "ready",
  "expires": "2018-09-23T10:12:00.506893844Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "mail.biszumbitterenen.de"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/UnhBQWywVrpCg_8lFOPksneaqHdAII-qpDlMWVg8n-A"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/26341752/67304704"
}
2018-09-16 12:12:00,700:DEBUG:acme.client:Storing nonce: CU_F2FvPyXcqM_sEKxdRATRbPSMgG_HAnD7VYfwjsys
2018-09-16 12:12:00,702:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/UnhBQWywVrpCg_8lFOPk
2018-09-16 12:12:00,902:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/UnhBQWywVrpCg_8lFOPksn
2018-09-16 12:12:00,905:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1411
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 16 Sep 2018 10:12:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 16 Sep 2018 10:12:00 GMT
Connection: keep-alive
{
  "identifier": {
    "type": "dns",
    "value": "mail.biszumbitterenen.de"
  },
  "status": "valid",
  "expires": "2018-10-15T10:25:04Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/UnhBQWywVrpCg_8lFOPksneaqHdAII-qpDlMWVg8n-A/7369160884",
      "token": "V2KGLks-Oc-gFnhHO2dOdStTevQnr9w_1YkUtQm7Sws"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/UnhBQWywVrpCg_8lFOPksneaqHdAII-qpDlMWVg8n-A/7369160891",
      "token": "0I8iFETxAmaWPjKh04_lMOWkkjH29CrpvvFInpAHpGc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/UnhBQWywVrpCg_8lFOPksneaqHdAII-qpDlMWVg8n-A/7369160893",
      "token": "eTelrtwIq-DmPUlwbo0Wx5q82XmQAfSdrFxvcRv1I48"
    },
    {
      "type": "tls-sni-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/UnhBQWywVrpCg_8lFOPksneaqHdAII-qpDlMWVg8n-A/7369160899",
      "token": "tp8upb-MFKdC60R2A8jWehEmlgQDQ8IVTtwxoJeJ4N8",
      "validationRecord": [
        {
          "hostname": "mail.biszumbitterenen.de",
          "port": "443",
          "addressesResolved": [
            "94.79.184.226"
          ],
          "addressUsed": "94.79.184.226"
        }
      ]
    }
  ]
}
2018-09-16 12:12:00,911:INFO:certbot.auth_handler:Performing the following challenges:
2018-09-16 12:12:00,917:INFO:certbot.auth_handler:tls-sni-01 challenge for mail.biszumbitterenen.de
2018-09-16 12:12:00,922:DEBUG:acme.standalone:Failed to bind to :443 using IPv6
2018-09-16 12:12:00,923:DEBUG:acme.standalone:Failed to bind to :443 using IPv4
2018-09-16 12:12:00,925:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 126, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 234, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 241, in _try_perform_single
    _handle_perform_error(error)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 239, in _try_perform_single
    return self._perform_single(achall)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 247, in _perform_single
    servers, response = self._perform_tls_sni_01(achall)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 264, in _perform_tls_sni_01
    servers = self.servers.run(port, challenges.TLSSNI01, listenaddr=addr)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 78, in run
    raise errors.StandaloneBindError(error, port)
StandaloneBindError: Problem binding to port 443: Could not bind to IPv4 or IPv6.
2018-09-16 12:12:00,926:DEBUG:certbot.error_handler:Calling registered functions
2018-09-16 12:12:00,926:INFO:certbot.auth_handler:Cleaning up challenges
2018-09-16 12:12:00,930:WARNING:certbot.renewal:Attempting to renew cert (mail.biszumbitterenen.de) from /etc/letsencrypt/renewal/mai
2018-09-16 12:12:00,939:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 430, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1197, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 126, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 234, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 241, in _try_perform_single
    _handle_perform_error(error)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 239, in _try_perform_single
    return self._perform_single(achall)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 247, in _perform_single
    servers, response = self._perform_tls_sni_01(achall)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 264, in _perform_tls_sni_01
    servers = self.servers.run(port, challenges.TLSSNI01, listenaddr=addr)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/standalone.py", line 78, in run
    raise errors.StandaloneBindError(error, port)
StandaloneBindError: Problem binding to port 443: Could not bind to IPv4 or IPv6.
2018-09-16 12:12:00,955:DEBUG:certbot.cli:Var http01_port=9785 (set by user).
2018-09-16 12:12:00,959:DEBUG:certbot.cli:Var deploy_hook=/bin/run-parts --exit-on-error /etc/letsencrypt/deploy-hook.d/ (set by user
2018-09-16 12:12:00,967:DEBUG:certbot.cli:Var renew_hook=set(['deploy_hook']) (set by user).
2018-09-16 12:12:00,970:DEBUG:certbot.cli:Var post_hook=/bin/run-parts --exit-on-error /etc/letsencrypt/post-hook.d/ (set by user).
2018-09-16 12:12:01,136:DEBUG:certbot.renewal:Auto-renewal forced with --force-renewal...
2018-09-16 12:12:01,143:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-09-16 12:12:01,209:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f051a3ea190>
Prep: True
2018-09-16 12:12:01,219:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x
2018-09-16 12:12:01,228:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-09-16 12:12:01,427:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_serv
2018-09-16 12:12:01,445:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-09-16 12:12:01,474:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
The content of the different /etc/letsencrypt/renewal parameters is similar (if not equal) for every subdomain:
ct102-haproxy:~# more /etc/letsencrypt/renewal/mail.biszumbitterenen.de.conf
# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/mail.biszumbitterenen.de
cert = /etc/letsencrypt/live/mail.biszumbitterenen.de/cert.pem
privkey = /etc/letsencrypt/live/mail.biszumbitterenen.de/privkey.pem
chain = /etc/letsencrypt/live/mail.biszumbitterenen.de/chain.pem
fullchain = /etc/letsencrypt/live/mail.biszumbitterenen.de/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = c8af689281a1eb5d92664dfabe350f46
http01_port = 9785
renew_hook = /bin/run-parts --exit-on-error /etc/letsencrypt/deploy-hook.d/
post_hook = /bin/run-parts --exit-on-error /etc/letsencrypt/post-hook.d/
server = https://acme-v02.api.letsencrypt.org/directory
And (finally) the content of the renew script:
ct102-haproxy:~# more /usr/local/bin/renew-le-certs.sh
#!/bin/sh
## Configuration
# Fixed SHELL/PATH so the script behaves the same under cron as from a shell.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
## Renew/update certificates with certbot
# --force-renewal renews on every run, not only when the cert is near expiry.
# --http-01-port moves only the http-01 listener; the tls-sni-01 challenge
# chosen in the log above still binds :443, where HAproxy already listens.
certbot renew \
    --force-renewal \
    --http-01-port=9785 \
    --deploy-hook '/bin/run-parts --exit-on-error /etc/letsencrypt/deploy-hook.d/' \
    --post-hook '/bin/run-parts --exit-on-error /etc/letsencrypt/post-hook.d/'
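The log above carries the whole diagnosis, but it is easy to miss in 250 lines of debug output: the standalone plugin performed a tls-sni-01 challenge, that challenge listens on :443 where HAproxy already sits, and so the --http-01-port=9785 setting never came into play. The script below, added here as an example and not part of the post or of certbot, pulls exactly those facts out of letsencrypt.log lines. The sample lines are constructed, modelled on the log above with an example domain, and the --preferred-challenges suggestion in its output is the editor's, not something the original poster stated.

```python
"""Pull challenge type, listen port and bind failure out of certbot's debug log."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on (not copied from) the letsencrypt.log above.
SAMPLE_LOG = """\
2018-09-16 12:11:59,407:DEBUG:certbot.cli:Var http01_port=9785 (set by user).
2018-09-16 12:11:59,429:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-09-16 12:12:00,911:INFO:certbot.auth_handler:Performing the following challenges:
2018-09-16 12:12:00,917:INFO:certbot.auth_handler:tls-sni-01 challenge for mail.example.org
2018-09-16 12:12:00,922:DEBUG:acme.standalone:Failed to bind to :443 using IPv6
2018-09-16 12:12:00,923:DEBUG:acme.standalone:Failed to bind to :443 using IPv4
StandaloneBindError: Problem binding to port 443: Could not bind to IPv4 or IPv6.
"""

# Line shapes taken from the certbot 0.27 log format shown in the post.
VAR_RE = re.compile(r":certbot\.cli:Var (?P<name>\w+)=(?P<value>.*?) \(set by user\)")
CHALLENGE_RE = re.compile(r":certbot\.auth_handler:(?P<type>[a-z0-9-]+) challenge for (?P<domain>\S+)")
BIND_FAIL_RE = re.compile(r":acme\.standalone:Failed to bind to :(?P<port>\d+) using (?P<family>IPv[46])")
BIND_ERROR_RE = re.compile(r"StandaloneBindError: Problem binding to port (?P<port>\d+)")

# Default port the standalone plugin listens on per challenge type.
# --http-01-port moves only the http-01 listener; the TLS challenges default to 443.
LISTEN_PORT = {"http-01": 80, "tls-sni-01": 443, "tls-alpn-01": 443}


@dataclass
class Diagnosis:
    user_vars: Dict[str, str] = field(default_factory=dict)
    challenges: List[Tuple[str, str]] = field(default_factory=list)     # (type, domain)
    bind_failures: List[Tuple[int, str]] = field(default_factory=list)  # (port, family)
    bind_error_port: Optional[int] = None

    def http01_port_ignored(self) -> bool:
        """--http-01-port was given, but no http-01 challenge was ever performed."""
        return "http01_port" in self.user_vars and not any(
            ctype == "http-01" for ctype, _ in self.challenges)

    def summary(self) -> List[str]:
        lines = []
        for ctype, domain in self.challenges:
            port = (self.user_vars.get("http01_port", LISTEN_PORT["http-01"])
                    if ctype == "http-01" else LISTEN_PORT.get(ctype, "?"))
            lines.append(f"standalone performed {ctype} for {domain}, listening on :{port}")
        if self.bind_error_port is not None:
            families = ", ".join(f for p, f in self.bind_failures if p == self.bind_error_port)
            lines.append(f"bind to :{self.bind_error_port} failed ({families}): "
                         "another daemon already owns that port")
        if self.http01_port_ignored():
            lines.append(f"http01_port={self.user_vars['http01_port']} never applied: the selected "
                         "challenge was not http-01 (editor's suggestion, not from the post: "
                         "pin it with --preferred-challenges http)")
        return lines


def analyse(log_text: str) -> Diagnosis:
    """Single pass over the log; each line matches at most one pattern."""
    d = Diagnosis()
    for line in log_text.splitlines():
        m = VAR_RE.search(line)
        if m:
            d.user_vars[m.group("name")] = m.group("value")
            continue
        m = CHALLENGE_RE.search(line)
        if m:
            d.challenges.append((m.group("type"), m.group("domain")))
            continue
        m = BIND_FAIL_RE.search(line)
        if m:
            d.bind_failures.append((int(m.group("port")), m.group("family")))
            continue
        m = BIND_ERROR_RE.search(line)
        if m:
            d.bind_error_port = int(m.group("port"))
    return d


if __name__ == "__main__":
    for item in analyse(SAMPLE_LOG).summary():
        print(" -", item)
```

Against the real file, `analyse(open("/var/log/letsencrypt/letsencrypt.log").read())` gives the same three-line verdict as the sample; the regexes are tied to the certbot 0.27 line format shown above and are an assumption for any other version.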