[Solved] Renewal is rate limited, but certificate expired in August

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
plex.jcconnell.com

I ran this command:
letsencrypt certonly --webroot -w /var/www/ssl-proof/plex/ -d plex.jcconnell.com

It produced this output:
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for plex.jcconnell.com
Using the webroot path /var/www/ssl-proof/plex for all unmatched domains.
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: plex.jcconnell.com
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
N/A. Runs in my homelab.

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

This host’s only function is to reverse proxy services on my LAN. I have 7 other sub-domains whose certificates are fine, but I’ve had trouble with the Plex sub-domain for a few months now. I noticed some time ago and decided to leave it alone, figuring that it would correct itself. But it hasn’t. Any ideas?

Take a look at https://crt.sh/?q=plex.jcconnell.com. You generated one cert for that host yesterday, two on Sunday, and two on Saturday. That’s why you’re rate-limited; you won’t be able to generate another cert until about 0400Z next Saturday. The question is, where did those certs go? Current versions of certbot have some management tools, but if you’re still using letsencrypt as the command, you probably don’t have them available (and should probably upgrade).

Do you see more than one directory in /etc/letsencrypt/live with your hostname in it?

Wow, that’s way more frequent than I thought I configured it to be. I set a cron job to run monthly.

Both the certbot and letsencrypt commands work on my system. I recall following some older instructions on certbot.eff.org, but it appears that the new certbot is a Python package now: https://certbot.eff.org/#ubuntuxenial-nginx. Should I uninstall what I have currently and install the new Python package?

There are several directories with *.jcconnell.com domains in /etc/letencrypt/live but only one with the plex.jcconnell.com domain.

That's probably a problem. You say you've set a cron job for letsencrypt, but is there also one for certbot? Because running certbot renew twice a day is exactly what the docs recommend, and your cert got "renewed" (or re-issued) twice a day until it hit the rate limits. There's clearly some disconnect between where letsencrypt/certbot is looking for your existing cert, and where it's putting the new one.

What's the output of certbot certificates?

There is only a cron entry for lets encrypt

Here is the output of: certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/plex.jcconnell.com/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/couchpotato.jcconnell.com/cert.pem is unknown

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: proxmox.jcconnell.com
    Domains: proxmox.jcconnell.com
    Expiry Date: 2018-01-22 19:28:09+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/proxmox.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/proxmox.jcconnell.com/privkey.pem
  Certificate Name: plex.jcconnell.com
    Domains: plex.jcconnell.com
    Expiry Date: 2017-08-12 20:45:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/plex.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/plex.jcconnell.com/privkey.pem
  Certificate Name: cloud.jcconnell.com
    Domains: cloud.jcconnell.com
    Expiry Date: 2017-11-24 00:19:00+00:00 (VALID: 30 days)
    Certificate Path: /etc/letsencrypt/live/cloud.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.jcconnell.com/privkey.pem
  Certificate Name: guacamole.jcconnell.com
    Domains: guacamole.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/guacamole.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/guacamole.jcconnell.com/privkey.pem
  Certificate Name: hass.jcconnell.com
    Domains: hass.jcconnell.com
    Expiry Date: 2018-01-12 15:38:12+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/hass.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hass.jcconnell.com/privkey.pem
  Certificate Name: zoneminder.jcconnell.com
    Domains: zoneminder.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/zoneminder.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/zoneminder.jcconnell.com/privkey.pem
  Certificate Name: guacamole.mobileeyecare.com
    Domains: guacamole.mobileeyecare.com
    Expiry Date: 2018-01-12 15:38:17+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/guacamole.mobileeyecare.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/guacamole.mobileeyecare.com/privkey.pem
  Certificate Name: owncloud.jcconnell.com
    Domains: owncloud.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/owncloud.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/owncloud.jcconnell.com/privkey.pem
  Certificate Name: couchpotato.jcconnell.com
    Domains: couchpotato.jcconnell.com
    Expiry Date: 2017-08-12 20:37:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/couchpotato.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/couchpotato.jcconnell.com/privkey.pem
  Certificate Name: gitlab.jcconnell.com
    Domains: gitlab.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/gitlab.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gitlab.jcconnell.com/privkey.pem
  Certificate Name: unifi.jcconnell.com
    Domains: unifi.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/unifi.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/unifi.jcconnell.com/privkey.pem
-------------------------------------------------------------------------------

Curiouser and curiouser. Can you check the log files for yesterday morning? They should be in /var/log/letsencrypt/, and hopefully will indicate what happened with that cert.

couchpotato is having the same issue as plex.

https://crt.sh/?q=couchpotato.jcconnell.com

Could you “ls -l /etc/letsencrypt/live/couchpotato.jcconnell.com /etc/letsencrypt/live/plex.jcconnell.com”?

Thank you both for the help!

Here is the request from @mnordhoff:

/etc/letsencrypt/live/couchpotato.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:36 README
lrwxrwxrwx 1 root root  54 May 14 17:36 cert.pem -> ../../archive/couchpotato.jcconnell.com-0001/cert1.pem
lrwxrwxrwx 1 root root  55 May 14 17:36 chain.pem -> ../../archive/couchpotato.jcconnell.com-0001/chain1.pem
lrwxrwxrwx 1 root root  59 May 14 17:36 fullchain.pem -> ../../archive/couchpotato.jcconnell.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root  57 May 14 17:36 privkey.pem -> ../../archive/couchpotato.jcconnell.com-0001/privkey1.pem

/etc/letsencrypt/live/plex.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:44 README
lrwxrwxrwx 1 root root  47 Oct 23 00:42 cert.pem -> ../../archive/plex.jcconnell.com-0001/cert1.pem
lrwxrwxrwx 1 root root  48 Oct 23 00:42 chain.pem -> ../../archive/plex.jcconnell.com-0001/chain1.pem
lrwxrwxrwx 1 root root  52 Oct 23 00:42 fullchain.pem -> ../../archive/plex.jcconnell.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root  50 Oct 23 00:42 privkey.pem -> ../../archive/plex.jcconnell.com-0001/privkey1.pem

Did you ever change the destination of any of those links or rename any of the files or directories in /etc/letsencrypt?

Originally, I was running a 12.04 Ubuntu LXC container but I read some information about putting Plex behind the reverse proxy and the benefits of HTTP2. At that time, the Nginx I was running did not support HTTP2 on 12.04. So I created a new container with 16.04, reinstalled Nginx and reconfigured all the settings. I can’t say wither certainty whether I copied the certificate files over to the new container, but it’s a possibility.

However, I added Plex to the Nginx configuration after this whole process, and Plex received a valid certificate at least once, same with Couchpotato.

Are any of the log contents sensitive? If not I will go ahead and post the contents of everything from yesterday.

You have an inconsistent lineage name between couchpotato.jcconnell.com and couchpotato.jcconnell.com-0001 and between plex.jcconnell.com and plex.jcconnell.com-0001. This is usually a sign of having renamed files in /etc/letsencrypt and is fairly likely to be part of what’s breaking the renewals.

Interesting.

Here’s what one of the functional domains looks like:

ls -l /etc/letsencrypt/live/unifi.jcconnell.com
total 7
-rw-r--r-- 1 root root 543 May 14 17:37 README
lrwxrwxrwx 1 root root  43 Sep 18 00:00 cert.pem -> ../../archive/unifi.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  44 Sep 18 00:00 chain.pem -> ../../archive/unifi.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  48 Sep 18 00:00 fullchain.pem -> ../../archive/unifi.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  46 Sep 18 00:00 privkey.pem -> ../../archive/unifi.jcconnell.com/privkey3.pem

So the difference is in the cert3.pem vs. cert0001.pem, etc? What’s the best way to fix this?

Can you show us the output of this command?

ls -l /etc/letsencrypt/{live,archive,renewal}/*

It’s very long, would you prefer it pasted here or in something like a pastbin?

Either way is OK with me.

-rw-r--r-- 1 root root 601 Aug 25 21:19 /etc/letsencrypt/renewal/cloud.jcconnell.com.conf
-rw-r--r-- 1 root root 649 May 14 17:49 /etc/letsencrypt/renewal/couchpotato.jcconnell.com.conf
-rw-r--r-- 1 root root 567 Sep 18 00:00 /etc/letsencrypt/renewal/gitlab.jcconnell.com.conf
-rw-r--r-- 1 root root 588 Sep 18 00:00 /etc/letsencrypt/renewal/guacamole.jcconnell.com.conf
-rw-r--r-- 1 root root 612 Oct 14 12:38 /etc/letsencrypt/renewal/guacamole.mobileeyecare.com.conf
-rw-r--r-- 1 root root 553 Oct 14 12:38 /etc/letsencrypt/renewal/hass.jcconnell.com.conf
-rw-r--r-- 1 root root 581 Sep 18 00:00 /etc/letsencrypt/renewal/owncloud.jcconnell.com.conf
-rw-r--r-- 1 root root 553 Oct 23 00:42 /etc/letsencrypt/renewal/plex.jcconnell.com.conf
-rw-r--r-- 1 root root 617 Oct 24 16:28 /etc/letsencrypt/renewal/proxmox.jcconnell.com.conf
-rw-r--r-- 1 root root 560 Sep 18 00:00 /etc/letsencrypt/renewal/unifi.jcconnell.com.conf
-rw-r--r-- 1 root root 595 Sep 18 00:00 /etc/letsencrypt/renewal/zoneminder.jcconnell.com.conf

/etc/letsencrypt/archive/cloud.jcconnell.com:
total 18
-rw-r--r-- 1 root root 1805 Aug 25 21:19 cert1.pem
-rw-r--r-- 1 root root 1647 Aug 25 21:19 chain1.pem
-rw-r--r-- 1 root root 3452 Aug 25 21:19 fullchain1.pem
-rw-r--r-- 1 root root 1704 Aug 25 21:19 privkey1.pem

/etc/letsencrypt/archive/couchpotato.jcconnell.com-0001:
total 18
-rw-r--r-- 1 root root 1826 May 14 17:36 cert1.pem
-rw-r--r-- 1 root root 1647 May 14 17:36 chain1.pem
-rw-r--r-- 1 root root 3473 May 14 17:36 fullchain1.pem
-rw-r--r-- 1 root root 1704 May 14 17:36 privkey1.pem

/etc/letsencrypt/archive/gitlab.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1809 May 14 17:37 cert1.pem
-rw-r--r-- 1 root root 1809 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1809 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:37 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3456 May 14 17:37 fullchain1.pem
-rw-r--r-- 1 root root 3456 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3456 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:37 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/archive/guacamole.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1818 May 14 17:36 cert1.pem
-rw-r--r-- 1 root root 1818 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1818 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:36 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3465 May 14 17:36 fullchain1.pem
-rw-r--r-- 1 root root 3465 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3465 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:36 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/archive/guacamole.mobileeyecare.com:
total 54
-rw-r--r-- 1 root root 1830 Jun  5 12:02 cert1.pem
-rw-r--r-- 1 root root 1830 Aug 15 12:42 cert2.pem
-rw-r--r-- 1 root root 1830 Oct 14 12:38 cert3.pem
-rw-r--r-- 1 root root 1647 Jun  5 12:02 chain1.pem
-rw-r--r-- 1 root root 1647 Aug 15 12:42 chain2.pem
-rw-r--r-- 1 root root 1647 Oct 14 12:38 chain3.pem
-rw-r--r-- 1 root root 3477 Jun  5 12:02 fullchain1.pem
-rw-r--r-- 1 root root 3477 Aug 15 12:42 fullchain2.pem
-rw-r--r-- 1 root root 3477 Oct 14 12:38 fullchain3.pem
-rw-r--r-- 1 root root 1708 Jun  5 12:02 privkey1.pem
-rw-r--r-- 1 root root 1704 Aug 15 12:42 privkey2.pem
-rw-r--r-- 1 root root 1704 Oct 14 12:38 privkey3.pem

/etc/letsencrypt/archive/hass.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1805 May 29 19:18 cert1.pem
-rw-r--r-- 1 root root 1805 Aug 15 12:42 cert2.pem
-rw-r--r-- 1 root root 1805 Oct 14 12:38 cert3.pem
-rw-r--r-- 1 root root 1647 May 29 19:18 chain1.pem
-rw-r--r-- 1 root root 1647 Aug 15 12:42 chain2.pem
-rw-r--r-- 1 root root 1647 Oct 14 12:38 chain3.pem
-rw-r--r-- 1 root root 3452 May 29 19:18 fullchain1.pem
-rw-r--r-- 1 root root 3452 Aug 15 12:42 fullchain2.pem
-rw-r--r-- 1 root root 3452 Oct 14 12:38 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 29 19:18 privkey1.pem
-rw-r--r-- 1 root root 1704 Aug 15 12:42 privkey2.pem
-rw-r--r-- 1 root root 1708 Oct 14 12:38 privkey3.pem

/etc/letsencrypt/archive/netdata.jcconnell.com:
total 18
-rw-r--r-- 1 root root 1814 Jun  2 13:16 cert1.pem
-rw-r--r-- 1 root root 1647 Jun  2 13:16 chain1.pem
-rw-r--r-- 1 root root 3461 Jun  2 13:16 fullchain1.pem
-rw-r--r-- 1 root root 1704 Jun  2 13:16 privkey1.pem

/etc/letsencrypt/archive/owncloud.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1818 May 14 17:39 cert1.pem
-rw-r--r-- 1 root root 1814 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1814 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:39 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3465 May 14 17:39 fullchain1.pem
-rw-r--r-- 1 root root 3461 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3461 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:39 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/archive/plex.jcconnell.com:
total 36
-rw-r--r-- 1 root root 1805 May 12 13:25 cert1.pem
-rw-r--r-- 1 root root 1805 Oct 23 00:42 cert2.pem
-rw-r--r-- 1 root root 1647 May 12 13:25 chain1.pem
-rw-r--r-- 1 root root 1647 Oct 23 00:42 chain2.pem
-rw-r--r-- 1 root root 3452 May 12 13:25 fullchain1.pem
-rw-r--r-- 1 root root 3452 Oct 23 00:42 fullchain2.pem
-rw-r--r-- 1 root root 1704 May 12 13:25 privkey1.pem
-rw-r--r-- 1 root root 1704 Oct 23 00:42 privkey2.pem

/etc/letsencrypt/archive/plex.jcconnell.com-0001:
total 18
-rw-r--r-- 1 root root 1805 May 14 17:44 cert1.pem
-rw-r--r-- 1 root root 1647 May 14 17:44 chain1.pem
-rw-r--r-- 1 root root 3452 May 14 17:44 fullchain1.pem
-rw-r--r-- 1 root root 1704 May 14 17:44 privkey1.pem

/etc/letsencrypt/archive/proxmox.jcconnell.com:
total 18
-rw-r--r-- 1 root root 1814 Oct 24 16:28 cert1.pem
-rw-r--r-- 1 root root 1647 Oct 24 16:28 chain1.pem
-rw-r--r-- 1 root root 3461 Oct 24 16:28 fullchain1.pem
-rw-r--r-- 1 root root 1704 Oct 24 16:28 privkey1.pem

/etc/letsencrypt/archive/unifi.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1809 May 14 17:37 cert1.pem
-rw-r--r-- 1 root root 1805 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1805 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:37 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3456 May 14 17:37 fullchain1.pem
-rw-r--r-- 1 root root 3452 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3452 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:37 privkey1.pem
-rw-r--r-- 1 root root 1708 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1708 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/archive/zoneminder.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1822 May 14 17:38 cert1.pem
-rw-r--r-- 1 root root 1822 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1822 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:38 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3469 May 14 17:38 fullchain1.pem
-rw-r--r-- 1 root root 3469 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3469 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:38 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1708 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/live/cloud.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 Aug 25 21:19 README
lrwxrwxrwx 1 root root  43 Aug 25 21:19 cert.pem -> ../../archive/cloud.jcconnell.com/cert1.pem
lrwxrwxrwx 1 root root  44 Aug 25 21:19 chain.pem -> ../../archive/cloud.jcconnell.com/chain1.pem
lrwxrwxrwx 1 root root  48 Aug 25 21:19 fullchain.pem -> ../../archive/cloud.jcconnell.com/fullchain1.pem
lrwxrwxrwx 1 root root  46 Aug 25 21:19 privkey.pem -> ../../archive/cloud.jcconnell.com/privkey1.pem

/etc/letsencrypt/live/couchpotato.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:36 README
lrwxrwxrwx 1 root root  54 May 14 17:36 cert.pem -> ../../archive/couchpotato.jcconnell.com-0001/cert1.pem
lrwxrwxrwx 1 root root  55 May 14 17:36 chain.pem -> ../../archive/couchpotato.jcconnell.com-0001/chain1.pem
lrwxrwxrwx 1 root root  59 May 14 17:36 fullchain.pem -> ../../archive/couchpotato.jcconnell.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root  57 May 14 17:36 privkey.pem -> ../../archive/couchpotato.jcconnell.com-0001/privkey1.pem

/etc/letsencrypt/live/gitlab.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:37 README
lrwxrwxrwx 1 root root  44 Sep 18 00:00 cert.pem -> ../../archive/gitlab.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  45 Sep 18 00:00 chain.pem -> ../../archive/gitlab.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  49 Sep 18 00:00 fullchain.pem -> ../../archive/gitlab.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  47 Sep 18 00:00 privkey.pem -> ../../archive/gitlab.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/guacamole.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:36 README
lrwxrwxrwx 1 root root  47 Sep 18 00:00 cert.pem -> ../../archive/guacamole.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  48 Sep 18 00:00 chain.pem -> ../../archive/guacamole.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  52 Sep 18 00:00 fullchain.pem -> ../../archive/guacamole.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  50 Sep 18 00:00 privkey.pem -> ../../archive/guacamole.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/guacamole.mobileeyecare.com:
total 7
-rw-r--r-- 1 root root 543 Jun  5 12:02 README
lrwxrwxrwx 1 root root  51 Oct 14 12:38 cert.pem -> ../../archive/guacamole.mobileeyecare.com/cert3.pem
lrwxrwxrwx 1 root root  52 Oct 14 12:38 chain.pem -> ../../archive/guacamole.mobileeyecare.com/chain3.pem
lrwxrwxrwx 1 root root  56 Oct 14 12:38 fullchain.pem -> ../../archive/guacamole.mobileeyecare.com/fullchain3.pem
lrwxrwxrwx 1 root root  54 Oct 14 12:38 privkey.pem -> ../../archive/guacamole.mobileeyecare.com/privkey3.pem

/etc/letsencrypt/live/hass.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 29 19:18 README
lrwxrwxrwx 1 root root  42 Oct 14 12:38 cert.pem -> ../../archive/hass.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  43 Oct 14 12:38 chain.pem -> ../../archive/hass.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  47 Oct 14 12:38 fullchain.pem -> ../../archive/hass.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  45 Oct 14 12:38 privkey.pem -> ../../archive/hass.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/owncloud.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:39 README
lrwxrwxrwx 1 root root  46 Sep 18 00:00 cert.pem -> ../../archive/owncloud.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  47 Sep 18 00:00 chain.pem -> ../../archive/owncloud.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  51 Sep 18 00:00 fullchain.pem -> ../../archive/owncloud.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  49 Sep 18 00:00 privkey.pem -> ../../archive/owncloud.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/plex.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:44 README
lrwxrwxrwx 1 root root  47 Oct 23 00:42 cert.pem -> ../../archive/plex.jcconnell.com-0001/cert1.pem
lrwxrwxrwx 1 root root  48 Oct 23 00:42 chain.pem -> ../../archive/plex.jcconnell.com-0001/chain1.pem
lrwxrwxrwx 1 root root  52 Oct 23 00:42 fullchain.pem -> ../../archive/plex.jcconnell.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root  50 Oct 23 00:42 privkey.pem -> ../../archive/plex.jcconnell.com-0001/privkey1.pem

/etc/letsencrypt/live/proxmox.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 Oct 24 16:28 README
lrwxrwxrwx 1 root root  45 Oct 24 16:28 cert.pem -> ../../archive/proxmox.jcconnell.com/cert1.pem
lrwxrwxrwx 1 root root  46 Oct 24 16:28 chain.pem -> ../../archive/proxmox.jcconnell.com/chain1.pem
lrwxrwxrwx 1 root root  50 Oct 24 16:28 fullchain.pem -> ../../archive/proxmox.jcconnell.com/fullchain1.pem
lrwxrwxrwx 1 root root  48 Oct 24 16:28 privkey.pem -> ../../archive/proxmox.jcconnell.com/privkey1.pem

/etc/letsencrypt/live/unifi.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:37 README
lrwxrwxrwx 1 root root  43 Sep 18 00:00 cert.pem -> ../../archive/unifi.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  44 Sep 18 00:00 chain.pem -> ../../archive/unifi.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  48 Sep 18 00:00 fullchain.pem -> ../../archive/unifi.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  46 Sep 18 00:00 privkey.pem -> ../../archive/unifi.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/zoneminder.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:38 README
lrwxrwxrwx 1 root root  48 Sep 18 00:00 cert.pem -> ../../archive/zoneminder.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  49 Sep 18 00:00 chain.pem -> ../../archive/zoneminder.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  53 Sep 18 00:00 fullchain.pem -> ../../archive/zoneminder.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  51 Sep 18 00:00 privkey.pem -> ../../archive/zoneminder.jcconnell.com/privkey3.pem

Thanks! Could you also paste the contents of /etc/letsencrypt/renewal/couchpotato.jcconnell.com.conf and /etc/letsencrypt/renewal/plex.jcconnell.com.conf?

Thank you!!! I really appreciate your time.

cat /etc/letsencrypt/renewal/couchpotato.jcconnell.com.conf
# renew_before_expiry = 30 days
version = 0.12.0
archive_dir = /etc/letsencrypt/archive/couchpotato.jcconnell.com
cert = /etc/letsencrypt/live/couchpotato.jcconnell.com/cert.pem
privkey = /etc/letsencrypt/live/couchpotato.jcconnell.com/privkey.pem
chain = /etc/letsencrypt/live/couchpotato.jcconnell.com/chain.pem
fullchain = /etc/letsencrypt/live/couchpotato.jcconnell.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = a946a2b3f6d26f9291781bdfc6ab0181
webroot_path = /var/www/ssl-proof/couchpotato,
[[webroot_map]]
couchpotato.jcconnell.com = /var/www/ssl-proof/couchpotato

cat /etc/letsencrypt/renewal/plex.jcconnell.com.conf
# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/plex.jcconnell.com
cert = /etc/letsencrypt/live/plex.jcconnell.com/cert.pem
privkey = /etc/letsencrypt/live/plex.jcconnell.com/privkey.pem
chain = /etc/letsencrypt/live/plex.jcconnell.com/chain.pem
fullchain = /etc/letsencrypt/live/plex.jcconnell.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = a946a2b3f6d26f9291781bdfc6ab0181
[[webroot_map]]
plex.jcconnell.com = /var/www/ssl-proof/plex

OK, one other thing: which version of those certificates is your web server configuration currently pointed at?