Trouble renewing with secondary domains

I previously set up a certificate using both versions of my primary domain ( and as well as some secondary domains that forward to the primary one (,,, and everything has running smoothly until it came time for renewal.

I had since used one of the secondary domains for some testing purposes, so it was no longer pointing to the primary domain, and so it wasn’t passing verification. And I’m not even sure why the other secondary domains were having DNS issues.

I realize now though that it wasn’t necessary to include those secondary domains on the certificate (at least I think that’s correct), and to bypass issues with the secondary domains, I’d like to simply start over again and only create a certificate for the primary domain (and the WWW-version of the domain name).

To my understanding, I can run the certonly command, generate the new certificate, and then replace the current certificate with the new one.

And so far, I ran…

~/certbot-auto certonly -d -d

…which resulted in…
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

I’m unclear though on what to do with these files, as /etc/letsencrypt/live/ contains 4 files, not 2, and they’re not even named the same: cert.pem, chain.pem, fullchain.pem, and privkey.pem

Any helpful input regarding how to install the new key and CSR (and perhaps clarify whether these are the only steps necessary for replacing the old certificate) would be great appreciated!

My operating system is (include version): CentOS 6.8

My web server is(include version): Apache 2.2.15

My hosting provider, if applicable, is: HostWinds

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, ZPanel

Hi @advantagen,

I think we need to change the output of Certbot in this regard, because the “Generating key” and “Generating CSR” messages don’t refer to anything that’s useful for most users.

The files that you see in /etc/letsencrypt/live/ are indeed the ones you’re meant to use. For Apache 2.2, if you edit your Apache configuration files yourself, the cert.pem goes with SSLCertificateFile, the privkey.pem goes with SSLCertificateKeyFile, and the chain.pem goes with SSLCertificateChainFile. If you instead use an option inside ZPanel to enter these files, maybe you can tell us what ZPanel is asking for.

Hey there @schoen,

I actually just made my way through, only to end up with …

Error: Account registration failed. Please start back at Step 1. { "type": "urn:acme:error:badNonce", "detail": "JWS has invalid anti-replay nonce gpXHdZKoJ_31ZdnWfh_Qmf-gdPQAdAuoobyZx3AfDD4", "status": 400 }

Setting that aside for the moment though, I’m not sure if you realize that, if I’m correct, the files that are currently in /etc/letsencrypt/live/ refer to the secondary domains, which I no longer wish to include. But maybe you mean there’s a way to edit those files so that they don’t include the other domains before renewing?

I can see where they’re listed in the httpd-hosts.conf file…

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

…and I guess I’m just not sure how to update them to reflect only the primary domains.

Does that make sense?

By the way, knowing where ZPanel stores this config file, I’m not even using ZPanel. It’s usually more of a pain in the ass than it’s worth, haha.

I welcome your thoughts and appreciate your assistance :grin:

Well, you said you ran certbot certonly so I was figuring that it succeeded and already obtained the new certificate that you need! Did it print a “Congratulations!” message at the end?

If you already had an /etc/letsencrypt/live/ before, you might have an with the new certificate, due to a rule that Certbot normally refuses to modify existing certificate lineages by removing names from them. shows that you did successfully issue a new cert containing just the two names you wanted, so you just need to find that certificate and change your Apache configuration to point to it. If you have a recent enough Certbot version, you can also get useful hints about existing certificates with the certbot certificates command.

Oh cool, I didn’t even notice that.

Yep, I updated the httpd config file with the new certs, restarted httpd, and everything’s happy. Thank you for pointing that out :slight_smile:

In the future then, I think all I’ll need to do is run ~/certbot-auto renew since there won’t be any issues with the other domains; correct?

Do you happen to have the commands handy that I’d need to put that in a cron job which runs every 60 days?

You'd want to specify the explicit path to certbot-auto, but otherwise you shouldn't need to add anything. But run it daily, not every 60 days--certbot will check your existing cert and only attempt to renew it if it has less than 30 days' (by default) validity remaining. If you only run the renewal every other month, and there's a glitch at the time you try to renew, your cert will be expired for a month the next time the renewal attempt runs.

Ok, thank you very much for the assistance!

Two other things to point out:

  • if you want the renewal process to reload your Apache configuration, you should add --renew-hook "apachectl reload" or a similar command that succeeds in doing so on your system (so that this command will be run for you by Certbot if any certificates were renewed).

  • if you still do have the other multi-domain certificate, you should probably delete it so that Certbot stops attempting to renew it!

@danb35’s point about running every day instead of every 60 days is totally right.

Aaaa, good thinking! I would’ve totally forgotten that the httpd service needs restarted. Thank you!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.