Understanding why renewal fails with this line

I have two domains, domain.com and sub.domain.com.
I am using nginx. And I used the --nginx flag.

Running certbot renew --dry-run would result in sub.domain.com successfully renewing and domain.com failing to do so, with the following output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
Waiting for verification...
Challenge failed for domain domain.com
http-01 challenge for domain.com
Cleaning up challenges
Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Some challenges have failed.. Skipping.

However, simply removing the conf file for sub.domain.com would make the renewal work for domain.com.

That was weird, and after more testing, here is what I found out.

At the very end of both domains' conf files, I have something like this:

server {
    if ($host = domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name domain.com;
    listen 80;
    return 404; # managed by Certbot
}

And for sub.domain.com it is:

server {
    if ($host = sub.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name sub.domain.com;
    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot
}

For some reason the conf file of sub.domain.com had listen [::]:80; in it.
If I remove it, then certbot renew --dry-run works for both domains without issues.
Conversely, if I add it to the domain.com conf file, then it also works.

That was pretty hard to find out...

Can anybody explain to me what was going on?
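An added diagnostic, not part of the thread, that models the nginx behaviour behind this symptom: nginx chooses a server block by listen address:port first and by server_name second, and Let's Encrypt validates over IPv6 when the name has an AAAA record, so a name whose block lacks a listener on a socket another block binds is served by that socket's default block. The script embeds the two HTTP blocks from the post as a constructed sample and lists every server_name that is missing a listener some other block has.

```python
import re

# Constructed sample mirroring the two HTTP server blocks quoted in the post.
SAMPLE_CONF = """
server {
    if ($host = domain.com) { return 301 https://$host$request_uri; } # managed by Certbot
    server_name domain.com;
    listen 80;
    return 404; # managed by Certbot
}
server {
    if ($host = sub.domain.com) { return 301 https://$host$request_uri; } # managed by Certbot
    server_name sub.domain.com;
    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot
}
"""

def normalize_listen(value):
    # In nginx a bare port binds every IPv4 address; "[::]:port" binds every IPv6 address.
    return value if ":" in value else f"0.0.0.0:{value}"

def parse_server_blocks(conf):
    """Minimal parser: one {"names": [...], "listens": [...]} dict per top-level server block."""
    blocks, depth, current = [], 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        if depth == 0 and re.match(r"server\s*\{", line):
            current = {"names": [], "listens": []}
        elif current is not None and depth == 1:     # only directives directly inside server {}
            m = re.match(r"(listen|server_name)\s+([^;]+);", line)
            if m and m.group(1) == "listen":
                current["listens"].append(normalize_listen(m.group(2).split()[0]))
            elif m:
                current["names"].extend(m.group(2).split())
        depth += line.count("{") - line.count("}")
        if depth == 0 and current is not None:
            blocks.append(current)
            current = None
    return blocks

def find_fallthrough(blocks):
    """Names not bound on every socket some block uses: requests for such a name on
    the missing socket go to that socket's default block, whatever its server_name."""
    sockets = {s for b in blocks for s in b["listens"]}
    return {name: sorted(sockets - set(b["listens"]))
            for b in blocks for name in b["names"] if sockets - set(b["listens"])}

if __name__ == "__main__":
    for name, missing in find_fallthrough(parse_server_blocks(SAMPLE_CONF)).items():
        print(f"{name}: no listener on {', '.join(missing)}; requests there fall through")
```

Running it against a live config (nginx -T output) flags the same asymmetry the post found by trial and error: domain.com has no [::]:80 listener, so IPv6 validation requests for it land in the sub.domain.com block and get its 404.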
