Letsencrypt renewal error, probably bug or missing options.

Discussion in 'General' started by zapyahoo, Mar 6, 2021.

  1. zapyahoo

    zapyahoo Member

    Today was my first lets encrypt renewal and it failed at dawn :rolleyes:
    I have read till:
    Let’s Encrypt Error FAQ
    And I think the error relates to:
    - Check that all domain names (incl. auto subdomain www etc.), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.

    Both the certificate creation and certificate renewal are not taking into account aliasdomain with different dns records that point to a totally different domain. This certificate should not be created under the main certificate that uses the correct dns and domain.


    Code:
    2021-03-06 03:04:01,136:WARNING:certbot.renewal:Attempting to renew cert (mydomain.org) from /etc/letsencrypt/renewal/mydomain.org.conf produced an unexpected error: Missing command line flag or config entr$
    Select the webroot for mydomain.org:
    Choices: ['Enter a new webroot', '/usr/local/ispconfig/interface/acme']
    
    2021-03-06 03:04:01,177:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
    2021-03-06 03:04:01,177:ERROR:certbot.renewal:  /etc/letsencrypt/live/mydomain.org/fullchain.pem (failure)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    A Let's Encrypt SSL cert of a website contains all domains, sub- and alias domains of the website that you added in ISPConfig to that website. If I understand you correctly, you changed DNS records of an alias domain to a different server after you created the initial SSL cert but you missed removing it in ISPConfig and therefore it's still in the LE cert? To fix that, delete the alias domain that is not pointing to this website in ISPConfig.
     
  3. zapyahoo

    zapyahoo Member

    Thank you for the reply. Not exactly, till.
    The process was:
    1. Old old.domain.com (sub domain) of different domain.
    1.a. with website
    1.b. with dns record (record still exists) since google is taking forever to move links via 302
    1.c. with SSL (not Let's Encrypt)

    2. newdomain.com
    2.a. website 1.a. was re-used for the new domain
    2.b. new dns record.
    2.b.b. new aliasdomain old.domain.com -> newdomain.com
    2.c. New SSL Lets Encrypt

    In 2.c.
    3 Let's Encrypt certificates were created successfully 3 months ago
    newdomain.com
    www.newdomain.com
    and old.domain.com
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    That's just one cert and not 3 certs, all domains of a site are in one cert and there is never more than one cert used by a website. You have to ensure that all domains, sub- and alias domains of the site point to the right IP address, 301 and 302 redirects don't matter and do not count as pointing to a specific server. If one of the domains included in that cert are not pointing to the server IP, then you must remove the sub or alias domain in ispconfig or you must fix the DNS record to point it back to the right IP.

    In case you have an old cert for a domain that does not exist anymore because you e.g. renamed the website, then you must delete that unused cert using the certbot command, as ISPConfig can not know if the cert is used by other services and therefore it can't delete the cert.

    Beside that, you can also force ISPConfig to create a new cert by unticking the Let's Encrypt checkbox of the site, pressing save, editing the settings again, enabling Let's Encrypt and pressing save. But this requires of course that all domains, sub- and aliasdomains that you added for that site in ISPConfig are indeed pointing to the IP of this server in DNS, otherwise LE won't issue a cert.
     
  5. zapyahoo

    zapyahoo Member

    All records point to the same ISPCONFIG ip, this is all in the same server.
    "force ISPConfig to create a new cert by unticking let's encrypt checkbox of the site,"
    Did that and it worked. Fails on renew.

    Maybe I'm missing the logic of a website SSL creating SSLs for an aliasdomain of a totally different domain! In my head this is an option inside aliasdomain.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can not know if it fails to renew again as the renewal of the cert that you created today is due in a few months. And it can not renew today if you re-created it today as I suggested you to do. And it won't fail to renew in a few months unless you point domains that are included in this cert to a different server.

    The domain name does not matter for this at all. I guess you don't know what a multidomain SSL cert is, which is available from all SSL authorities. LE certs are so-called multi domain SSL certs, they can contain up to 100 different domains in the same SSL cert.
     
    Last edited: Mar 6, 2021
  7. zapyahoo

    zapyahoo Member

    It tried a renew today from 3 months ago. This is the original thread when I consider using let's encrypt.
    https://www.howtoforge.com/communit...iasdomain-subdomains-other.85787/#post-413662

    Sure I know SAN and wildcard certs.

    So, I wonder where is the above error coming from:
    2021-03-06 03:04:01,136:WARNING:certbot.renewal:Attempting to renew cert (mydomain.org) from /etc/letsencrypt/renewal/mydomain.org.conf produced an unexpected error: Missing command line flag or config entr$
    Select the webroot for mydomain.org:
    Choices: ['Enter a new webroot', '/usr/local/ispconfig/interface/acme']
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    An error in the renewal conf file that is created and managed by certbot, caused by a bug in some older certbot versions:

    https://community.letsencrypt.org/t...-flag-or-config-entry-for-this-setting/111211

    Fix the renewal conf file manually and update certbot. The issue is not related to ISPConfig btw.
     
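As an added example (not code from this thread, ISPConfig or certbot), a small Python check for the symptom in the renewal log above: it parses a certbot renewal conf, reports the domains for which a non-interactive `certbot renew` would have to prompt for a webroot, and writes the `webroot_path` and `webroot_map` entries that stop the prompt. The sample conf is constructed; the webroot is the ISPConfig acme directory shown in the log, and the domain list is an assumption.

```python
# Constructed sample of a renewal conf as described in the thread: authenticator is
# webroot, but there is no webroot_path and the webroot_map section is empty.
SAMPLE_CONF = """\
archive_dir = /etc/letsencrypt/archive/mydomain.org
cert = /etc/letsencrypt/live/mydomain.org/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
"""

# Assumed: the ISPConfig acme directory named in the log output above.
WEBROOT = "/usr/local/ispconfig/interface/acme"


def parse_renewal_conf(text):
    """Return (renewalparams dict, webroot_map dict) from certbot's INI-like file."""
    params, webroot_map, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[webroot_map]]":
            section = "webroot_map"
        elif line.startswith("["):
            section = line.strip("[]")
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "webroot_map":
                webroot_map[key] = value
            elif section == "renewalparams":
                params[key] = value
    return params, webroot_map


def missing_webroots(text, domains):
    """Cert domains for which an unattended renewal would have to ask for a webroot."""
    params, webroot_map = parse_renewal_conf(text)
    if params.get("authenticator") != "webroot" or params.get("webroot_path"):
        return []  # not the webroot plugin, or a fallback path covers every domain
    return [d for d in domains if d not in webroot_map]


def fixed_conf(text, domains, webroot):
    """Return the conf with a webroot_path plus one webroot_map entry per domain."""
    params, webroot_map = parse_renewal_conf(text)
    out = []
    for line in text.splitlines():
        out.append(line)
        if line.strip() == "authenticator = webroot" and not params.get("webroot_path"):
            out.append(f"webroot_path = {webroot},")  # certbot stores this as a list
        if line.strip() == "[[webroot_map]]":
            out.extend(f"{d} = {webroot}" for d in domains if d not in webroot_map)
    if "[[webroot_map]]" not in text:  # older confs may lack the section entirely
        out.append("[[webroot_map]]")
        out.extend(f"{d} = {webroot}" for d in domains if d not in webroot_map)
    return "\n".join(out) + "\n"
```

Run it against a real file with the domains listed in the cert before editing, and keep a copy of the original conf so the change can be reverted.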