Hello all. My LetsEncrypt certificate expired recently, on the 4th, and all attempts to renew it have failed. I’ve read quite a few posts here by people with similar issues, but none of those solutions (rebuilding the container, running manual renewal commands, etc) have worked for me.
Following the troubleshooting section of the guide, I discovered an error in my logs (./launcher logs app):
[Fri Dec 6 05:30:05 PM UTC 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Dec 6 05:30:05 PM UTC 2024] Multi domain='DNS:discourse.[DOMAIN1].org,DNS:discourse.[DOMAIN1].org,DNS:[DOMAIN2].org'
[Fri Dec 6 05:30:05 PM UTC 2024] Getting domain auth token for each domain
[Fri Dec 6 05:30:07 PM UTC 2024] Getting webroot for domain='discourse.[DOMAIN1].org'
[Fri Dec 6 05:30:08 PM UTC 2024] Getting webroot for domain='discourse.[DOMAIN1].org'
[Fri Dec 6 05:30:08 PM UTC 2024] Getting webroot for domain='[DOMAIN2].org'
[Fri Dec 6 05:30:08 PM UTC 2024] Verifying: discourse.[DOMAIN1].org
[Fri Dec 6 05:30:08 PM UTC 2024] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Dec 6 05:30:12 PM UTC 2024] Pending, The CA is processing your order, please just wait. (2/30)
[Fri Dec 6 05:30:15 PM UTC 2024] Pending, The CA is processing your order, please just wait. (3/30)
[Fri Dec 6 05:30:19 PM UTC 2024] Pending, The CA is processing your order, please just wait. (4/30)
[Fri Dec 6 05:30:22 PM UTC 2024] Success
[Fri Dec 6 05:30:22 PM UTC 2024] Verifying: discourse.[DOMAIN1].org
[Fri Dec 6 05:30:23 PM UTC 2024] Success
[Fri Dec 6 05:30:23 PM UTC 2024] Verifying: [DOMAIN2].org
[Fri Dec 6 05:30:23 PM UTC 2024] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Dec 6 05:30:27 PM UTC 2024] [DOMAIN2].org:Verify error:198.49.23.145: Invalid response from http://[DOMAIN2].org/.well-known/acme-challenge/ohJAvgwBR81O8qmzsMPx-ZnmxoKOPAfuGCz0VZJeFWk: 404
[Fri Dec 6 05:30:27 PM UTC 2024] Please check log file for more details: /shared/letsencrypt/acme.sh.log
CN = discourse.[DOMAIN1].org
error 10 at 0 depth lookup: certificate has expired
error fullchain.cer: verification failed
First of all, why are there two domains showing up here? I only need a certificate on DOMAIN1, the domain where our Discourse instance lives. DOMAIN2 is our SMTP relay host, and already has a certificate.
Secondly, the LetsEncrypt log file mentioned (/shared/letsencrypt/acme.sh.log) does not exist, or at least I can’t find it at the location it’s giving.
Most importantly, is there a way to make the script stop looking at DOMAIN2, and just successfully renew the certificate on DOMAIN1?
We’re running on a Digital Ocean droplet, installed using their script, but it seems like that’s still what you’d consider a standard install. Cloudflare is managing DNS, but the orange cloud is turned off. No reverse proxy exists that I’m aware of.
Correct. That IP address belongs to [DOMAIN2], a different domain we own which has nothing to do with Discourse, which goes back to my original question of why that domain and IP are even showing up in the logs?
DNS is working fine. I can still access the site if I bypass the browser’s warning about the expired certificate. Our other non-Discourse website is working just fine as well. Our hostname (the Discourse one, not the other one) is discourse.gomomentum.org.
This was a tough one! I just couldn’t come up with a reason that let’s encrypt would be going to the wrong host. Turns out it’s not always DNS.
tl;dr: You told let’s encrypt to get certs for your bare domain in addition to the Discourse one, and later changed DNS for the bare domain to point to your other site.
And the longer version . . .
One day, you wanted Discourse to handle requests for not only discourse.gomomentum.org but also gomomentum.org, so you added a stanza to your app.yml as described here: Set up Let’s Encrypt with multiple domains / redirects
So, let’s encrypt requests checked that both of those domains were originally going to your Discourse server.
This explains why those requests for SOME OTHER DOMAIN were going to let’s encrypt.
Then, another day, likely years later, but sometime in the past 3 months, someone decided that gomomentum.org should go to your main site and not the Discourse site anymore. And at that point, let’s encrypt stopped working, but the certs last for 3 months, so by the time this happened, it was mostly impossible to connect the DNS change with this cert renewal failing to work.
I removed that stanza from your app.yml and did a rebuild and you’re back in business!
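A pre-flight check for the failure mode Jay describes, added here as an illustration and not taken from the thread, discourse_docker or acme.sh: it pulls the names out of acme.sh's "Multi domain=" line and confirms each one resolves to this host before a renewal is attempted, so a DNS change like the one above shows up as a named mismatch instead of a bare 404 months later. The function names, the hypothetical script name and the documentation-range IPs are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight check for an HTTP-01 renewal: every name the order covers must
# resolve to this host, or the CA's challenge request lands on another server
# and fails with a 404 exactly as in the log above. Hypothetical helper, not
# part of discourse_docker or acme.sh.
set -u

# A-record lookup, one address per line (overridable for offline testing).
resolve_a() {
  dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Read acme.sh output on stdin and print the unique names from the last
# "Multi domain='DNS:a,DNS:b'" line (the log above lists DOMAIN1 twice).
domains_from_log() {
  grep -o "Multi domain='[^']*'" | tail -n 1 \
    | sed -e "s/^Multi domain='//" -e "s/'$//" \
    | tr ',' '\n' | sed 's/^DNS://' | awk 'NF && !seen[$0]++'
}

# check_acme_domains <expected_ip> <domain>...
# Prints one line per name; returns 0 only if every name points here.
check_acme_domains() {
  local expected="$1"; shift
  local rc=0 d ips
  for d in "$@"; do
    ips=$(resolve_a "$d")
    if [ -z "$ips" ]; then
      echo "NO A RECORD: $d"; rc=1
    elif ! printf '%s\n' "$ips" | grep -qxF "$expected"; then
      echo "MISMATCH: $d -> $(echo "$ips" | tr '\n' ' ')(expected $expected)"; rc=1
    else
      echo "OK: $d -> $expected"
    fi
  done
  return "$rc"
}

# Stand-alone use: ./acme-preflight.sh <this host's public IPv4> < acme.sh.log
# With Cloudflare proxying (orange cloud) on, the A record is Cloudflare's, so
# the address to compare against would be that one, not the droplet's.
if [ $# -eq 1 ]; then
  check_acme_domains "$1" $(domains_from_log)
fi
```

Run it from the same host that serves /.well-known/acme-challenge/ so the expected address is the one the CA will actually be sent to.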
Indeed, I remember now, I fiddled a lot with the domain stuff when I was having email issues a few months back. This seems to be an unintended side effect of all the guesswork I did back then. Thanks, Jay!