On my server I want to renew certificates only for domains that succeed the verification challenge, how to proceed? Currently I face:

```bash
certbot --nginx-ctl /usr/sbin/nginx --force-renew renew
```
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gitea.lemnoslife.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for v.lemnoslife.com and 6 more domains
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gitea.lemnoslife.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for crawler.yt.lemnoslife.com and 5 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: crawler.yt.lemnoslife.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for crawler.yt.lemnoslife.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for crawler.yt.lemnoslife.com - check that a DNS record exists for this domain

Domain: private.yt.lemnoslife.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for private.yt.lemnoslife.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for private.yt.lemnoslife.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate gitea.lemnoslife.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gitlab.lemnoslife.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for private.yt.lemnoslife.com and 9 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: crawler.yt.lemnoslife.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for crawler.yt.lemnoslife.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for crawler.yt.lemnoslife.com - check that a DNS record exists for this domain

Domain: private.yt.lemnoslife.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for private.yt.lemnoslife.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for private.yt.lemnoslife.com - check that a DNS record exists for this domain

Domain: yt4.lemnoslife.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for yt4.lemnoslife.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for yt4.lemnoslife.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate gitlab.lemnoslife.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/overleaf.lemnoslife.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for overleaf.lemnoslife.com
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pim.etesync.lemnoslife.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for pim.etesync.lemnoslife.com
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/private.yt.lemnoslife.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for private.yt.lemnoslife.com and yt4.lemnoslife.com
Failed to renew certificate private.yt.lemnoslife.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: too many failed authorizations (5) for "private.yt.lemnoslife.com" in the last 1h0m0s, retry after 2026-03-31 23:39:09 UTC: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-identifier-per-account

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/server0.lemnoslife.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for server0.lemnoslife.com
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/v.lemnoslife.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for v.lemnoslife.com
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/videos.lemnoslife.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for videos.lemnoslife.com
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following renewals succeeded:
/etc/letsencrypt/live/gitea.lemnoslife.com-0001/fullchain.pem (success)
/etc/letsencrypt/live/overleaf.lemnoslife.com/fullchain.pem (success)
/etc/letsencrypt/live/pim.etesync.lemnoslife.com/fullchain.pem (success)
/etc/letsencrypt/live/server0.lemnoslife.com/fullchain.pem (success)
/etc/letsencrypt/live/v.lemnoslife.com/fullchain.pem (success)
/etc/letsencrypt/live/videos.lemnoslife.com/fullchain.pem (success)

The following renewals failed:
/etc/letsencrypt/live/gitea.lemnoslife.com/fullchain.pem (failure)
/etc/letsencrypt/live/gitlab.lemnoslife.com/fullchain.pem (failure)
/etc/letsencrypt/live/private.yt.lemnoslife.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
Mar 31, 11:44pm

Your issue stems from Certbot attempting to renew all certificates in your configuration, but failing for domains where DNS challenges (or other challenges) are not passing. You want to renew only those certificates that pass the verification challenge—i.e., only the ones that Certbot can successfully verify.


Solution: Renew Only Successfully Verified Certificates

1. Check Which Certificates Can Be Renewed

Certbot does not have a built-in flag to "only renew if the challenge passes," but you can:

  • Dry-run renewals to see which domains would succeed before actually renewing.
  • Manually specify only the domains that passed in your last successful renewal.

Step 1: Dry-run Renewal

Run a dry-run to see which certificates would pass:

```bash
certbot renew --dry-run --nginx-ctl /usr/sbin/nginx
```

This will simulate the renewal process and show you which domains would succeed.

Step 2: Identify Successfully Verified Domains

From your last successful renewal, you see:

  • gitea.lemnoslife.com-0001
  • overleaf.lemnoslife.com
  • pim.etesync.lemnoslife.com
  • server0.lemnoslife.com
  • v.lemnoslife.com
  • videos.lemnoslife.com

These are the domains that did pass the challenge.


2. Renew Only the Successfully Verified Domains

You can use the --cert-name or --domains flag to target only the certificates you want to renew.

Option A: Use --cert-name

```bash
certbot renew --cert-name gitea.lemnoslife.com-0001 --nginx-ctl /usr/sbin/nginx
certbot renew --cert-name overleaf.lemnoslife.com --nginx-ctl /usr/sbin/nginx
certbot renew --cert-name pim.etesync.lemnoslife.com --nginx-ctl /usr/sbin/nginx
certbot renew --cert-name server0.lemnoslife.com --nginx-ctl /usr/sbin/nginx
certbot renew --cert-name v.lemnoslife.com --nginx-ctl /usr/sbin/nginx
certbot renew --cert-name videos.lemnoslife.com --nginx-ctl /usr/sbin/nginx
```

Option B: Use --domains

If you want to renew all domains in a certificate config file:

```bash
certbot renew --domains gitea.lemnoslife.com,v.lemnoslife.com --nginx-ctl /usr/sbin/nginx
```

(Replace the domains with the ones you want to renew.)


3. Automate the Process

If you want to automate this, you can write a script that:

  1. Parses the output of certbot renew --dry-run to identify which certificates would succeed.
  2. Only renews those certificates.

Example Script

```bash
#!/bin/bash

# Certificate lineage names (as accepted by --cert-name) that passed
# the challenge in the last renewal run; update this list after each dry-run
successful_domains=(
    "gitea.lemnoslife.com-0001"
    "overleaf.lemnoslife.com"
    "pim.etesync.lemnoslife.com"
    "server0.lemnoslife.com"
    "v.lemnoslife.com"
    "videos.lemnoslife.com"
)

# Renew only the listed certificates, one certbot invocation per lineage
for domain in "${successful_domains[@]}"; do
    certbot renew --cert-name "$domain" --nginx-ctl /usr/sbin/nginx
done
```

Save this as renew_certs.sh, make it executable (chmod +x renew_certs.sh), and run it.


4. Debugging Failed Renewals

For the domains that failed (gitea.lemnoslife.com, gitlab.lemnoslife.com, private.yt.lemnoslife.com), check:

  • DNS records: Ensure A and AAAA records exist for all domains.
  • Nginx configuration: Ensure Certbot can temporarily modify your Nginx config for the challenge.
  • Rate limits: You hit a rate limit for private.yt.lemnoslife.com. Wait before retrying.

5. Automate with Certbot Hooks (Advanced)

You can use Certbot's --pre-hook and --post-hook to run checks before/after renewal, but this is more complex.


Summary Table

| Task | Command |
|---|---|
| Dry-run renewal | `certbot renew --dry-run --nginx-ctl /usr/sbin/nginx` |
| Renew only successful domains | `certbot renew --cert-name DOMAIN --nginx-ctl /usr/sbin/nginx` |
| Automated script | See above |

Let me know if you want help writing a more sophisticated script or debugging a specific domain!

Mar 31, 11:44pm

This is a shared conversation and may include unverified content that doesn't reflect Mistral AI's views.