Description
SSL certificates successfully renew via Let’s Encrypt, but the “www” sub-domain is not included (removed) when renewing, despite being previously selected. Once the “www” sub-domain is added, reissuing the certificate works without any issues as expected.
However, the issue repeats after a couple months: once the certificate is close to expiration, renewal is triggered, but the “www” selection is seemingly removed and the new certificate issued with only the base domain “example.com”.
I’ve tried searching around the forums for similar issues, but haven’t seen anything regarding this specific situation.
Environment
Kernel: Linux 4.18.0-553.46.1.el8_10.x86_64
# cpcmd misc:cp-version
revision: 2534956605b72c08231f89d983e79cdf5ccf7415
timestamp: 1743708692
ver_maj: 3
ver_min: 2
ver_patch: 46
ver_pre: 5-g253495660
dirty: false
debug: false
Set [letsencrypt] => alternative_form to true.
cpcmd scope:set cp.config letsencrypt alternative_form true
Hostnames will get dropped during renewal if any subdomain - www included - fails validation checks.
Any such errors are emailed both to the site owner (siteinfo,email value) as well as the administration if [crm] => copy_admin is set. By default, this delivers to root and can be retrieved from the command-line using mutt.
Thank you! I wasn’t able to find any record of failure emails in root mailbox, but I’ve now set crm => copy_admin, so hopefully that will work in the future.
I’m assuming for letsencrypt => alternative_form, only one of either the root domain or “www” subdomain need to validate to the correct IP for both to pass validation check, and allow for the certificate to be renewed?
No, both are checked. Any failing hostname in a bundle will result in Let’s Encrypt rejecting the order. Account > Settings > SSL. Enable “Strict Tolerance” to disable this behavior: if any hostname would be dropped to complete the request, then no renewal order is submitted.
I recommend using a wildcard certificate (*.domain.com), which includes www as well as any subdomain (including mail., ftp., etc). In order to use a wildcard, DNS must be managed directly by ApisCP as only DNS validation is available for wildcards.
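As an added illustration (not ApisCP's own code), the following Python models the two renewal policies described in the reply above and doubles as a pre-renewal check: pointed at the live resolver it reports which hostnames in a bundle do not resolve to the server. It approximates Let's Encrypt validation by comparing each hostname's A record to the server IP; the server IP and the sample DNS map are constructed values.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]


def live_resolve(hostname: str) -> Optional[str]:
    """Resolve a hostname to its first IPv4 address, or None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def plan_renewal(hostnames: List[str], server_ip: str, strict: bool,
                 resolve: Resolver = live_resolve) -> Tuple[Optional[List[str]], List[str]]:
    """Model the renewal behaviour described in the thread.

    Every hostname in the bundle must point at this server to pass validation.
    Non-strict: failing hostnames are dropped and the order continues with the rest.
    Strict Tolerance: if any hostname would be dropped, no order is submitted (None).
    Returns (hostnames_to_order, dropped_hostnames).
    """
    kept, dropped = [], []
    for host in hostnames:
        if resolve(host) == server_ip:
            kept.append(host)
        else:
            dropped.append(host)
    if strict and dropped:
        return None, dropped
    return kept, dropped


# Constructed sample (assumption): the www record points at a stale IP,
# reproducing the "www gets dropped" symptom reported in the thread.
SAMPLE_DNS: Dict[str, Optional[str]] = {
    "example.com": "203.0.113.10",
    "www.example.com": "203.0.113.99",  # stale A record, will fail validation
}


def sample_resolve(hostname: str) -> Optional[str]:
    return SAMPLE_DNS.get(hostname)


if __name__ == "__main__":
    bundle = ["example.com", "www.example.com"]
    for strict in (False, True):
        order, dropped = plan_renewal(bundle, "203.0.113.10", strict, sample_resolve)
        print(f"strict={strict}: order={order} dropped={dropped}")
```

Swap `sample_resolve` for the default `live_resolve` to check a real bundle before the renewal window opens.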