Failed to obtain certificate

Hi, I just migrated/restored my Freedombox to another system and mostly everything is working, except it seems the let’s encrypt cert expired mid June and didn’t seem to want to renew, either on the old machine, or the new one. It appears to be complaining that it cannot decide which domain to use? I think that is the problem, but I don’t know how to fix it. :frowning:

This is the error I am getting when attempting to renew the cert from the Let’s Encrypt section in the FB web menu:
*‘PLACEHOLDER’ in place of the actual domain name

Failed to obtain certificate for domain (“Error obtaining certificate: Saving debug log to /var/log/letsencrypt/letsencrypt.log\nPlugins selected: Authenticator webroot, Installer None\nMissing command line flag or config entry for this setting:\nPlease choose an account\nChoices: [‘ (f9ed)’, ‘Freedombox.freedombox.local@2023-07-25T05:33:44Z (a9ea)’]\n”, b’‘, b’\x1b[31m ERROR\x1b[0m \x1b[94m__main__ \x1b[0m

Problem Description
Trying to Renew Cert using Let’s Encrypt

Steps to Reproduce

  1. Select Re-obtain certificate

Expected Results
Renew expired cert

Actual results
Error obtaining certificate



  • FreedomBox version: Debian GNU/Linux 11 (bullseye) and FreedomBox version 23.6.2
  • Hardware: PC
  • How did you install FreedomBox?: on Debian server

Is your domain name right in plinth/sys/config?

Is your account name PLACEHOLDER, or is it SOMETHING_ELSE? In this case you’d do:

The domain name field needs the external FQDN for the host, not the DNS domain. I interpret the domain name field as, “what is the DNS record to use with the certificate?”

Thanks for the reply. That bit seems fine. Just trying to re-obtain the cert again from plinth/sys/letsencrypt/ and I notice the error shows:

Failed to obtain certificate for domain ("Error obtaining certificate: Saving debug log to /var/log/letsencrypt/letsencrypt.log\nMissing command line flag or config entry for this setting:\nPlease choose an account\nChoices: [‘ (f9ed)’, ‘Freedombox.freedombox.local@2023-07-25T05:33:44Z (a9ea)’

I don’t know if there is supposed to be 2 choices (one appears to be a local (freedombox.local) and one is my public facing domain ( which is a side issue perhaps? )

Both domains referenced in the error above have ‘freedombox.’ added to the beginning, which is obviously wrong. My domain is not and never was ‘

My public facing domain should be: ‘

I don’t know why it shows ‘’, unless I did something wrong or the restoration did something?

Any idea where I can edit the hostname details to remove the ‘freedombox.’ prefix?

Still struggling with this. Been poking around without any change.

Running Diagnostics and everything is okay except for the Let’s Encrypt part. The domain I am using is correct, but it’s appearing twice. I don’t know if that is normal.

When I go to the domain it brings me to my FB login, which is what I expect.

Maybe just asking a dumb question here but if you do a dig command to see what the DNS servers return as an IP address, is it yours?

Indeed the dig command reveals the correct IP, as does sys/dynamicdns from the FB settings. All the same IP, so nothing strange there.

I gather from the Let’s Encrypt error that it cannot choose between two entries, which leads me to believe that is the source of the problem.

This FB was recently restored from a backup (all possible settings restored), so my guess is that either settings have been duplicated during the restore, or I just did something dumb (most likely) and so I’m just trying to figure out how best to undo that based on the error.

Having said that, it appears my cert is valid now until Oct and everything seems to be working, so maybe not a show stopper per se, but something still isn’t right.

Just a thought… is your FBX connected to a router/modem? if so, you may need check that your ports 80 and 443 are forwarded to the same ports on your FBX

Yes, Thanks. I appreciate your response. Initially that’s how I was able to get a valid cert. However, the problem is not with the connection, it’s with the choice of domains as there are two. Just tried it again and it’s the same message as before.

What a joke this is. Still wondering why I would even keep trying when I’m just going around in circles wasting my time. I tried running letsencrypt from the terminal in verbose mode and im getting permissions issues with an account that has admin rights to everything. Why is this so difficult? I thought this project was supposed to solve more problems than it seemingly creates. I realize I’m ranting and all that, but honestly wondering what the point is to this when I have to constantly try to figure out problems after updates break something. Not everyone wants to tinker with computer settings all day.

letsencrypt -v
The following error was encountered:
[Errno 13] Permission denied: ‘/var/log/letsencrypt/.certbot.lock’
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at See the logfile /tmp/certbot-log-l4or89z_/log or re-run Certbot with -v for more details.

The problem seems to be that my domain is set in Freedombox twice (must have happened after restoring my backup on a new instance), so Certbot can’t decide which one to use/renew since they are identical domains.

How can I take one of these out, and does it matter which one?

*I tried deleting the cert and then restoring from backup for lack of any other knowledge, but it’s the exact same message. Is there a reason why two identical entries would be showing up here?

On the Let’s encrypt app page, after clicking on the settings icon you can try to “rerun setup”. If that doesn’t help, try this workaround:

I appreciate the response. I don’t seem to have a ‘rerun setup’ option, if I am looking in the right place? From the Lets Encrypt app page:

Looking at the workaround, there seems to be some key details missing. I don’t know where to find this information. I presume I would need to use the terminal, but where do I go, what do I do exactly so I don’t break something? Thank You.

*Maybe I should just go back to Debian 11, install FB again, then restore?

Oh, I’m sorry. I forgot the Git link is geared towards the dev team; the config files are located under /etc/apache2/sites-available/.
You can try:

  1. sudo cp /etc/apache2/sites-available/ /etc/apache2/sites-available/
  2. sudo a2ensite
  3. sudo systemctl reload apache2

To revert the changes, run sudo a2dissite && sudo systemctl reload apache2

Thanks for the response. I have 3 .conf files in /etc/apache2/sites-available/:

  1. 000-default.conf *contents seem default and not of importance on

  2. default-ssl.conf

  3. freedombox-default.conf

*I see for both the default-ssl.conf and the freedombox-default.conf files they contain:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

*Which one do I copy please?

You should leave those intact. Instead, you should see a conf file with the title of your domain name. Does it not exist?

This is what I have:

On the web interface, can you submit your domain name under It seems like the domain name wasn’t restored.

Yes the domain name is there already. Should I try to restore an older backup of my lets encrypt data then? Maybe the previous backup has a problem?

This has been resolved. For what it’s worth, here is what I had to do:

I installed a fresh instance of FB on top of Debian 11 server (ProxMox VM) and restored one of my full backups. Then purely from the web interface in the lets encrypt section, I deleted the cert that was there and obtained a new one.

I’m using Matrix and initially that wasn’t working, so I had to disable it, select ‘update setup’, then enable, and ‘update setup’ again, then it worked.

Hope this helps. I learned that upgrading FB from Debian 11 to 12 is generally not a good idea if you are going to be dumb like me and not have a way to revert back quickly.


Hello @Frankie,

Lets hope the next freedombox full upgrade to Debian 13, codename “Trixie” will go as it should do !

If not we are better prepared ?

Regards: peter

1 Like