After renewal, browser shows certificate information with old date

My domain is:
not important (I think)
I ran this command:
certbot renew
It produced this output:
Cert not yet due for renewal
My web server is (include version):
apache 2.4.10
The operating system my web server runs on is (include version):
debian 8.9
My hosting provider, if applicable, is:
not important (I think)
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no CP, just ssh

So, when I run the renew command without the force option, certbot says “Cert not yet due for renewal”. OK, I run it again, but with the force option, like this:

certbot renew --force-renewal

This time certbot shows a log with text about successful renewal of the certificate. In the “archive” folder, new files appear with the digit 2 in their names (like cert2.pem chain2.pem fullchain2.pem privkey2.pem). Also, the symlinks in the “live” folder now point to these new files from the “archive” folder (with 2 in their names). OK! I think it’s time to restart Apache. I do it with the command:

service apache2 restart

But now, when I open the site and view the certificate info in the browser, it shows the same old expiration date (Jan 1, 2018)

What’s the domain?

Why force Certbot to renew the certificate again?

How is Apache configured? Particularly, SSLCertificateFile, SSLCertificateKeyFile and (if set) SSLCertificateChainFile?

What Certbot command was used to create the certificate? What did the renew command output? What are the configuration files in /etc/letsencrypt/renewal/?

  2. just for a test - to see what will happen
  3. they point to symlink files in the “live” folder
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
  • Creation was a month ago, so I just don’t remember exactly. I remember that it was done manually with the “webroot” option.
  • I was disconnected from the ssh console, so the exact output was lost. Here are records from the letsencrypt log:

    2017-10-30 09:37:49, new private key to /etc/letsencrypt/archive/
    2017-10-30 09:37:49, certificate to /etc/letsencrypt/archive/
    2017-10-30 09:37:49, chain to /etc/letsencrypt/archive/
    2017-10-30 09:37:49, full chain to /etc/letsencrypt/archive/
    2017-10-30 09:37:50, new config /etc/letsencrypt/renewal/
    2017-10-30 09:37:50,928:DEBUG:certbot.renewal:no renewal failures

  • only one file with content

    # renew_before_expiry = 30 days
    version = 0.10.2
    archive_dir = /etc/letsencrypt/archive/
    cert = /etc/letsencrypt/live/
    privkey = /etc/letsencrypt/live/
    chain = /etc/letsencrypt/live/
    fullchain = /etc/letsencrypt/live/

    # Options used in the renewal process
    [renewalparams]
    authenticator = webroot
    installer = None
    account = 3b1456033a20346da3fe8577582385ca
    [[webroot_map]]
     = /var/www/html
     = /var/www/html

Now I open the certificate data in the browser again (after Ctrl + F5) and it shows the NEW expiration date (Jan 28, 2018). So now it looks like the certificate was renewed. What it was, I don’t know, maybe browser cache?..

Great. :smile:

Maybe. It sounds weird, but I heard of a browser bug like that once.

Apache wouldn't start using the new certificate until it was reloaded or restarted, but it won't keep using the old certificate after it was restarted.

For what it's worth, you can make Certbot automatically reload Apache with something like 'certbot renew --renew-hook "service apache2 reload"'. ('--deploy-hook' is preferred in newer versions of Certbot, but I think you have an older one.) You can modify the systemd timer/cron job to do that, or set it when creating the certificate with "certbot certonly --webroot", or by editing the renewal config file, or possibly by putting a hook script somewhere in /etc/letsencrypt/, depending on the Certbot package in use.

Additionally, if you use "certbot --apache", Certbot will automatically take care of reloading Apache. (And configuring it!) But it also has to be able to parse and modify your Apache configuration, which isn't always supported, especially with older Certbot versions.
