My domain is:
not important (i think)
I ran this command: certbot renew
It produced this output: Cert not yet due for renewal
My web server is (include version):
apache 2.4.10
The operating system my web server runs on is (include version):
debian 8.9
My hosting provider, if applicable, is:
not important (i think)
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no CP, just ssh
So, when I run the renew command without the force option, certbot says “Cert not yet due for renewal”. Ok, I run it again, but with the force option, like this:
certbot renew --force-renewal
This time certbot shows a log with text about the successful renewal of the certificate. In the “archive” folder new files appear with the digit 2 in their names (like cert2.pem chain2.pem fullchain2.pem privkey2.pem). Also, in the “live” folder the symlinks now point to these new files from the “archive” folder (with 2 in the names). Ok! As I think, it’s time to restart apache. I do it with the command:
service apache2 restart
But now, when I open the site and open the certificate info in the browser, it shows the same old expiration date (Jan 1, 2018).
How is Apache configured? Particularly, SSLCertificateFile, SSLCertificateKeyFile and (if set) SSLCertificateChainFile?
What Certbot command was used to create the certificate? What did the renew command output? What are the configuration files in /etc/letsencrypt/renewal/?
They point to the symlinked files in the “live” folder:
SSLCertificateFile /etc/letsencrypt/live/dmitrykhn.homedns.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dmitrykhn.homedns.org/privkey.pem
Creation was a month ago, so I just don’t remember exactly. I remember that it was manual with the “webroot” option.
I was disconnected from the ssh console, so the exact output was lost. Here are the records from the letsencrypt log:
2017-10-30 09:37:49,131:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/dmitrykhn.homedns.org/privkey2.pem.
2017-10-30 09:37:49,132:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/dmitrykhn.homedns.org/cert2.pem.
2017-10-30 09:37:49,146:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/dmitrykhn.homedns.org/chain2.pem.
2017-10-30 09:37:49,146:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/dmitrykhn.homedns.org/fullchain2.pem.
2017-10-30 09:37:50,912:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/dmitrykhn.homedns.org.conf.new.
2017-10-30 09:37:50,928:DEBUG:certbot.renewal:no renewal failures
Only one file, dmitrykhn.homedns.org.conf, with this content:
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/dmitrykhn.homedns.org
cert = /etc/letsencrypt/live/dmitrykhn.homedns.org/cert.pem
privkey = /etc/letsencrypt/live/dmitrykhn.homedns.org/privkey.pem
chain = /etc/letsencrypt/live/dmitrykhn.homedns.org/chain.pem
fullchain = /etc/letsencrypt/live/dmitrykhn.homedns.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 3b1456033a20346da3fe8577582385ca
[[webroot_map]]
dmitrykhn.homedns.org = /var/www/html
wifi-hotspot.zp.ua = /var/www/html
Now I open the certificate data in the browser again (after Ctrl + F5) and it shows the NEW expiration date (Jan 28 2018). So now it looks like the certificate was renewed. What it was - I don’t know, maybe browser cache?..
Maybe. It sounds weird, but I heard of a browser bug like that once.
Apache wouldn't start using the new certificate until it was reloaded or restarted, but it won't keep using the old certificate after it was restarted.
For what it's worth, you can make Certbot automatically reload Apache with something like 'certbot renew --renew-hook "service apache2 reload"'. ('--deploy-hook' is preferred in newer versions of Certbot, but I think you have an older one.) You can modify the systemd timer/cron job to do that, or set it when creating the certificate with "certbot certonly --webroot", or by editing the renewal config file, or possibly by putting a hook script somewhere in /etc/letsencrypt/, depending on the Certbot package in use.
Additionally, if you use "certbot --apache", Certbot will automatically take care of reloading Apache. (And configuring it!) But it also has to be able to parse and modify your Apache configuration, which isn't always supported, especially with older Certbot versions.
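To settle a "is it the browser cache or is Apache still serving the old certificate?" question without a browser at all, here is an added check (not from this thread and not Certbot's own code): it fetches the leaf certificate the server presents over TLS, compares it with /etc/letsencrypt/live/NAME/fullchain.pem, and reports which archive file (cert1.pem, cert2.pem, ...) is actually being served. It assumes the certbot lineage name passed on the command line is also the hostname to connect to; the directory layout is the one shown in the thread.

```python
import base64
import hashlib
import re
import socket
import ssl
import sys
from pathlib import Path
from typing import Dict, Optional

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate in a PEM string (the leaf in fullchain.pem)."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))

def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint, the same value a browser's certificate viewer shows."""
    return hashlib.sha256(der).hexdigest()

def fetch_served_der(host: str, port: int = 443) -> bytes:
    """Leaf certificate the live server presents (SNI sent), read directly over TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only read the certificate; nothing is trusted here
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def load_archive(archive_dir: Path) -> Dict[str, str]:
    """Map cert1.pem, cert2.pem, ... in a certbot archive directory to their PEM text."""
    return {p.name: p.read_text() for p in sorted(archive_dir.glob("cert*.pem"))}

def match_archive_version(served_der: bytes, archive: Dict[str, str]) -> Optional[str]:
    """Name of the archive file whose certificate is the one being served, if any."""
    for name, pem in archive.items():
        if pem_to_der(pem) == served_der:
            return name
    return None

if __name__ == "__main__":
    name = sys.argv[1]  # certbot lineage name; assumed to equal the served hostname
    served = fetch_served_der(name)
    live = pem_to_der(Path(f"/etc/letsencrypt/live/{name}/fullchain.pem").read_text())
    print("live fullchain.pem :", sha256_fingerprint(live))
    print("served certificate :", sha256_fingerprint(served))
    print("served == archive  :", match_archive_version(served, load_archive(Path(f"/etc/letsencrypt/archive/{name}"))))
```

If the two fingerprints differ, Apache did not pick up the new files on reload; if they match but the browser still shows the old date, the browser is showing a cached view.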