Auto renew cert with wildcard

Hi ! The thing comes from this topic:

The thing is now, I use this command to renew cert and it works perfect(or run without errors):
certbot certonly
–dns-digitalocean
–dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini
–dns-digitalocean-propagation-seconds 60
-d ‘*.demoswp.com’
-d demoswp.com

How can I do to renew the cert ?
I had in my crontab this line:
/usr/local/bin/certbot renew

does it will work ?

AND … The console said me certificate expire in 2019/08/08 but certificate in chrome or in webpages said previous expiration date (2019-05-27)

/usr/local/bin/certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: demoswp.com
    Domains: *.demoswp.com demoswp.com
    Expiry Date: 2019-08-08 17:22:28+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/demoswp.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/demoswp.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

https://crt.sh/?q=demoswp.com
https://www.ssllabs.com/ssltest/analyze.html?d=demoswp.com


My domain is:
demoswp.com

I ran this command:
certbot certonly
–dns-digitalocean
–dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini
–dns-digitalocean-propagation-seconds 60
-d ‘*.demoswp.com’
-d demoswp.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-digitalocean, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for demoswp.com
dns-01 challenge for demoswp.com
Unsafe permissions on credentials configuration file: /root/.secrets/certbot/digitalocean.ini
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/demoswp.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/demoswp.com/privkey.pem
   Your cert will expire on 2019-08-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
nop

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0


Hi @anibalardid

crt.sh is currently buggy. You have created a new certificate ( https://check-your-website.server-daten.de/?q=demoswp.com ):

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
904483810 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-10 17:22:28 2019-08-08 17:22:28 *.demoswp.com, demoswp.com
2 entries duplicate nr. 1
845639864 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-04-03 17:37:27 2019-07-02 17:37:27 mailrelay.demoswp.com
1 entries
784375402 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-02-26 19:16:18 2019-05-27 19:16:18 *.demoswp.com, demoswp.com
2 entries

But crt.sh doesn’t list it and you don’t use it. You use

CN=*.demoswp.com
	26.02.2019
	27.05.2019
expires in 17 days	*.demoswp.com, demoswp.com - 2 entries

But if you use certonly, the certificate isn’t installed.

Perhaps it’s enough if you reload / restart your server.

So do that - then recheck your domain.

Hi ! thanks for your answer …
Sorry for my fault, how can I run it correctly ? wihtout certonly ?
I copied it from digitalocean tutorial

Rechecked your domain - https://check-your-website.server-daten.de/?q=demoswp.com

Now you use the new certificate:

CN=*.demoswp.com
	10.05.2019
	08.08.2019
expires in 90 days	*.demoswp.com, demoswp.com - 2 entries

What did you changed? Restart the server?

If this is enough, add a --deploy-hook to automate that:

Thanks ! Yes, I restarted apache, that previously i forget it :slight_smile:

to renew it … in cron …
what command I need to run ?
certbot renew is ok ?

Also, I have friend that cant enter to my page.

It receive alert that cant access to page.
“This site cant provide secure connection”

He tried also with private browsing.

What can we try to fix it ?

There is a new check of your domain - https://check-your-website.server-daten.de/?q=demoswp.com - created yesterday, 14.05.2019 07:56:10.

There is no problem visible, non-www and www are secure.

The friend should share a screenshot.

Perhaps he had used a subdomain with www, so www.subdomain.demoswp.com was used. That isn’t secure.

HI !
Hi sendme 2 screenshots, here you can see both:
Imgur
Imgur

Checked your demoswp.com via Ssllabs:

https://www.ssllabs.com/ssltest/analyze.html?d=demoswp.com&hideResults=on

There is a good Grade A.

Looks like your friend has a too old client.

1 Like

Thats strange, he is my partner in my project :frowning:

Anything that I can try ?

Is possible to create new 100% clean certificate ?

It’s not a problem of the certificate.

It’s a problem of the device your partner uses.

If Ssllabs shows a Grade A, the webserver configuration should work with all clients max. 10 years old.

Only - new - idea: Your partner uses a firewall or a anti virus software that tries to change something.

Ssllabs has a client check:

https://www.ssllabs.com/ssltest/viewMyClient.html

Your partner should use that page to check his device / browser.

1 Like

THANKS SO MUCH !

I will send this comment to him, so, we wait the response :smiley:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.