Browsers don't recognize renewed certificate

Please replace the Expired Certificate (good idea to keep a copy until it is all working) with the New Certificate. And then restart the Apache server service or reboot the machine.


I tried that, but the problem is that the new certificate is not recognized. Checks still result in "certificate expired" messages.

@twellit, the site is serving 04:60:8E:71:E6:6F:E9:10:EE:06:95:80:61:5E:60:F8:2A:42 — that is, this certificate. Can you find that certificate anywhere on your server's disk now? Can you find any reference to it in your server's configuration file?


Sorry, I am not that experienced with this. Do I have to look for a .cert file? What would be a reference to the certificate?

A worthwhile thing to try first is sudo certbot certificates; after that you could conceivably try

sudo find /etc -name '*pem' -print -exec openssl x509 -serial -noout -in '{}' ';' 2>/dev/null | grep -B 1 04608E71E6

or more ambitiously

sudo find /etc -print -exec openssl x509 -serial -noout -in '{}' ';' 2>/dev/null | grep -B 1 04608E71E6

I predict you most likely have an overlapping or duplicative certificate under a slightly different certificate name (like -0000) in /etc/letsencrypt somewhere.


sudo certbot certificates gives me this:

Found the following certs:
  Certificate Name:
    Serial Number: 32d038eba11cabeefb0ce928805cab39d5d
    Key Type: RSA
    Expiry Date: 2023-06-04 06:11:38+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/

Do you mean this:

[root@*** letsencrypt]# cd keys
[root@*** keys]# ls
0000_key-certbot.pem  0004_key-certbot.pem  0008_key-certbot.pem  0012_key-certbot.pem  0016_key-certbot.pem  0020_key-certbot.pem  0024_key-certbot.pem
0001_key-certbot.pem  0005_key-certbot.pem  0009_key-certbot.pem  0013_key-certbot.pem  0017_key-certbot.pem  0021_key-certbot.pem
0002_key-certbot.pem  0006_key-certbot.pem  0010_key-certbot.pem  0014_key-certbot.pem  0018_key-certbot.pem  0022_key-certbot.pem
0003_key-certbot.pem  0007_key-certbot.pem  0011_key-certbot.pem  0015_key-certbot.pem  0019_key-certbot.pem  0023_key-certbot.pem

Should I just delete them starting with 0001?

There is no need to delete any of them - that won't fix anything [it will only clear up a little bit of disk space].


Nope, and apparently my first guess was wrong!

I'm pretty confused about what is broken, but maybe you could try the find command that I posted above!


I don't get any results when trying both of your suggested commands, unfortunately.

Should there be a cert1 and a cert 2?


Yes, there should be. (That's the old version and new version.)

Is there any other device involved here that the old certificate might be installed on, like a firewall or proxy server or load balancer?


There might be a pfx file stored somewhere. We had to provide a pfx file to the people where the server is located. Not sure what they did with that file and where it was stored. Will ask. Thanks!

Oooh, yeah, that would be really important. If that file is in use somewhere, it needs to be regenerated and replaced every time the certificate is renewed!

We can write scripts to help with that, but that could explain a lot about the current problems.


OK, finally light at the end of the tunnel! They used that file for a WAF, but didn't tell us to renew the file each time, which of course we newbies didn't think about. So I will create a new pfx and see how that goes.

What is the best way to create a pfx file, btw?

If there would be a script we could use, that would be great.

Thanks for pointing me to the problem!


Problem solved! What a relieve!

Thanks, y'all! This is a very helpful community!


I'm glad it worked!

How do you submit the PFX file to the people maintaining the WAF? By e-mail? With a web form? Is there a way to upload it directly there rather than sending it to other human beings?


I just save it in a temporary folder, and they grab it. I don't know what they then do with the firewall.

Not a big deal to renew the certificate every 90 days and then save that file. Just glad that the problem is solved. :slightly_smiling_face:

1 Like

The Certbot documentation describes the option to use a deploy hook:

  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "") (default: None)

This command would be run automatically by Certbot whenever the certificate is renewed, so you can make it do however much of your new certificate deployment process can be automated (e.g. creating the PFX file using an openssl pkcs12 command, copying it to a specific location, maybe sending an e-mail to someone about it?).

The amount that you can automate with scripting obviously varies a lot in different environments. :slight_smile: