My SSL certificates renewed and, according to my LiteSpeed server log, the server restarted, but browsers don't pick up the new certificate.
If I manually restart the server on the command line then browsers pick up the new certificates. However, this has been going on for almost a year now and I can't SSH into the server every two months to manually restart it.
How can I make this work?
This is the 3rd thread I've made on this topic. Unfortunately, I never know if things are working until two months after I've made a change and the new certificate is issued, so this has been a very slow process.
For info on my server, versions, commands, please refer to the previous threads:
1st thread - I thought things were solved but turns out not to be so.
You can test the renewal deployment hook using the following command. Warning: the command above and the following command will each acquire a new certificate. You are limited to acquiring 5 new certificates in any 7-day period.
sudo certbot renew --force-renewal
Your crontab at that point should only be running:
Thank you for the detailed response! I will try what you recommended.
I'm just curious though, why it's not working currently? As far as I can tell the certificate renews exactly when expected and the server restarts. So why are the browsers not picking up the new certificate?
Turns out this directory /usr/local/lsws/vestasit.com/html doesn't exist. There's no directory with my domain name inside usr/local/lsws/. May I ask what is supposed to be in there?
That was my assumption of the webroot directory of your website based on the standard documentation. Substitute the proper webroot directory accordingly.
I used that path and the certificate did renew and was picked up by browsers. I will check again in two months to see if the browsers pick up the next renewal without issue.
Just writing to keep this thread open for another 30 days so that I can let the community know if the above solution worked. Need to wait for the auto renewal to run again.
The SSL cert is now less than 30 days from expiring and this time it has not renewed.
Here is the output from certbot certificates:
Found the following certs:
Certificate Name: vestasit.com
Domains: vestasit.com www.vestasit.com
Expiry Date: 2021-03-20 20:37:18+00:00 (VALID: 27 days)
Certificate Path: /etc/letsencrypt/live/vestasit.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vestasit.com/privkey.pem
To recap, previously my cert was renewing and the server was restarting but the changes were not being picked up by browsers. Now, the cert is not renewing.
I did a dry run as I don't want to renew the certificate until I make another attempt to fix this. Every time I think I've found the solution I have to wait 2 months to see if it actually worked. So if I renew the certificate with sudo certbot renew then I'll have to wait 2 months to see if any changes I make work. Therefore I used the following command:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vestasit.com
http-01 challenge for www.vestasit.com
Cleaning up challenges
Attempting to renew cert (vestasit.com) from /etc/letsencrypt/renewal/vestasit.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for vestasit.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vestasit.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vestasit.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
VERY INTERESTING. I've never received an error before. Looks like I have the wrong webroot? But I have no idea how or what I need to change.
My webroot, I'm fairly certain, is in /var/www/html which is what appears in my certificate renewal config file.
Here is the content of /etc/letsencrypt/renewal/vestasit.com.conf :
Your configuration file seems to be missing the webroot path or it's malfunctioning. Renew does not allow interactive input, so it skipped letting you enter the webroot path.
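One way to catch this before the next unattended renewal, as an added example that is not part of the original thread or of certbot itself: a small check that reads a renewal file and reports every domain for which the webroot authenticator would have to prompt, or whose webroot directory is missing. The sample file, the example.com names and the function names are constructed; the fallback to the last `webroot_path` entry is an assumption about how certbot resolves unmapped domains.

```python
import os

# Constructed sample renewal file (not the poster's): www.example.com has no webroot.
SAMPLE = """\
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = webroot
[[webroot_map]]
example.com = /var/www/html
"""

def parse_renewal_conf(text):
    """Parse the sectioned key = value file into {section: {key: value}}.
    Top-level keys land under "", [[webroot_map]] under "webroot_map"."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = line.strip("[]").strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def webroot_problems(conf_text, domains, isdir=os.path.isdir):
    """List the domains a non-interactive renewal could not validate via webroot."""
    conf = parse_renewal_conf(conf_text)
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []  # other authenticators do not use a webroot
    wmap = conf.get("webroot_map", {})
    # webroot_path is a comma-separated list; assumed fallback is its last entry.
    paths = [p.strip() for p in params.get("webroot_path", "").split(",") if p.strip()]
    problems = []
    for domain in domains:
        root = wmap.get(domain) or (paths[-1] if paths else None)
        if root is None:
            problems.append(f"{domain}: no webroot_map entry and no webroot_path")
        elif not isdir(root):
            problems.append(f"{domain}: webroot {root} is not a directory")
    return problems

if __name__ == "__main__":
    for problem in webroot_problems(SAMPLE, ["example.com", "www.example.com"]):
        print(problem)
```

Pass the domain list shown by certbot certificates and the text of the file under /etc/letsencrypt/renewal/; an empty result means every domain resolves to an existing directory.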