Browsers not picking up new SSL certificate

total 120
drwxr-xr-x   9 root         root          4096 Feb 21 17:16 .
drwxr-xr-x 106 root         root          4096 Feb 21 17:01 ..
drwx------   4 root         root          4096 Apr 13  2020 accounts
drwx------   3 root         root          4096 Feb 12  2020 archive
-rwxrwxr-x   1 kbaistrocchi kbaistrocchi 79897 Jun  6  2020 certbot-auto
-rw-r--r--   1 root         root           121 Feb 10  2019 cli.ini
drwxr-xr-x   2 root         root          4096 Feb 21 05:14 csr
drwx------   2 root         root          4096 Feb 21 05:14 keys
drwx------   3 root         root          4096 Feb 12  2020 live
drwxr-xr-x   2 root         root          4096 Dec 20 21:37 renewal
drwxr-xr-x   5 root         root          4096 Jan 29  2020 renewal-hooks
/etc/letsencrypt/accounts:
total 16
drwx------ 4 root root 4096 Apr 13  2020 .
drwxr-xr-x 9 root root 4096 Feb 21 17:16 ..
drwx------ 3 root root 4096 Apr 13  2020 acme-staging-v02.api.letsencrypt.org
drwx------ 3 root root 4096 Feb 12  2020 acme-v02.api.letsencrypt.org
/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Apr 13  2020 .
drwx------ 4 root root 4096 Apr 13  2020 ..
drwx------ 3 root root 4096 Apr 13  2020 directory
/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Apr 13  2020 .
drwx------ 3 root root 4096 Apr 13  2020 ..
drwx------ 2 root root 4096 Apr 13  2020 d916e62ed3a3f75e3c4177fe2a4f1294
/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/d916e62ed3a3f75e3c4177fe2a4f1294:
total 20
drwx------ 2 root root 4096 Apr 13  2020 .
drwx------ 3 root root 4096 Apr 13  2020 ..
-rw-r--r-- 1 root root   69 Apr 13  2020 meta.json
-r-------- 1 root root 1632 Apr 13  2020 private_key.json
-rw-r--r-- 1 root root   86 Apr 13  2020 regr.json
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Feb 12  2020 .
drwx------ 4 root root 4096 Apr 13  2020 ..
drwx------ 3 root root 4096 Feb 12  2020 directory
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Feb 12  2020 .
drwx------ 3 root root 4096 Feb 12  2020 ..
drwx------ 2 root root 4096 Feb 12  2020 1812750b834e59f2737f09ac1728fe0d
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/1812750b834e59f2737f09ac1728fe0d:
total 20
drwx------ 2 root root 4096 Feb 12  2020 .
drwx------ 3 root root 4096 Feb 12  2020 ..
-rw-r--r-- 1 root root   69 Feb 12  2020 meta.json
-r-------- 1 root root 1632 Feb 12  2020 private_key.json
-rw-r--r-- 1 root root   78 Feb 12  2020 regr.json
/etc/letsencrypt/archive:
total 12
drwx------ 3 root root 4096 Feb 12  2020 .
drwxr-xr-x 9 root root 4096 Feb 21 17:16 ..
drwxr-xr-x 2 root root 4096 Dec 20 21:37 vestasit.com

/etc/letsencrypt/archive/vestasit.com:
total 152
drwxr-xr-x 2 root root 4096 Dec 20 21:37 .
drwx------ 3 root root 4096 Feb 12  2020 ..
-rw-r--r-- 1 root root 1903 Feb 12  2020 cert1.pem
-rw-r--r-- 1 root root 1931 Feb 12  2020 cert2.pem
-rw-r--r-- 1 root root 1927 Apr 18  2020 cert3.pem
-rw-r--r-- 1 root root 1927 Apr 19  2020 cert4.pem
-rw-r--r-- 1 root root 1927 Jun 19  2020 cert5.pem
-rw-r--r-- 1 root root 1927 Aug 18  2020 cert6.pem
-rw-r--r-- 1 root root 1927 Oct 17 08:44 cert7.pem
-rw-r--r-- 1 root root 1858 Dec 16 10:09 cert8.pem
-rw-r--r-- 1 root root 1858 Dec 20 21:37 cert9.pem
-rw-r--r-- 1 root root 1647 Feb 12  2020 chain1.pem
-rw-r--r-- 1 root root 1647 Feb 12  2020 chain2.pem
-rw-r--r-- 1 root root 1647 Apr 18  2020 chain3.pem
-rw-r--r-- 1 root root 1647 Apr 19  2020 chain4.pem
-rw-r--r-- 1 root root 1647 Jun 19  2020 chain5.pem
-rw-r--r-- 1 root root 1647 Aug 18  2020 chain6.pem
-rw-r--r-- 1 root root 1647 Oct 17 08:44 chain7.pem
-rw-r--r-- 1 root root 1586 Dec 16 10:09 chain8.pem
-rw-r--r-- 1 root root 1586 Dec 20 21:37 chain9.pem
-rw-r--r-- 1 root root 3550 Feb 12  2020 fullchain1.pem
-rw-r--r-- 1 root root 3578 Feb 12  2020 fullchain2.pem
-rw-r--r-- 1 root root 3574 Apr 18  2020 fullchain3.pem
-rw-r--r-- 1 root root 3574 Apr 19  2020 fullchain4.pem
-rw-r--r-- 1 root root 3574 Jun 19  2020 fullchain5.pem
-rw-r--r-- 1 root root 3574 Aug 18  2020 fullchain6.pem
-rw-r--r-- 1 root root 3574 Oct 17 08:44 fullchain7.pem
-rw-r--r-- 1 root root 3444 Dec 16 10:09 fullchain8.pem
-rw-r--r-- 1 root root 3444 Dec 20 21:37 fullchain9.pem
-rw------- 1 root root 1708 Feb 12  2020 privkey1.pem
-rw------- 1 root root 1704 Feb 12  2020 privkey2.pem
-rw------- 1 root root 1708 Apr 18  2020 privkey3.pem
-rw------- 1 root root 1708 Apr 19  2020 privkey4.pem
-rw------- 1 root root 1704 Jun 19  2020 privkey5.pem
-rw------- 1 root root 1704 Aug 18  2020 privkey6.pem
-rw------- 1 root root 1704 Oct 17 08:44 privkey7.pem
-rw------- 1 root root 1704 Dec 16 10:09 privkey8.pem
-rw------- 1 root root 1704 Dec 20 21:37 privkey9.pem

/etc/letsencrypt/csr:
total 104
drwxr-xr-x 2 root root 4096 Feb 21 05:14 .
drwxr-xr-x 9 root root 4096 Feb 21 17:16 ..
-rw-r--r-- 1 root root  920 Feb 12  2020 0000_csr-certbot.pem
-rw-r--r-- 1 root root  944 Feb 12  2020 0001_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 13  2020 0002_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 13  2020 0003_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 14  2020 0004_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 14  2020 0005_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 15  2020 0006_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 15  2020 0007_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 16  2020 0008_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 16  2020 0009_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 17  2020 0010_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 17  2020 0011_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 18  2020 0012_csr-certbot.pem
-rw-r--r-- 1 root root  944 Apr 19  2020 0013_csr-certbot.pem
-rw-r--r-- 1 root root  944 Jun 19  2020 0014_csr-certbot.pem
-rw-r--r-- 1 root root  944 Aug 18  2020 0015_csr-certbot.pem
-rw-r--r-- 1 root root  944 Oct 17 08:44 0016_csr-certbot.pem
-rw-r--r-- 1 root root  944 Dec 16 10:09 0017_csr-certbot.pem
-rw-r--r-- 1 root root  944 Dec 20 21:37 0018_csr-certbot.pem
-rw-r--r-- 1 root root  944 Feb 19 04:19 0019_csr-certbot.pem
-rw-r--r-- 1 root root  944 Feb 19 15:56 0020_csr-certbot.pem
-rw-r--r-- 1 root root  944 Feb 20 03:16 0021_csr-certbot.pem
-rw-r--r-- 1 root root  944 Feb 20 23:00 0022_csr-certbot.pem
-rw-r--r-- 1 root root  944 Feb 21 05:14 0023_csr-certbot.pem

/etc/letsencrypt/keys:
total 104
drwx------ 2 root root 4096 Feb 21 05:14 .
drwxr-xr-x 9 root root 4096 Feb 21 17:16 ..
-rw------- 1 root root 1708 Feb 12  2020 0000_key-certbot.pem
-rw------- 1 root root 1704 Feb 12  2020 0001_key-certbot.pem
-rw------- 1 root root 1704 Apr 13  2020 0002_key-certbot.pem
-rw------- 1 root root 1708 Apr 13  2020 0003_key-certbot.pem
-rw------- 1 root root 1704 Apr 14  2020 0004_key-certbot.pem
-rw------- 1 root root 1704 Apr 14  2020 0005_key-certbot.pem
-rw------- 1 root root 1704 Apr 15  2020 0006_key-certbot.pem
-rw------- 1 root root 1708 Apr 15  2020 0007_key-certbot.pem
-rw------- 1 root root 1704 Apr 16  2020 0008_key-certbot.pem
-rw------- 1 root root 1708 Apr 16  2020 0009_key-certbot.pem
-rw------- 1 root root 1708 Apr 17  2020 0010_key-certbot.pem
-rw------- 1 root root 1704 Apr 17  2020 0011_key-certbot.pem
-rw------- 1 root root 1708 Apr 18  2020 0012_key-certbot.pem
-rw------- 1 root root 1708 Apr 19  2020 0013_key-certbot.pem
-rw------- 1 root root 1704 Jun 19  2020 0014_key-certbot.pem
-rw------- 1 root root 1704 Aug 18  2020 0015_key-certbot.pem
-rw------- 1 root root 1704 Oct 17 08:44 0016_key-certbot.pem
-rw------- 1 root root 1704 Dec 16 10:09 0017_key-certbot.pem
-rw------- 1 root root 1704 Dec 20 21:37 0018_key-certbot.pem
-rw------- 1 root root 1704 Feb 19 04:19 0019_key-certbot.pem
-rw------- 1 root root 1704 Feb 19 15:56 0020_key-certbot.pem
-rw------- 1 root root 1700 Feb 20 03:16 0021_key-certbot.pem
-rw------- 1 root root 1704 Feb 20 23:00 0022_key-certbot.pem
-rw------- 1 root root 1704 Feb 21 05:14 0023_key-certbot.pem

/etc/letsencrypt/live:
total 16
drwx------ 3 root root 4096 Feb 12  2020 .
drwxr-xr-x 9 root root 4096 Feb 21 17:16 ..
-rw-r--r-- 1 root root  740 Feb 12  2020 README
drwxr-xr-x 2 root root 4096 Dec 20 21:37 vestasit.com
/etc/letsencrypt/live/vestasit.com:
total 12
drwxr-xr-x 2 root root 4096 Dec 20 21:37 .
drwx------ 3 root root 4096 Feb 12  2020 ..
-rw-r--r-- 1 root root  692 Feb 12  2020 README
lrwxrwxrwx 1 root root   36 Dec 20 21:37 cert.pem -> ../../archive/vestasit.com/cert9.pem
lrwxrwxrwx 1 root root   37 Dec 20 21:37 chain.pem -> ../../archive/vestasit.com/chain9.pem
lrwxrwxrwx 1 root root   41 Dec 20 21:37 fullchain.pem -> ../../archive/vestasit.com/fullchain9.pem
lrwxrwxrwx 1 root root   39 Dec 20 21:37 privkey.pem -> ../../archive/vestasit.com/privkey9.pem
/etc/letsencrypt/renewal:
total 12
drwxr-xr-x 2 root root 4096 Dec 20 21:37 .
drwxr-xr-x 9 root root 4096 Feb 21 17:16 ..
-rw-r--r-- 1 root root  596 Dec 20 21:37 vestasit.com.conf
/etc/letsencrypt/renewal-hooks:
total 20
drwxr-xr-x 5 root root 4096 Jan 29  2020 .
drwxr-xr-x 9 root root 4096 Feb 21 17:16 ..
drwxr-xr-x 2 root root 4096 Jan 29  2020 deploy
drwxr-xr-x 2 root root 4096 Jan 29  2020 post
drwxr-xr-x 2 root root 4096 Jan 29  2020 pre
/etc/letsencrypt/renewal-hooks/deploy:
total 8
drwxr-xr-x 2 root root 4096 Jan 29  2020 .
drwxr-xr-x 5 root root 4096 Jan 29  2020 ..
/etc/letsencrypt/renewal-hooks/post:
total 8
drwxr-xr-x 2 root root 4096 Jan 29  2020 .
drwxr-xr-x 5 root root 4096 Jan 29  2020 ..
/etc/letsencrypt/renewal-hooks/pre:
total 8
drwxr-xr-x 2 root root 4096 Jan 29  2020 .
drwxr-xr-x 5 root root 4096 Jan 29  2020 ..
2 Likes

Is it possible that I'm just missing the '/' at the end of the webroot path?

webroot_path = /var/www/html,

2 Likes

Shouldn't matter. Certbot wasn't even seeing the webroot path for some reason.

3 Likes

Your files appear fine. Strange indeed. Let's test another way...

sudo certbot certonly --webroot -w /var/www/html -d "vestasit.com,www.vestasit.com" --deploy-hook "/usr/local/lsws/bin/lswsctrl reload" --dry-run

3 Likes

Could this error be due to the bug mentioned in Certbot drops webroot options from renewal configuration file · Issue #7048 · certbot/certbot · GitHub ?

The bug does mention authz reuse, which might be the previous time you struggled with certbot earlier in this thread.

I think it's because it's missing the webroot_map entries.

3 Likes

vestasit.com" --deploy-hook "/usr/local/lsws/bin/lswsctrl reload" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vestasit.com
http-01 challenge for www.vestasit.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

An unexpected error occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 387, in _make_request
six.raise_from(e, None)
File "", line 3, in raise_from
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 383, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib/python3.6/http/client.py", line 1373, in getresponse
response.begin()
File "/usr/lib/python3.6/http/client.py", line 311, in begin
version, status, reason = self._read_status()
File "/usr/lib/python3.6/http/client.py", line 272, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
File "/usr/lib/python3.6/socket.py", line 586, in readinto
return self._sock.recv_into(b)
File "/usr/lib/python3.6/ssl.py", line 1012, in recv_into
return self.read(nbytes, buffer)
File "/usr/lib/python3.6/ssl.py", line 874, in read
return self._sslobj.read(len, buffer)
File "/usr/lib/python3.6/ssl.py", line 631, in read
v = self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 367, in increment
raise six.reraise(type(error), error, _stacktrace)
File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 389, in _make_request
self._raise_timeout(err=e, url=url, timeout_value=read_timeout)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 309, in _raise_timeout
raise ReadTimeoutError(self, url, "Read timed out. (read timeout=%s)" % timeout_value)
urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
During handling of the above exception, another exception occurred:
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.

2 Likes

Doh...

I've just posted an inquiry for that error:

3 Likes

I was just reading another thread about adding a webroot_map but I'm not sure how to go about doing that.

I was looking at this thread: Auto renewal started failing with error - Missing command line flag or config entry for this setting

I don't know a lot about this stuff so I'm reluctant to start messing around in case I break something.

2 Likes

Just hold tight for now. I want to see the error you just got addressed first.

3 Likes

Hm, I've replicated your renewal configuration file and my certbot 1.11.0 is handling that nicely. Although it seems to hang at "Waiting for verification", as staging is down for me.. now :stuck_out_tongue:

In any case, the missing webroot_map is not an issue with my version, as it still has the default webroot_path, which is used.

2 Likes
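Added example, not part of the original thread and not Certbot's own code: a simplified model of the fallback discussed above, where a domain with no `[[webroot_map]]` entry uses the default `webroot_path` (the "for all unmatched domains" log line). The sample file content, the `example.test` names and the function names are constructed for illustration; taking the last `webroot_path` entry as the default is an assumption about Certbot's behaviour.

```python
# Constructed sample in the layout certbot writes under /etc/letsencrypt/renewal/.
# Domain names and paths are placeholders, not the poster's real file.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/example.test
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
example.test = /var/www/html
"""

def parse_renewal_conf(text):
    """Return (renewalparams dict, webroot_map dict) from renewal-conf text."""
    params, wmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # "[renewalparams]" and the nested "[[webroot_map]]" both end up bare
            section = line.strip("[]").strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if section == "renewalparams":
            params[key.strip()] = value.strip()
        elif section == "webroot_map":
            wmap[key.strip()] = value.strip()
    return params, wmap

def resolve_webroots(text, domains):
    """Map each domain to (webroot, source); webroot is None if nothing applies."""
    params, wmap = parse_renewal_conf(text)
    # webroot_path is stored as a comma-separated list, hence the trailing comma.
    paths = [p.strip() for p in params.get("webroot_path", "").split(",") if p.strip()]
    default = paths[-1] if paths else None  # assumption: last entry is the default
    result = {}
    for name in domains:
        if name in wmap:
            result[name] = (wmap[name], "webroot_map")
        elif default:
            result[name] = (default, "webroot_path")
        else:
            result[name] = (None, "missing")
    return result
```

A domain that resolves to `(None, "missing")` is the case where an unattended renewal has no webroot to write the http-01 challenge file into.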

Is it down, again? :astonished:

2 Likes

I'm getting a read timeout from staging, yes.

3 Likes

In the meantime...
Can we have a look at the output of?:
apachectl -S

2 Likes

Staging server flakiness has been addressed by the Let's Encrypt staff. Please try this again when you can and report back to us:

sudo certbot certonly --webroot -w /var/www/html -d "vestasit.com,www.vestasit.com" --deploy-hook "/usr/local/lsws/bin/lswsctrl reload" --dry-run

2 Likes

input:
apachectl -S

output:
Command 'apachectl' not found, but can be installed with:
apt install apache2
Please ask your administrator.

2 Likes

input:
sudo certbot certonly --webroot -w /var/www/html -d "vestasit.com,www.vestasit.com" --deploy-hook "/usr/local/lsws/bin/lswsctrl reload" --dry-run

output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Dry run: skipping deploy hook command: /usr/local/lsws/bin/lswsctrl reload
IMPORTANT NOTES:

  • The dry run was successful.

3 Likes

It seems that LiteSpeed is not Apache - LOL

Now that the --dry-run worked, just remove "--dry-run" from that last command and get a real cert.

3 Likes

But shouldn't it be doing this automatically? I thought it was checking twice a day to see if certificates were within 30 days of expiration and if so they would auto-renew. Why is it not renewing automatically?

2 Likes

Did the renewal look like this?:

[probably not (exactly)]

If you can renew it now that way, it will remember those details for the next renewal.

2 Likes

So please try:

[and show the resulting output]

2 Likes