Cert due for renewal but newly created cert already outdated

Please fill out the fields below so we can help you better.

My domain is: staging.keel.space

I ran this command: certbot certonly --expand --webroot --webroot-path /home/keel/sources/site/klstaging

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): staging.keel.space
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for keel.space
Using the webroot path /home/keel/sources/site/klstaging for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/keel.space/fullchain.pem. Your cert
   will expire on 2017-06-28. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): Apache/2.4.7 (Ubuntu)

The operating system my web server runs on is (include version):

Linux Keel 3.13.0-57-generic #95-Ubuntu SMP Fri Jun 19 09:28:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

Date time on server is ok: date outputs: Sat Jul 8 08:25:07 EDT 2017

Thanks !

This is usually because for some reason (perhaps something other than certbot has made some change to the /etc/letsencrypt/ directory), the symbolic links were not correctly updated after the certificate was renewed.

If that’s the case you can fix it by manually updating the links. Look for your latest issued certificate and related files in /etc/letsencrypt/archive/keel.space/ and make sure the symbolic links in /etc/letsencrypt/live/keel.space/ are pointing to them.

Could you post “ls -alR /etc/letsencrypt/{archive,live}”, and “openssl x509 -in /etc/letsencrypt/live/keel.space/fullchain.pem -noout -text”?

ok, looking here I see that there are some symlink related to the main domain symlinking to the staging… I take a look here.

ok so: this is the output :

total 12
drwxr-xr-x 2 root root 4096 Jul  8 08:11 .
drwx------ 5 root root 4096 Jul  8 08:10 ..
-rw-r--r-- 1 root root  543 Mar 30 07:22 README
lrwxrwxrwx 1 root root   49 Jul  8 08:11 cert.pem -> ../../archive/staging.keel.space/cert1.pem
lrwxrwxrwx 1 root root   50 Jul  8 08:11 chain.pem -> ../../archive/staging.keel.space/chain1.pem
lrwxrwxrwx 1 root root   54 Jul  8 08:11 fullchain.pem -> ../../archive/staging.keel.space/fullchain1.pem
lrwxrwxrwx 1 root root   52 Jul  8 08:11 privkey.pem -> ../../archive/staging.keel.space/privkey1.pem

So it appears that there are no staging.keel.space ... not a big surprise as the cert are only generated and uploaded to stackpath. The server does not serve the HTTPS website. But I was expecting to see a folder named staging.keel.space

En enabled website are:

lrwxrwxrwx 1 root root   35 Nov 12  2015 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root   52 Sep 30  2016 keel-le-ssl.conf -> /etc/apache2/sites-available/keel-le-ssl.conf
lrwxrwxrwx 1 root root   35 Nov 18  2015 keel.conf -> ../sites-available/keel.conf
lrwxrwxrwx 1 root root   50 Sep 30  2016 klstaging-le-ssl.conf -> /etc/apache2/sites-available/klstaging-le-ssl.conf
lrwxrwxrwx 1 root root   33 Jul  1  2016 klstaging.conf -> ../sites-available/klstaging.conf

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.