Cert renewal not updating to new expiry date

Hi,

Sorry about my lack of knowledge in all things certs.
I’ve been trying to renew a cert that expires in about 15 days. A previous colleague created the cert initially just under 3 months ago. The strange thing is when I try to renew the cert, the expiry date is still the old expiry date 2020-09-24 when I need it to renew completely to a date 3 months later.

On another note, I did try certbot-auto renew, which didn’t work, so I used the command listed below instead to try renewing.

My domain is: devbankamp.com.au

I ran this command: /usr/local/bin/certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns-01 --agree-tos -d *.devbankamp.com.au -d devbankamp.com.au

It produced this output: Only have output in a screenshot now sadly. In summary,
Cert due for renewal, renewing an existing cert. Congratulations, key file saved at devbankamp.com.au/privkey.pem. Cert will expire on 2020-09-24…

My web server is (include version):

The operating system my web server runs on is (include version): Redhat 7

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.7.0

All help appreciated, thanks so much.

Cheers,
Jason

1 Like

I don’t think this is right. If the certificate is issued today that date is supposed to be 90 days later.

What’s the output of command sudo certbot certificates?
@griffin Thanks

Thank you

2 Likes

Probably an error in this case. :wink: Now the output of the following command on the other hand may help:

sudo /usr/local/bin/certbot-auto certificates

Thanks @rg305 for pointing out my lack of detail. :slightly_smiling_face:

2 Likes

According to https://crt.sh/?q=devbankamp.com.au, there have been 6 certificates issued since then. They come in pairs (precertificate and certificate) if you’re wondering why there appear to be 12. I noticed that you used certonly. Based on the “success” message you received with the old certificate date, I am suspecting that either:

  • there are missing/broken/outdated symlinks so your old certificate is “stuck”
  • the permissions are wrong and your new private key and certificate could not actually be written

I’m assuming that the output you’ve posted is live and not from an old log entry…

@stevenzhu

By the by, brother, your own server (stevenz.net) is throwing a 403. :thinking:

Yup. It’s intended.
Oh wait, it’s a 403 with hidden contents.

2 Likes

Ah. :slightly_smiling_face: It’s always my favorite thing (massive sarcasm) when default error pages provided by hosting services result in a 200 for an error page being served.

@stevenzhu

I’m only getting the 403 with a sniffer. I’m assuming there’s something I’m missing.

2 Likes

I would like to point out:
certonly
--manual
--preferred-challenges dns-01 | -d *.devbankamp.com.au

Skipping over the manual wildcard/DNS auth request… (for now)
If the cert was renewed, then the web server just needs to be reloaded/restarted.
So was the cert actually renewed?

Care to share that screenshot?

That sounds like it just “reapplied” the current cert - not actually renewed anything.

1 Like

I suspected similar @rg305. There have already been 6 new certificates issued since that date though.

Then something has gone terribly wrong.

1 Like

I concur. I threw out a couple of suspicions, but without more details I’m not sure.

Possibly also an error (or command not found) - LOL

So maybe:
sudo /usr/local/bin/certbot-auto certificates

1 Like

Doh :laughing: You got me on that one.

@snoople

Please use the command from @rg305:

3 Likes

@stevenzhu

So, @rg305 got us both. :upside_down_face:

1 Like

4 eyes are better than 2
and
6 are better than 4 :slight_smile:

3 Likes

@snoople

Welcome to the Let’s Encrypt Community :slightly_smiling_face:

Larry, Moe, and Curly here. Between the three of us you’re sure to laugh your way to security.

1 Like

Hey guys,

Sorry, was just grabbing lunch and all. I may have broken some symlinks somehow in the past. And I’ve had quite a few attempts at renewing, which might explain the many certs flying around. To give some more context, I generate the certs on this server then apply them on many other Windows servers.

Haha loving the banter here though :stuck_out_tongue:

[root@ip-10-162-30-120 bnk_admin]# sudo /usr/local/bin/certbot-auto certificates
WARNING: unable to check for updates.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/devbankamp.com.au-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/devbankamp.com.au-0001/cert.pem to be a symlink. Skipping.
OCSP check failed for /etc/letsencrypt/live/devbankamp.com.au/cert.pem (are we offline?)
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/ocsp.py", line 188, in _check_ocsp_cryptography
    timeout=timeout)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectTimeout(e, request=request)
ConnectTimeout: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7ff716966350>, 'Connection to ocsp.int-x3.letsencrypt.org timed out. (connect timeout=10)'))


Found the following certs:
Certificate Name: devbankamp.com.au
Serial Number: 3290486b96d1d26172e0f3bee47da1e6610
Domains: *.devbankamp.com.au devbankamp.com.au
Expiry Date: 2020-09-24 02:45:32+00:00 (VALID: 15 days)
Certificate Path: /etc/letsencrypt/live/devbankamp.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/devbankamp.com.au/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/devbankamp.com.au-0001.conf


2 Likes
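A read-only check for the two conditions discussed in this thread (a live/ entry that is not a symlink, as in the error above, and a symlink "stuck" on an older archive version), added here as an example and not code from any poster or from certbot itself. It assumes certbot's standard layout of live/<name>/<kind>.pem linking to archive/<name>/<kind>N.pem; the function names are this example's own.

```python
import os
import re
from pathlib import Path

# The four entries certbot keeps in live/<name>/, each a symlink into archive/<name>/.
KINDS = ("cert", "chain", "fullchain", "privkey")


def newest_version(archive_dir, kind):
    """Highest N among archive/<name>/<kind>N.pem, or 0 if none exist."""
    pattern = re.compile(r"^%s(\d+)\.pem$" % re.escape(kind))
    found = [int(m.group(1)) for m in map(pattern.match, os.listdir(str(archive_dir))) if m]
    return max(found, default=0)


def check_lineage(config_dir, name):
    """Return a list of problem strings for one lineage; empty means healthy."""
    live = Path(config_dir) / "live" / name
    archive = Path(config_dir) / "archive" / name
    if not archive.is_dir():
        return ["%s: archive directory missing" % archive]
    problems = []
    for kind in KINDS:
        link = live / (kind + ".pem")
        if not link.is_symlink():
            # The condition certbot reports as "expected ... to be a symlink".
            state = "a regular file" if link.exists() else "missing"
            problems.append("%s is %s, expected a symlink" % (link, state))
            continue
        target = Path(os.path.realpath(str(link)))
        if not target.exists():
            problems.append("%s is a dangling symlink" % link)
        elif target.parent != Path(os.path.realpath(str(archive))):
            problems.append("%s points outside %s" % (link, archive))
        else:
            m = re.match(r"^%s(\d+)\.pem$" % kind, target.name)
            newest = newest_version(archive, kind)
            if m is None or int(m.group(1)) < newest:
                # A newer cert was written to archive/ but live/ still serves the old one.
                problems.append("%s -> %s, but archive has newer version %d"
                                % (link, target.name, newest))
    return problems


if __name__ == "__main__":
    root = "/etc/letsencrypt"  # default certbot config dir (assumed, matches the paths above)
    for entry in sorted(Path(root, "live").iterdir()):
        if entry.is_dir():
            for line in check_lineage(root, entry.name) or ["%s: OK" % entry.name]:
                print(line)
```

Run it as root, since privkey files and the archive directory are normally not readable by other users.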

First off, always test using --dry-run so you don’t hit the rate limits by accident. :wink:

3 Likes

? ? ?
We’re good old friends :slight_smile:

1 Like

ban·ter

(băn′tər)

n.

Good-humored, playful, or teasing conversation.

2 Likes