Cert renewed but browser still shows old

My domain is: kitese.duckdns.org

I ran this command: sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /home/pi/https/auth.sh --manual-cleanup-hook /home/pi/https/cleanup.sh

It produced this output:

My web server is (include version): Node/Express

The operating system my web server runs on is (include version): Raspberry Pi with Debian Stretch

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

I’m running a tiny Node / Express script that’s fetching privkey, cert and fullchain from /etc/letsencrypt/live/kitese.duckdns.org/ to display a web cam feed over https.
It’s been working great but now my cert needs to be renewed and after running the script above I got

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for kitese.duckdns.org

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/kitese.duckdns.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/kitese.duckdns.org/privkey.pem
Your cert will expire on 2020-02-23.

Those files are pointing to fullchain2.pem etc in /archive and it all looks correct to me:

pi@raspberrypi:/etc/letsencrypt/archive/kitese.duckdns.org $ ls -l
total 32
-rw-r--r-- 1 root root 1919 Sep 6 18:52 cert1.pem
-rw-r--r-- 1 root root 1919 Nov 25 17:38 cert2.pem
-rw-r--r-- 1 root root 1647 Sep 6 18:52 chain1.pem
-rw-r--r-- 1 root root 1647 Nov 25 17:38 chain2.pem
-rw-r--r-- 1 root root 3566 Sep 6 18:52 fullchain1.pem
-rw-r--r-- 1 root root 3566 Nov 25 17:38 fullchain2.pem
-rwxr-xr-x 1 root nodecert 1704 Sep 6 18:52 privkey1.pem
-rw-r--r-- 1 root root 1704 Nov 25 17:38 privkey2.pem

pi@raspberrypi:/etc/letsencrypt/live/kitese.duckdns.org $ ls -l
total 4
-rwxr-xr-x 1 root root 692 Sep 6 18:52 README
lrwxrwxrwx 1 root root 42 Nov 25 17:38 cert.pem -> ../../archive/kitese.duckdns.org/cert2.pem
lrwxrwxrwx 1 root root 43 Nov 25 17:38 chain.pem -> ../../archive/kitese.duckdns.org/chain2.pem
lrwxrwxrwx 1 root root 47 Nov 25 17:38 fullchain.pem -> ../../archive/kitese.duckdns.org/fullchain2.pem
lrwxrwxrwx 1 root root 45 Nov 25 17:38 privkey.pem -> ../../archive/kitese.duckdns.org/privkey2.pem

However, when checking the cert in Chrome or Safari, it still says that my cert is expiring on Dec 5th (old exp date). Cert checkers like https://www.sslshopper.com/ssl-checker.html#hostname=kitese.duckdns.org also show the old exp date.

I’ve restarted (and stop/started) the server script multiple times, still no difference.

Why is the old expiry date still showing up everywhere?

And also, how do I create a script for this to auto-renew when getting close to the expiry?


Hi @mtno

there are two checks of your domain - https://check-your-website.server-daten.de/?q=kitese.duckdns.org - your main domain and port 8080.

Port 8080 is checked, because it's used via Speedtest.

But: Your port 443 has the old certificate:

CN=kitese.duckdns.org | 06.09.2019 | 05.12.2019 | expires in 10 days | kitese.duckdns.org - 1 entry

Your port 8080 has the new:

CN=kitese.duckdns.org | 25.11.2019 | 23.02.2020 | expires in 90 days | kitese.duckdns.org - 1 entry

Your port 443 main domain check has a nginx and a "Bad Gateway".

Your port 8080 has the Express.

Looks like your nginx has the wrong certificate.

What does this command say?

nginx -T

Thanks @JuergenAuer, that's a great find! I forgot that I’m running nginx to handle 443. I just restarted that server and now Chrome is detecting the new cert!

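An added example, not part of the thread and not code from any of its participants: a Python check for the situation diagnosed above, where the files under /etc/letsencrypt/live were renewed but one listener (nginx on 443) kept serving the old certificate. It compares the SHA-256 fingerprint of the leaf in fullchain.pem with what each port presents; the function names are hypothetical, while the host, path and ports are the ones from the thread.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_der_from_pem(pem_text):
    """DER bytes of the first certificate in a bundle (the leaf in fullchain.pem)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM text")
    return ssl.PEM_cert_to_DER_cert(match.group(0))

def fetch_served_der(host, port, timeout=5.0):
    """DER bytes of the certificate a listener presents. Validation is off on
    purpose: the served cert is only fingerprinted, never trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def find_stale_listeners(disk_pem, host, ports, fetch=fetch_served_der):
    """Return [(port, reason)] for listeners not serving the on-disk leaf."""
    expected = hashlib.sha256(leaf_der_from_pem(disk_pem)).hexdigest()
    stale = []
    for port in ports:
        try:
            served = hashlib.sha256(fetch(host, port)).hexdigest()
        except OSError as exc:  # refused, timeout or TLS failure
            stale.append((port, "unreachable: %s" % exc))
            continue
        if served != expected:
            stale.append((port, "serves a different certificate than disk"))
    return stale

if __name__ == "__main__":
    host = "kitese.duckdns.org"  # host, path and ports as in the thread
    with open("/etc/letsencrypt/live/%s/fullchain.pem" % host) as fh:
        problems = find_stale_listeners(fh.read(), host, [443, 8080])
    for port, reason in problems:
        print("port %d: %s" % (port, reason))
    sys.exit(1 if problems else 0)
```

A non-zero exit after a renewal means some front end, such as a reverse proxy, still holds the previous certificate in memory and needs a reload.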