Cert renewing to expired date and storing expired pems when the renewal is successful on crt.sh

I renewed my cert today for staging server, but the pem files were generated to expired date but when I look up my site on crt.sh, it is properly renewed. Now the problem is that I can acquire the public key from the crt.sh but privkey and chain is still set to expired date. Any thoughts?

My domain is: https://staging.edu.buncee.com

I ran this command: certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/staging.edu.buncee.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/staging.edu.buncee.com/privkey.pem
    Your cert will expire on 2021-01-03. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

1 Like

Hello @timbuncee,

Second time we see this error today, you can take a look to @griffin solution here just in case it could solve your issue too.

Bassically you should run command:
certbot update_symlinks

And check again with command certbot certificates whether your cert is showing the right date.

If all is ok remember to restart or reload the services using the cert.

Cheers,
sahsanu

4 Likes

Thank you and you were correct, the new certs were in the archive folder under cert2.pem. I used the public cert to find and updated the live version and everything is working!

3 Likes

Great but did you used the update_symlinks parameter or recreated them manually?, I'm asking just to be sure you won't have the same problem next time you want to renew it.

1 Like

I actually discovered it before seeing your post so I did it manually but didn't have issue when I update it 3 months ago. I will check the documentation for update_symlinks and see if I also configured everything correctly on my end.

2 Likes