Certbot / Certificate renewal successful, but the site is invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://horange.ru:9998

I ran this command: certbot --apache -d horange.ru -d www.horange.ru

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/horange.ru.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Deploying certificate
Successfully deployed certificate for horange.ru to /etc/apache2/sites-enabled/000-default-le-ssl.conf
Successfully deployed certificate for www.horange.ru to /etc/apache2/sites-enabled/000-default-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://horange.ru and https://www.horange.ru

If you like Certbot, please consider supporting our work by:

• Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
• Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

My web server is (include version):

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.23.0

The problem is, I renew the certificate, but the site is still not available and says that the certificate has expired.

Try adding something like --deploy-hook "systemctl reload apache" to your command.

certbot --apache -d horange.ru -d www.horange.ru --deploy-hook "systemctl reload apache"

this did not solve the problem, and separately I already tried to restart apache2, this did not help either.

are there other files in this directory?

Check for SSLCertificateFile directives in both files (and more):

grep -ir SSLCertificateFile /etc/apache2/

/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/000-default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/horange.ru/fullchain.pem

It's how it's supposed to be. I can't see the problem.

Maybe try and stop Apache then start it again?

The clock on your server is on the right day, right?

Active: active (running) since Fri 2022-02-18 02:53:59 MSK; 9s ago

the certificate is still expired. if you follow the link.

I can see it. Run certbot certificates and let's see what certbot believes.

It looks good.

And yet Apache is sending an old certificate. I really don't understand this.

I returned the settings to default, but nevertheless, the certificate is expired.

certbot --apache -d horange.ru -d www.horange.ru --deploy-hook "systemctl reload apache"

hmm, I used the command to press 1
Now I pressed 2, I saw errors

.

image744×200 6.29 KB

UPD: added certbot --apache -d horange.ru -d www.horange.ru --deploy-hook "systemctl reload apache2"
number 2 in the command and the errors disappeared, however, the certificate is expired

Don't renew a certificate for no reason.

There's a pretty stringent rate limit on that: 5/week

horange.ru:443 shows this cert:

-----BEGIN CERTIFICATE-----
MIIFKzCCBBOgAwIBAgISBH2KOPLOz8pjGU16NmKOk+MTMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjAyMTcyMzA3NDlaFw0yMjA1MTgyMzA3NDhaMBUxEzARBgNVBAMT
CmhvcmFuZ2UucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0BZrB
5dkBq+NGECaQjWz/37uMtzfcT5jV9APIRRVfZc6Y0eE0Zu7sMB99z40yw641jbgH
7cc58Scr3bpiM/XkW3LSRhoaSyxYagMtTUTBStzDy1hbrk0Pcd86t2/ZAwL3FKoZ
0vrcV9ppONjHIyqOrYhN0NT9OUj0P7h8MlH4zCFTfemk5XtOHeaE7l0f9U4Jid+w
piwUF7rbjEaonK/b36jFTZMGHeYyAfU19JQ7AGwhDEXkjmi26h/V8puE2XeYx+z5
GS0OATnKNfY3D9aAZw9+zdb7cCq3G4gU2NZtgnUVlIv3U01e/d03nBCV59rM/ntu
L1HYiZjbYddddW+9AgMBAAGjggJWMIICUjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FChf2exxm36onsnn3bRWJWtyrR7YMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYf
r52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8u
bGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMCUG
A1UdEQQeMByCCmhvcmFuZ2UucnWCDnd3dy5ob3JhbmdlLnJ1MEwGA1UdIARFMEMw
CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j
cHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAQcjK
sd8iRkoQxqE6CUKHXk4xixsD6+tLx2jwkGKWBvYAAAF/CigE+wAABAMARzBFAiAG
YlK0MSg6RLmnIbEqnV+p9p67N7tQd5GF7vFFLs2T6gIhANroiOL6ffwLJNL6/kTB
FEaIJCLanHVXXqpOH2RREiwIAHcARqVV63X6kSAwtaKJafTzfREsQXS+/Um4havy
/HD+bUcAAAF/CigFFwAABAMASDBGAiEA4YREE35qVL9BJ2TLpPo/v4KbLhmK/XIU
U2Q09n43ZI0CIQCt8uibv2CknHHDmfpUHBlDc/EOBw0rjdUSsAjfa5PUcDANBgkq
hkiG9w0BAQsFAAOCAQEACQdzakbulaaZCXqBsF+x5sKQ558/j9InZ5kKz5WpItuu
bdGhjrwXxCmV+gYsrYBsWohT4QP5zel2VEWpomHWOhKkOOKi0+QZNNl1Cy1zs5tO
HPb+zRLy0S07fXTvA3gYaV+IVdBV+uxSptjAPww8J7gkuTPYqNscY/5iT2oAnFG/
XG1nvIv1vm8UdI9/79gELaVpFTDFJjvGo5ZWFmjTD8ulFKAJTfRu60myZbCgOnJb
Hy3F32xpX7y3rON9AQLk3tDNjVxQz7850tFAmnPji3/AslxQCfy6yIATU7Crj/o6
0Dmn/QVAfor6Q1mr/1IkpQ0QvA89ry9W2V4tz4+q6A==
-----END CERTIFICATE-----

horange.ru:9998 shows this cert:

-----BEGIN CERTIFICATE-----
MIIFGTCCBAGgAwIBAgISBGb41HDbkIzYeOnwbi7AzUG1MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEwMjIwOTM3MDRaFw0yMjAxMjAwOTM3MDNaMBUxEzARBgNVBAMT
CmhvcmFuZ2UucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCh79Ld
ktnwZzPSVkV9F+7bE3TIwJRlW+mKAD052UuRROor7ip/7MBjy2vth15OoaX6oU19
HFVUqbGH7Onxnuvr8tWwRGauwaiZGHHUv/pPfh2nAUT4RCbn6mbBDvTOdfT9HWv2
4vKEm/VmAWd4CPoeqhx5PLZzbeS713ShcAc2rC8wLibhmyL1sowP5syiSc2SmF1L
0VhbjnNRRZ2VRJOIa+9GUkfVv8e3Hie1FkZdI0Lw7jaV8j+7P3pm52aEDyELeeQu
J4jQlg5H1wi2UPUBKLCyoeHFJRkYRluRMk4IBn4ox00Y6+UJAc5lu5nj+E+QBF91
8hphtXAPYLnwfBc9AgMBAAGjggJEMIICQDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FPPtQqdjL6mMe97EBJH/6JOWReB1MB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYf
r52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8u
bGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMBUG
A1UdEQQOMAyCCmhvcmFuZ2UucnUwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYB
BAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5v
cmcwggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdQDfpV6raIJPH2yt7rhfTj5a6s2i
EqRqXo47EsAgRFwqcwAAAXynk1ypAAAEAwBGMEQCIFe9kZby8nDjFqgIPelzuw3+
ubicnRUTiV4zlOY8eWPfAiAqhOReqvCnq6Z5C0BxPnUovOTkqV7dZrNqMPv61mnF
8wB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABfKeTXI0AAAQD
AEcwRQIgfNzhBtd4N/HgPpanFpc1J3LmNaSdAgbGbGUGwTb4uv0CIQDJNNZIPEu5
RlQAgVAlfwpxa+wqYKoKtpQdL6w6IIfr4DANBgkqhkiG9w0BAQsFAAOCAQEAN6rb
WEOc+m0h7FZLBNUZJSCr18QTVSGFKRab0SBPfUs5nD2AA9nDFJp9az9u5gjQJeAk
talrIeVTF32VsKvP5k5uUXHhQnrHvFeRGCectcuwE65VV1lpwo7p38/raspR4M83
yvt82oZtISGec+FugnBZ01L8EwEV3Oj6tnhMJOVnTSeaQipxb2AF9y9L8/i6pKjY
uFqMhlrCWmqlkLYyYHIuFs+H374KcKK2d3uuOZLLzrPMvxJ5YOHySw2wbQeZCnqN
PyN15dDesF6IwopoUGDLXJRNzw1whlZv2jIgeO3aDAM70NbZafXE2GGDuprV0p3K
DMIehjJa33QMdpHaoQ==
-----END CERTIFICATE-----

Which one is correct?
What service is running on the other port?

The first matched mine, the second was nowhere to be found.
I don't understand the second question.

By asking a question about the service, you prompted me to answer and solve the problem.
Thanks

UPD:
The solution was to issue a certificate specifically to the page I needed.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.