Certbot renew does not detect the expiration of some certificates


My domain is: natom.com.ar (it's an example from today; I have been running certbot renew once a day but it has not renewed that cert. I have a dedicated server, so it is something that happens with various certificates)

I ran this command: certbot renew

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ferozo 3

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11


Hello there. How are you? Something strange is happening with my certificates. When I run certbot renew some, but not all expired certificates are renewed. Then I renew them and certbot tells me that the certificate has not expired, but it has expired (I attach screenshot). The fact is that the certificate is expired. What could it be due to? Because it happens to me every day with one or two certificates.

Thank you for your answer

It sounds like certbot doesn't know that it's supposed to restart whatever service is using the certificate(s) in question.


hi danb35, thanks for your reply. What should I do to let certbot know?


@curchunflo Your site is serving a fresh certificate that was created Oct 20:

See: https://decoder.link/sslchecker/natom.com.ar/443

I am not familiar with the screen shot you show. I cannot explain that. I only know your server is sending a good cert.


Hi MikeMcQ, yes, now it is running a good cert, I did it manually. The problem is that certbot renew doesn't work with some certificates, it just doesn't 'see' that the cert has expired. The screenshot is from before renewing the cert manually.


@curchunflo Can you upload /var/log/letsencrypt/letsencrypt.log for a renewal that has some failures? The logs in that folder roll over so choose one that shows the failure.


It does not give an error. Certbot just doesn't detect the certificate as expired, so it doesn't try to renew it.
It's strange, in the log it says that it expires in 2022 ...
cat /var/log/letsencrypt/letsencrypt.log | grep natom.com.ar
2021-10-20 14:04:50,275:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/natom.com.ar.conf
2021-10-20 14:04:50,327:DEBUG:certbot.ocsp:Consulting OCSP for /etc/letsencrypt/archive/natom.com.ar/cert3.pem
2021-10-20 14:04:50,328:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/natom.com.ar/chain3.pem -cert /etc/letsencrypt/archive/natom.com.ar/cert3.pem -CAfile /etc/letsencrypt/archive/natom.com.ar/chain3.pem -verify_other /etc/letsencrypt/archive/natom.com.ar/chain3.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org
/etc/letsencrypt/live/natom.com.ar/fullchain.pem expires 2022-01-18 (omitted)

The one you manually created today does expire on Jan 18 2022. Can you look at a log from this morning or yesterday, for when you think it should have detected expiration but did not? You should have a series of log files in the /var/log/letsencrypt folder.


If certbot doesn't try to renew a cert, that's because certbot already has a newly fresh renewed certificate available.

However, even when certbot has a perfectly new fine certificate available, that doesn't mean your webserver knows that.

So the issue here is not with certbot, but with the webserver not being reloaded to load the newly renewed certificate.

If you look at your certificate history at crt.sh | natom.com.ar you can see that on 2021-09-12 you renewed your certificate, 30 days before the previous certificate expired. That's in line with perfect certbot behaviour. It was valid until 2021-12-11. Now you've issued a duplicate certificate valid until 2022-01-18, which was not necessary at all.

Please understand that certbot and your webserver are two different things entirely and depending on how you've set certbot up, you need to manually reload your webserver to make it "see" the renewed certificate. Preferably this would have been done by using a webserver plugin in certbot itself or with aid of a --deploy-hook. But in the absence of those, you need to do it manually. And that's not an issue with certbot itself, but how you've set certbot up.

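The mismatch Osiris describes (certbot has a fresh cert on disk, the webserver still serves the old one) is easy to confirm by comparing fingerprints. The script below is an added example, not code from the thread or from certbot; it uses only the Python standard library and assumes certbot's default layout of /etc/letsencrypt/live/<domain>/cert.pem.

```python
"""Compare the leaf certificate certbot keeps on disk with the one a webserver
actually presents.  Added example (not from the thread or the certbot project).
Assumes certbot's default path /etc/letsencrypt/live/<domain>/cert.pem."""
import hashlib
import ssl
import sys
from pathlib import Path


def pem_sha256(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate as colon-separated hex,
    the same form `openssl x509 -fingerprint -sha256` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(disk_pem: str, served_pem: str) -> bool:
    """True only when the served leaf is byte-for-byte the cert on disk."""
    return pem_sha256(disk_pem) == pem_sha256(served_pem)


def served_cert(domain: str, port: int = 443) -> str:
    """Fetch the leaf certificate the webserver presents for `domain` (SNI)."""
    return ssl.get_server_certificate((domain, port))


def live_cert(domain: str, config_dir: str = "/etc/letsencrypt") -> str:
    """Read the current leaf cert from certbot's live/ symlink directory."""
    return Path(config_dir, "live", domain, "cert.pem").read_text()


def check(domain: str) -> bool:
    """Report whether the webserver has picked up certbot's latest cert."""
    on_disk = live_cert(domain)
    served = served_cert(domain)
    ok = fingerprints_match(on_disk, served)
    if ok:
        print(f"{domain}: webserver serves the cert certbot has on disk")
    else:
        print(f"{domain}: MISMATCH")
        print(f"  on disk: {pem_sha256(on_disk)}")
        print(f"  served:  {pem_sha256(served)}")
        print("  certbot renewed, but the webserver was never reloaded;")
        print("  fix: reload it, e.g. via --deploy-hook 'systemctl reload httpd'")
    return ok


if __name__ == "__main__":
    sys.exit(0 if check(sys.argv[1]) else 1)
```

Run it as `python3 certcheck.py natom.com.ar` on the server after `certbot renew`; a non-zero exit means the served cert is stale, which is exactly the state the screenshot in this thread shows.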

As mentioned by @Osiris, the problem is the other way around:
certbot renews on time, but the web server doesn't switch to the newly issued cert.


Thank you very much! Now I know what's wrong, regards!

