Certbot reports renewal OK but Browser reports old cert still in use


#1

After certbot renewal the inode-symlinks in the …/live/server directory are date-stamped correctly but they still point to the earlier expired certs in the …/archive/server directory. I have run the renewal a further two times and they still point to the old files. There are new certificates in the archive directory so they are being produced but the symlinks are not being updated for some reason.

Any suggestions please.


#2

What’s your domain name?

What’s the output of “sudo certbot certificates” and “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”?

Don’t issue too many extra certificates – there are rate limits.


#3

Domain name: wikispooks.com


#4

-sh-4.2$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/wikispooks.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/wikispooks.com-0001/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: wikispooks.com
Domains: wikispooks.com
Expiry Date: 2018-11-15 14:26:01+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/wikispooks.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wikispooks.com/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/wikispooks.com-0001.conf

I have temporarily pointed the server at the latest cert files in the archive directory to fix the problem for site users


#5

Hi @sabretache

I see a valid certificate, created today.

Looks like a caching problem.


#6

-sh-4.2$ sudo ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 16
drwx------ 4 root root 4096 May 27 15:33 .
drwxr-xr-x 9 root root 4096 Nov 17 22:19 ..
drwxr-xr-x 2 root root 4096 Nov 9 11:34 wikispooks.com
drwxr-xr-x 2 root root 4096 Aug 17 16:24 wikispooks.com-0001

/etc/letsencrypt/archive/wikispooks.com:
total 56
drwxr-xr-x 2 root root 4096 Nov 9 11:34 .
drwx------ 4 root root 4096 May 27 15:33 ..
-rw-r--r-- 1 root root 1822 Mar 1 2018 cert1.pem
-rw-r--r-- 1 root root 2183 Jun 1 20:04 cert2.pem
-rw-r--r-- 1 root root 1907 Nov 17 20:35 cert3.pem
-rw-r--r-- 1 root root 1647 Mar 1 2018 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 1 20:04 chain2.pem
-rw-r--r-- 1 root root 1647 Nov 17 20:35 chain3.pem
-rw-r--r-- 1 root root 3469 Mar 1 2018 fullchain1.pem
-rw-r--r-- 1 root root 3830 Jun 1 20:04 fullchain2.pem
-rw-r--r-- 1 root root 3554 Nov 17 20:35 fullchain3.pem
-rw-r--r-- 1 root root 1704 Mar 1 2018 privkey1.pem
-rw-r--r-- 1 root root 1708 Jun 1 20:04 privkey2.pem
-rw-r--r-- 1 root root 1704 Nov 17 20:35 privkey3.pem

/etc/letsencrypt/archive/wikispooks.com-0001:
total 40
drwxr-xr-x 2 root root 4096 Aug 17 16:24 .
drwx------ 4 root root 4096 May 27 15:33 ..
-rw-r--r-- 1 root root 2151 May 27 15:33 cert1.pem
-rw-r--r-- 1 root root 2151 Aug 17 16:24 cert2.pem
-rw-r--r-- 1 root root 1647 May 27 15:33 chain1.pem
-rw-r--r-- 1 root root 1647 Aug 17 16:24 chain2.pem
-rw-r--r-- 1 root root 3798 May 27 15:33 fullchain1.pem
-rw-r--r-- 1 root root 3798 Aug 17 16:24 fullchain2.pem
-rw-r--r-- 1 root root 1704 May 27 15:33 privkey1.pem
-rw-r--r-- 1 root root 1704 Aug 17 16:24 privkey2.pem

/etc/letsencrypt/live:
total 16
drwx------ 4 root root 4096 Aug 17 16:28 .
drwxr-xr-x 9 root root 4096 Nov 17 22:19 ..
drwxr-xr-x 2 root root 4096 Nov 17 20:35 wikispooks.com
drwxr-xr-x 2 root root 4096 Jun 1 20:04 wikispooks.com.last

/etc/letsencrypt/live/wikispooks.com:
total 12
drwxr-xr-x 2 root root 4096 Nov 17 20:35 .
drwx------ 4 root root 4096 Aug 17 16:28 ..
lrwxrwxrwx 1 root root 43 Nov 17 20:35 cert.pem -> ../../archive/wikispooks.com-0001/cert2.pem
lrwxrwxrwx 1 root root 44 Nov 17 20:35 chain.pem -> ../../archive/wikispooks.com-0001/chain2.pem
lrwxrwxrwx 1 root root 48 Nov 17 20:35 fullchain.pem -> ../../archive/wikispooks.com-0001/fullchain2.pem
lrwxrwxrwx 1 root root 46 Nov 17 20:35 privkey.pem -> ../../archive/wikispooks.com-0001/privkey2.pem
-rw-r--r-- 1 root root 682 May 27 15:33 README

/etc/letsencrypt/live/wikispooks.com.last:
total 12
drwxr-xr-x 2 root root 4096 Jun 1 20:04 .
drwx------ 4 root root 4096 Aug 17 16:28 ..
lrwxrwxrwx 1 root root 38 Jun 1 20:04 cert.pem -> ../../archive/wikispooks.com/cert2.pem
lrwxrwxrwx 1 root root 39 Jun 1 20:04 chain.pem -> ../../archive/wikispooks.com/chain2.pem
lrwxrwxrwx 1 root root 43 Jun 1 20:04 fullchain.pem -> ../../archive/wikispooks.com/fullchain2.pem
lrwxrwxrwx 1 root root 41 Jun 1 20:04 privkey.pem -> ../../archive/wikispooks.com/privkey2.pem
-rw-r--r-- 1 root root 543 Mar 1 2018 README

/etc/letsencrypt/renewal:
total 16
drwxr-xr-x 2 root root 4096 Nov 17 20:35 .
drwxr-xr-x 9 root root 4096 Nov 17 22:19 ..
-rw-r--r-- 1 root root 554 Aug 17 16:24 wikispooks.com-0001.conf
-rw-r--r-- 1 root root 529 Nov 17 20:35 wikispooks.com.conf
-sh-4.2$


#7

Thanks. But that’s because I have pointed the server at the new valid cert in the archive directory rather than the new symlink file in the live directory which still points to the expired certs - as a temporary fix


#8

So I guess you renamed the directory /etc/letsencrypt/live/wikispooks.com-0001 to /etc/letsencrypt/live/wikispooks.com? But the symbolic links are still pointing to the previous location of the corresponding archive directory. That will confuse certbot. Generally it’s best not to manually modify those directories at all, but if you must, be sure to update the symlinks as well. Specifically you need to recreate the symlinks in /etc/letsencrypt/live/wikispooks.com/ so that they point to the latest certificate files in /etc/letsencrypt/archive/wikispooks.com/.

(See also this recent thread about the same problem)


#9

I haven’t modified the file names or directories. I have just modified the apache config file to point to the latest (unexpired) certs in /etc/letsencrypt/archive/ . I would appreciate a pointer as to how to get certbot to work properly again because, sure as night follows day, in 3 months I will have forgotten much of this and will have to go through it all again.

PS I do not claim serious sysop expertise. I just muddle through to try to keep the server working OK :slight_smile:


#10

Isn’t it possible that you renamed the directory 3 months ago and subsequently forgot? :wink:

Anyway, regardless of how they got that way, the symlinks are broken now so you’ll still need to fix them. Once they’re fixed, certbot should once again be able to renew as normal, and then next time you should not need to do anything at all.

To fix the symlinks you can try this (adapted from the other thread):

cd /etc/letsencrypt/live/wikispooks.com
rm *.pem
ln -s ../../archive/wikispooks.com/cert3.pem cert.pem
ln -s ../../archive/wikispooks.com/chain3.pem chain.pem
ln -s ../../archive/wikispooks.com/fullchain3.pem fullchain.pem
ln -s ../../archive/wikispooks.com/privkey3.pem privkey.pem

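The relinking procedure in #10 hard-codes the version number (cert3.pem etc.), which is exactly the kind of detail that is forgotten three months later. Below is an added example, not part of the thread and not certbot's own tooling, that does the same job generically: it finds the highest numbered set in archive/<lineage>/, recreates the four live/ symlinks in the relative form certbot uses, and verifies every link resolves to a regular file before reporting success. The tree it builds for the demo (lineage name example.test, placeholder .pem contents, a live/ directory still pointing at version 2) is constructed here to mimic the layout in #6; nothing in it is real key material.

```shell
#!/bin/sh
# Added example (not from the forum thread): rebuild certbot-style symlinks in
# live/<lineage>/ so they point at the newest numbered files in archive/<lineage>/.
set -eu

# Print the highest N for which archive/<lineage>/certN.pem exists; fail if none.
latest_version() {
    root=$1; lineage=$2
    best=0
    for f in "$root/archive/$lineage"/cert[0-9]*.pem; do
        [ -e "$f" ] || continue            # unmatched glob stays literal; skip it
        n=${f##*/cert}; n=${n%.pem}
        [ "$n" -gt "$best" ] && best=$n
    done
    [ "$best" -gt 0 ] || return 1
    echo "$best"
}

# Recreate live/<lineage>/{cert,chain,fullchain,privkey}.pem as relative links
# (../../archive/<lineage>/<name>N.pem). Refuses to act unless all four files of
# the newest version exist, so a half-written archive never becomes "live".
# Prints the version it linked to.
relink_live() {
    root=$1; lineage=$2
    n=$(latest_version "$root" "$lineage") || return 1
    for name in cert chain fullchain privkey; do
        [ -f "$root/archive/$lineage/${name}${n}.pem" ] || return 1
    done
    mkdir -p "$root/live/$lineage"
    for name in cert chain fullchain privkey; do
        ln -sfn "../../archive/$lineage/${name}${n}.pem" "$root/live/$lineage/${name}.pem"
    done
    # Post-condition: each entry is a symlink AND resolves to a regular file.
    # This is the property "certbot certificates" complained about in #4.
    for name in cert chain fullchain privkey; do
        [ -L "$root/live/$lineage/${name}.pem" ] || return 1
        [ -f "$root/live/$lineage/${name}.pem" ] || return 1
    done
    echo "$n"
}

# Constructed demo fixture mimicking #6: archive versions 1..3, live still
# linked to version 2. Contents are placeholders, not certificates or keys.
make_fixture() {
    root=$(mktemp -d)
    lineage=example.test
    mkdir -p "$root/archive/$lineage" "$root/live/$lineage"
    for n in 1 2 3; do
        for name in cert chain fullchain privkey; do
            printf 'constructed placeholder: %s version %s\n' "$name" "$n" \
                > "$root/archive/$lineage/${name}${n}.pem"
        done
    done
    for name in cert chain fullchain privkey; do
        ln -s "../../archive/$lineage/${name}2.pem" "$root/live/$lineage/${name}.pem"
    done
    echo "$root"
}

# Stand-alone demo: show the stale link, relink, show the result, clean up.
demo() {
    root=$(make_fixture)
    echo "before: $(readlink "$root/live/example.test/cert.pem")"
    v=$(relink_live "$root" example.test)
    echo "relinked to version $v"
    echo "after:  $(readlink "$root/live/example.test/cert.pem")"
    rm -rf "$root"
}
demo
```

On the real host this would be run as root as `relink_live /etc/letsencrypt wikispooks.com`, after which `certbot certificates` should list the lineage with a current expiry date, and Apache can be pointed back at the live/ paths (and reloaded) instead of the archive/ files used as the stop-gap in #4. Note that the separate "-0001" renewal configuration from #4 refers to a live directory that does not exist in the listing in #6; this script does not touch renewal/*.conf, so that entry still needs to be dealt with (or removed) separately, and as #2 says, avoid re-issuing certificates while testing because of rate limits.
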
#11

Yes JM, that is possible. I think I have enough info to fix things properly now but do not have time to try right now. I’ll post again when I have done so, either successfully or to seek more help.
Thanks to all who have chipped in.


#12

Yes that worked fine.
Thanks once again for your prompt professional help