Certbot says cert is not ready for renewal Site says it's expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:unifi.portcitydata.com

I ran this command: sudo certbot renew

It produced this output:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/portcitydata.com/fullchain.pem expires on 2020-09-01 (skipped)
/etc/letsencrypt/live/unifi.portcitydata.com/fullchain.pem expires on 2020-09-01 (skipped)
No renewals were attempted.

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27.0

1 Like

Hi,

Can you try to execute the below command?
sudo systemctl restart nginx

I think you used certonly when issuing the certificate, which means your certificate renewal and since certbot didn’t know what server you used on, it didn’t apply the certificate to nginx. A simple reload would fix this issue.

P.S. For future reference, try certbot renew -a nginx (which should specify the authenticator to nginx web server.)

I had actually restarted the whole server before making this post. That would have restarted nginx.

Could we also see the output of sudo certbot certificates?

1 Like

Found the following certs:
Certificate Name: portcitydata.com
Domains: portcitydata.com
Expiry Date: 2020-09-01 11:15:50+00:00 (VALID: 54 days)
Certificate Path: /etc/letsencrypt/live/portcitydata.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/portcitydata.com/privkey.pem
Certificate Name: unifi.portcitydata.com
Domains: unifi.portcitydata.com
Expiry Date: 2020-09-01 11:15:58+00:00 (VALID: 54 days)
Certificate Path: /etc/letsencrypt/live/unifi.portcitydata.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/unifi.portcitydata.com/privkey.pem

1 Like

I figured it out. I had a cron job set to run a script that imported the updated cert shortly after cerbot renew runs but it was not running for some reason. I manually ran it and all is well. I just have to work out why the cron job was not running now.
Thanks for the help!!!

2 Likes

Great! You might want to look at Certbot’s --deploy-hook option, which will let Certbot initiate a task to deploy a new certificate immediately after it’s saved (assuming your security model makes that appropriate).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.