Certbot says "congratulations" but cert expiration is not updating

See log below – today is Sept 2nd, and I’m using docker certbot to renew my cert. Certbot reports success / congratulations – your cert has been renewed and is now expiring Sept 8th. !!!

I clearly need my cert to last longer than 6 days. What’s going on?!

My domain is: scalableinnovations.org

I ran this command:

whoami
date

docker run --rm --name certbot \
   -v "/root/letsencrypt/etc:/etc/letsencrypt" \
   -v "/root/letsencrypt/var:/var/lib/letsencrypt" \
   -v "$WEBROOT:/webroot/" certbot/certbot certonly \
   --non-interactive --webroot -w /webroot/ \
   -d scalableinnovations.org --cert-name scalableinnovations.org

It produced this output:

root
Wed Sep  2 16:22:07 UTC 2020

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for scalableinnovations.org
Using the webroot path /webroot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/scalableinnovations.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/scalableinnovations.org/privkey.pem
   Your cert will expire on 2020-09-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
...snip

I checked to ensure the files are being newly written:

> ls -la /root/letsencrypt/etc/live/scalableinnovations.org/cert.pem
lrwxrwxrwx 1 root root   52 Sep  2 16:22 cert.pem -> ../../archive/scalableinnovations.org-0001/cert1.pem

Yes, the symlink itself is updated… but what about the file it points to:

> ls -la /root/letsencrypt/etc/archive/scalableinnovations.org-0001/cert1.pem
-rw-r--r-- 1 root root 1931 Jun 10 02:00 /root/letsencrypt/etc/archive/scalableinnovations.org-0001/cert1.pem

Aha, that’s old… but… why?

I was going to try and blow away my letsencrypt directory and just start fresh, but I’ve hit a rate limit. :neutral_face:

The operating system my web server runs on is (include version):

Ubuntu 18.04

That’s not good: your symbolic link for the certificate name scalableinnovations.org (which is equal to the directory name) links to the files for the certificate name scalableinnovations.org-0001! Notice the difference?

This is not something certbot would do, unless there is a grave bug (which I most certainly doubt very much). It looks like someone manually updated the symbolic link.

Also, the command you ran is not for renewing a certificate, but for getting a new certificate. Renewing is done by simply running certbot renew (with all those docker thingies too of course…)