Certbot says "congratulations" but cert expiration is not updating

See log below – today is Sept 2nd, and I’m using docker certbot to renew my cert. Certbot reports success / congratulations – your cert has been renewed and is now expiring Sept 8th. !!!

I clearly need my cert to last longer than 6 days. What’s going on?!

My domain is: scalableinnovations.org

I ran this command:


docker run --rm --name certbot \
   -v "/root/letsencrypt/etc:/etc/letsencrypt" \
   -v "/root/letsencrypt/var:/var/lib/letsencrypt" \
   -v "$WEBROOT:/webroot/" certbot/certbot certonly \
   --non-interactive --webroot -w /webroot/ \
   -d scalableinnovations.org --cert-name scalableinnovations.org

It produced this output:

Wed Sep  2 16:22:07 UTC 2020

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for scalableinnovations.org
Using the webroot path /webroot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2020-09-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

I checked to ensure the files are being newly written:

> ls -la /root/letsencrypt/etc/live/scalableinnovations.org/cert.pem
lrwxrwxrwx 1 root root   52 Sep  2 16:22 cert.pem -> ../../archive/scalableinnovations.org-0001/cert1.pem

Yes, the symlink itself is updated… but what about the file it points to:

> ls -la /root/letsencrypt/etc/archive/scalableinnovations.org-0001/cert1.pem
-rw-r--r-- 1 root root 1931 Jun 10 02:00 /root/letsencrypt/etc/archive/scalableinnovations.org-0001/cert1.pem

Aha, that’s old… but… why?

I was going to try and blow away my letsencrypt directory and just start fresh, but I’ve hit a rate limit. :neutral_face:

The operating system my web server runs on is (include version):

Ubuntu 18.04

That’s not good: your symbolic link for the certificate name scalableinnovations.org (which is equal to the directory name) links to the files for the certificate name scalableinnovations.org-0001! Notice the difference?

This is not something certbot would do, unless there is a grave bug (which I most certainly doubt very much). It looks like someone manually updated the symbolic link.

Also, the command you ran is not for renewing a certificate, but for getting a new certificate. Renewing is done by simply running certbot renew (with all those docker thingies too of course…)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.