Certbot says it's updated but what is being served is not updated

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

worldalive.tours

I ran this command:
sudo ./certbot-auto renew --debug

It produced this output:

new certificate deployed without reload, fullchain is

/etc/letsencrypt/live/worldalive.tours/fullchain.pem



Processing /etc/letsencrypt/renewal/www.worldalive.tours.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator nginx, Installer None

Renewing an existing certificate


new certificate deployed without reload, fullchain is

/etc/letsencrypt/live/www.worldalive.tours/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:

/etc/letsencrypt/live/worldalive.tours/fullchain.pem (success)

/etc/letsencrypt/live/www.worldalive.tours/fullchain.pem (success)

[ec2-user@--] sudo service nginx restart
Stopping nginx: [ OK ]
Starting nginx: [ OK ]
[ec2-user@--] ./certbot-auto certificates
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: worldalive.tours
Domains: worldalive.tours www.worldalive.tours
Expiry Date: 2019-09-16 18:47:26+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/worldalive.tours/fullchain.pem
Private Key Path: /etc/letsencrypt/live/worldalive.tours/privkey.pem
Certificate Name: www.worldalive.tours
Domains: www.worldalive.tours
Expiry Date: 2019-09-16 18:47:29+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.worldalive.tours/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.worldalive.tours/privkey.pem

My web server is (include version):

1.14.1

The operating system my web server runs on is (include version):

latest AWS AMI.

My hosting provider, if applicable, is:

AWS

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

0.35.1

Well, certbot says everything is all right, and my browser says everything is all right on the web page, so my guess is that it was just a cache issue.

Any idea how to update the cache? We have a staging environment and the browser says the cert has expired but still seems to be secure.

Err, it may depend on your browser, but on the ones I have used if you hit Ctrl F5 it reloads everything. If you have some security box between your browser and the internet things can be different.
I see that someone checked your site on


and it got a C, certainly not with outdated certificates.


Hi @pineapplejoe

Yep, I’ve checked the site. Grade C -> no certificate problem.

Some minor things, but the certificate has both domain names, so both connections are secure.

What’s your staging environment? Is it a different server? Does it have a different (sub)domain? Is it using different certificates?

It’s staging.worldalive.tours. It might be up restricted though.

The “./certbot-auto certificates” output in your first post didn’t show any worldalive.tours certificate, though. Is it installed on a different instance? Or was it issued with a different ACME client?

There is a certificate issued about a month ago, though:

https://crt.sh/?id=1514213625

Thanks! Still not able to see the right thing when I use Chrome.

BTW - what are the minor things?


This is the part that has worldalive.tours. Or are you referring to something else?

The staging environment is AWS. It's a separate instance from the main server. It should have its own certs.

If it is your first certificate, Grade B should be possible.

HSTS -> Grade A - but HSTS requires an always working certificate.

So you should only add the HSTS header if you have renewed your certificate one time. Check the output @gpatel-fr has shared.


I’m sorry, I meant to write that it didn’t show any staging.worldalive.tours certificate.

If the problem is with https://staging.worldalive.tours/, can you show us the “./certbot-auto certificates” output on that instance?

The problem is with both staging and the official site but it showed up first in staging.

Found the following certs:
Certificate Name: staging.worldalive.tours
Domains: staging.worldalive.tours
Expiry Date: 2019-08-19 17:05:20+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/staging.worldalive.tours/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.worldalive.tours/privkey.pem

But as noted above - it seems that it works fine for others and when I try Firefox it works. It's just Chrome. And Chrome works. The “lock” shows up and I click on it - the dialog says the connection is secure. It's just when I want to see the certificate that I see that it's expired. I even cleared the cache and it was still not showing the right thing.

Ok. As I typed this I removed Chrome and re-installed it - and now it's working. Even staging is working.
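
The question running through this thread is whether nginx is presenting the renewed certificate or a client is displaying an old one. The following is an added example, not code from any poster or from Certbot: it compares the SHA-256 fingerprint of the certificate the server presents with the leaf in Certbot's `fullchain.pem`. The function names are this example's own; the host and path in the comment are the ones quoted in the thread.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def disk_leaf_der(fullchain_path):
    """DER bytes of the first certificate in fullchain.pem (the leaf)."""
    with open(fullchain_path, encoding="ascii") as fh:
        match = PEM_BLOCK.search(fh.read())
    if match is None:
        raise ValueError("no PEM certificate in " + fullchain_path)
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def served_leaf_der(host, port=443, timeout=10):
    """DER bytes of the certificate the server presents for `host`.

    Validation is switched off on purpose: the certificate is only
    retrieved for comparison, so an expired one is still returned.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sends SNI, so nginx picks the same server block
        # (and certificate) that a browser asking for this name would get.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def diagnose(host, fullchain_path, fetch=served_leaf_der):
    """Return (verdict, served_sha256, disk_sha256).

    "match": the server presents the file on disk, so a stale certificate
    seen in one browser is a client-side matter (cache, proxy, inspection box).
    "mismatch": the server process still holds an older certificate, or its
    ssl_certificate directive points at a different file than Certbot renews.
    """
    served = hashlib.sha256(fetch(host)).hexdigest()
    on_disk = hashlib.sha256(disk_leaf_der(fullchain_path)).hexdigest()
    return ("match" if served == on_disk else "mismatch"), served, on_disk

# Run on the instance, with read access to /etc/letsencrypt/live:
# diagnose("staging.worldalive.tours",
#          "/etc/letsencrypt/live/staging.worldalive.tours/fullchain.pem")
```

The `fetch` parameter exists so the comparison can be exercised without a network connection; in normal use it is left at its default.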
