Certbot says renewal successful, but it no longer works

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: aviandirectory.uk, smtp.aviandirectory.uk

I ran this command:
certbot -v
certbot certonly --standalone
aviandirectory.uk, smtp.aviandirectory.uk
certbot renew --dry-run

It produced this output:
PS C:\Windows\system32> certbot certonly --standalone
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): aviandirectory.uk, smtp.aviandirectory.uk
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: C:\Certbot\renewal\smtp.aviandirectory.uk.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for aviandirectory.uk and smtp.aviandirectory.uk

Successfully received certificate.
Certificate is saved at: C:\Certbot\live\smtp.aviandirectory.uk\fullchain.pem
Key is saved at: C:\Certbot\live\smtp.aviandirectory.uk\privkey.pem
This certificate expires on 2025-10-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.


If you like Certbot, please consider supporting our work by:


PS C:\Windows\system32> certbot renew --dry-run
Saving debug log to C:\Certbot\log\letsencrypt.log


Processing C:\Certbot\renewal\aviandirectory.uk.conf


Simulating renewal of an existing certificate for aviandirectory.uk and www.aviandirectory.uk


Processing C:\Certbot\renewal\smtp.aviandirectory.uk.conf


Simulating renewal of an existing certificate for aviandirectory.uk and smtp.aviandirectory.uk


Congratulations, all simulated renewals succeeded:
C:\Certbot\live\aviandirectory.uk\fullchain.pem (success)
C:\Certbot\live\smtp.aviandirectory.uk\fullchain.pem (success)


PS C:\Windows\system32>

My web server is (include version):
Apache Server version: 10.4.32-MariaDB

The operating system my web server runs on is (include version):
Windows 10

My hosting provider, if applicable, is:
self hosted

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot version: 2.6.0

It was working fine before, updated the certificates with no issues before. Now it says it is updated/renewed but when I visit my site, it says the certificates are now out of date. I have not changed any settings. When viewing the certificates in the web browser, it seems to show the old certificate which has just expired.

Have you restarted your Apache server since you got new certificates?

You should know that the EFF dropped support for Certbot on Windows a year and a half ago. You should consider replacing it with an ACME Client designed for Windows like Certify the Web, posh-acme, or simple-acme. See: Certbot Discontinuing Windows Beta Support in 2024

I don't think Certbot is causing the problem but something to keep in mind.


Also, you have two Certbot configurations. Which one does your Apache use?

Please show output of:

certbot certificates

apachectl -t -D DUMP_VHOSTS


PS C:\Windows\system32> certbot certificates
Saving debug log to C:\Certbot\log\letsencrypt.log


Found the following certs:
Certificate Name: aviandirectory.uk
Serial Number: 58023b1f2717084b20f411d85034353eb3e
Key Type: ECDSA
Domains: aviandirectory.uk www.aviandirectory.uk
Expiry Date: 2025-07-08 09:09:37+00:00 (INVALID: EXPIRED)
Certificate Path: C:\Certbot\live\aviandirectory.uk\fullchain.pem
Private Key Path: C:\Certbot\live\aviandirectory.uk\privkey.pem
Certificate Name: smtp.aviandirectory.uk
Serial Number: 6b4d0bc3ab55e65e5eeefb1210817824971
Key Type: ECDSA
Domains: smtp.aviandirectory.uk aviandirectory.uk
Expiry Date: 2025-10-06 13:16:08+00:00 (VALID: 89 days)
Certificate Path: C:\Certbot\live\smtp.aviandirectory.uk\fullchain.pem
Private Key Path: C:\Certbot\live\smtp.aviandirectory.uk\privkey.pem


PS C:\Windows\system32> apachectl -t -D DUMP_VHOSTS
apachectl : The term 'apachectl' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1

+ apachectl -t -D DUMP_VHOSTS
    + CategoryInfo          : ObjectNotFound: (apachectl:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Windows\system32>

Oh, I forgot to mention, I always stop the servers when updating the certbot certs. I stop the Apache and MySQL servers; the mail server is stopped too. I restarted my system after the last update, it made no difference.

Okay, we see that you have one cert that has expired and one recently issued.

Your Apache must be referring to the cert that has expired.

Oddly, the certbot --dry-run for that worked

How do you normally renew this? Don't you have a scheduled task for that? Why do you request a new cert using --standalone instead of that?

Please show contents of this:

C:\Certbot\renewal\aviandirectory.uk.conf

And this should work on Windows (I hope)

httpd -t -D DUMP_VHOSTS
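The state described in this post (a fresh certificate on disk while the web server keeps serving the expired one) is quickest to confirm from the server itself, and the same check covers the later suggestion in the thread to test both aviandirectory.uk and www.aviandirectory.uk with an online SSL checker. The following PowerShell is an added example; it is not code from the thread, from Certbot or from Apache. It opens a TLS connection to each hostname with that name as SNI, deliberately accepts whatever certificate is presented (so an expired chain can still be inspected), and compares it with C:\Certbot\live\aviandirectory.uk\cert.pem. Assumptions not taken from the thread: the lineage directory name is aviandirectory.uk, port 443 is reachable from where the script runs, and the "DNS Name=" wording in the Subject Alternative Name output is what Windows PowerShell's X509 formatter produces.

```powershell
# Added example (not from the thread, Certbot or Apache).
# Compares the certificate a TLS server presents for each hostname (via SNI) with the
# certificate certbot wrote to disk, so "renewed on disk but not served" becomes visible.

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback returns $true so an expired or mismatched certificate is
        # still handed back for inspection. This is a diagnostic only; never do this in
        # code that relies on the connection being trustworthy.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)   # $HostName is also sent as the SNI value
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-DnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is Subject Alternative Name. ASSUMPTION: Windows PowerShell formats
    # each entry as "DNS Name=host"; adjust the pattern if your formatter differs.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

# ASSUMPTION: the web lineage is the one certbot named aviandirectory.uk, as in the thread.
$lineage = 'aviandirectory.uk'
$onDisk  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certbot\live\$lineage\cert.pem")

foreach ($name in 'aviandirectory.uk', 'www.aviandirectory.uk') {
    $served = Get-ServedCertificate -HostName $name
    [pscustomobject]@{
        Host        = $name
        ServedUntil = $served.NotAfter
        Expired     = ($served.NotAfter -lt (Get-Date))
        CoversName  = ((Get-DnsNames $served) -contains $name)
        MatchesDisk = ($served.Thumbprint -eq $onDisk.Thumbprint)
    }
}
```

Reading the result: Expired = True together with MatchesDisk = False is the situation in this post (the server is still loading a certificate file other than the one just issued, or was never restarted after issuance); MatchesDisk = True with CoversName = False for www.aviandirectory.uk is the situation that appears later in the thread, where a valid certificate is served but it was issued for the bare name only.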

here are the contents of aviandirectory.uk.conf

renew_before_expiry = 30 days

version = 2.6.0
archive_dir = C:\Certbot\archive\aviandirectory.uk
cert = C:\Certbot\live\aviandirectory.uk\cert.pem
privkey = C:\Certbot\live\aviandirectory.uk\privkey.pem
chain = C:\Certbot\live\aviandirectory.uk\chain.pem
fullchain = C:\Certbot\live\aviandirectory.uk\fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 654e7b7b6b0542c4b77ced6f5f35bac7
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Here are the contents of smtp.aviandirectory.uk.conf

renew_before_expiry = 30 days

version = 2.6.0
archive_dir = C:\Certbot\archive\smtp.aviandirectory.uk
cert = C:\Certbot\live\smtp.aviandirectory.uk\cert.pem
privkey = C:\Certbot\live\smtp.aviandirectory.uk\privkey.pem
chain = C:\Certbot\live\smtp.aviandirectory.uk\chain.pem
fullchain = C:\Certbot\live\smtp.aviandirectory.uk\fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 654e7b7b6b0542c4b77ced6f5f35bac7
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Thought I'd post both files for comparison. Strange why it no longer updates the other where it used to before.

I keep a small text file with instructions on how to update the certs, this is what I keep in that file...
disable web server.
install certbot
run powershell as admin
type the following...
certbot -v
certbot certonly --standalone
(if asked enter valid email and enter smtp.aviandirectory.uk, aviandirectory.uk)
certbot renew --dry-run
Start servers again

httpd -t -D DUMP_VHOSTS

doesn't work either on Windows, I just get a similar error

You would have to run --standalone twice since you have two certificate configurations

Instead, after all the steps including stopping Apache do this instead of certbot certonly --standalone

certbot renew 

I don't know why one of those wouldn't work.

What command do you use to stop and start Apache?


OK, to save a lot of time, I uninstalled Certbot and removed all the files including the install folder. I installed it again as a fresh install (I know it is no longer supported but it should still work). I registered using only aviandirectory.uk and left out the smtp.aviandirectory.uk to keep everything simple.
My mail server still sends and receives mail using the new certs, however the web server is having none of it.

If you view the certificates on my site from a browser, it now says they are valid for 3 months but they are still not valid lol, it makes no sense to me.

This is the new contents of the aviandirectory.uk.conf file

renew_before_expiry = 30 days

version = 2.6.0
archive_dir = C:\Certbot\archive\aviandirectory.uk
cert = C:\Certbot\live\aviandirectory.uk\cert.pem
privkey = C:\Certbot\live\aviandirectory.uk\privkey.pem
chain = C:\Certbot\live\aviandirectory.uk\chain.pem
fullchain = C:\Certbot\live\aviandirectory.uk\fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 38bfe4fc2bdc1c0dacdc6bf8c4b00867
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

when I look in the Live folder there is now only one folder called aviandirectory.uk with the usual contents. I have not changed any settings in my web server files, it is all the same as before.

That doesn't save time and breaks your Apache since (at least temporarily) its config refers to files that no longer exist.

Yes, and requests to aviandirectory.uk use a cert you just got. Requests to www.aviandirectory.uk do not though as you only got a cert for the registered name and not including www subdomain.

Try both names here: SSL Checker



This is the result of a test I ran on sslshopper

Yes, see my post just prior to yours. We cross-posted

You should have used

certbot certonly --standalone -d aviandirectory.uk -d www.aviandirectory.uk

I can try again, doesn't take long. Someone asked me before why I used --standalone, I told them I was following the instructions on Let's Encrypt when I installed certbot.

It's finally working, the following line you posted worked a charm.

certbot certonly --standalone -d aviandirectory.uk -d www.aviandirectory.uk

I should make a note of that when updating the certs in future. I am not that familiar with using certbot or certificates, I do try my best though, and I really appreciate all the help people like you offer. I know people like me can be tiresome, but know that you have just saved me a huge headache as well as my little website. Tips-Hat to you.
Thank you

If you're not familiar with certbot, and you're on a Windows server, you really should be using a different client. If you like the command-line, use simple-acme. If you like a GUI, use Certify the Web.


I found the command line for certbot pretty easy, only because I had it written down. I will change over software later when I get more free time, at the moment, I am seriously grateful that MikeMcQ got it working for me, it grants me a bit more time to look at other means.


Now that you have a cert you do this to renew it

certbot renew

That will renew all of your certs. Right now it is just the one but before you had two so this is good practice

You only use certbot certonly ... to get an initial cert

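Running the renewal the way this post recommends, with the stop/start of the listeners that the earlier "text file" procedure does by hand handled by Certbot's own --pre-hook and --post-hook options instead, as an added example; this is not code from the thread or from Certbot. Assumed, not taken from the thread: the Windows service names 'Apache2.4' and 'hMailServer', which are placeholders to replace with what Get-Service shows on the host. The hooks run only when at least one certificate is actually due, so on most days nothing is stopped, and Certbot hands the hook strings to the system shell (cmd.exe on Windows), which is why cmd syntax is used inside them.

```powershell
# Added example (not from the thread or from Certbot): renew every certbot lineage with
# the standalone authenticator, stopping the port-80 listener only while a renewal is
# actually attempted. Run from an elevated PowerShell, as in the thread.

# ASSUMPTION: placeholder service names; confirm with Get-Service and substitute.
$apacheService = 'Apache2.4'
$mailService   = 'hMailServer'

# --pre-hook / --post-hook are real certbot options. certbot passes the strings to the
# system shell, so this is cmd.exe syntax. A single "&" runs both commands regardless of
# the first one's exit code, so an already-stopped service does not skip the other.
$preHook  = "net stop `"$apacheService`" & net stop `"$mailService`""
$postHook = "net start `"$mailService`" & net start `"$apacheService`""

& certbot renew --pre-hook $preHook --post-hook $postHook
if ($LASTEXITCODE -ne 0) { throw "certbot renew exited with code $LASTEXITCODE" }

# Report what is on disk afterwards. certbot's default renew_before_expiry is 30 days
# (it is in the .conf files shown in the thread), so anything still expiring inside that
# window after a successful run is a lineage that did not actually renew.
$cutoff = (Get-Date).AddDays(30)
Get-ChildItem 'C:\Certbot\live' -Directory | ForEach-Object {
    $pem  = Join-Path $_.FullName 'cert.pem'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pem)
    [pscustomobject]@{
        Lineage      = $_.Name
        NotAfter     = $cert.NotAfter
        StillDueSoon = ($cert.NotAfter -lt $cutoff)
    }
}
```

Hooks given on the command line to certbot renew apply to that run only. To have the scheduled task that Certbot created behave the same way, pass the same --pre-hook and --post-hook when the certificate is first obtained with certbot certonly; Certbot then records them under [renewalparams] in the lineage's .conf and applies them on every automatic renewal.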

On my mail server I just pointed from the old certificates to the new ones in the new directories, it was a pretty quick changeover. Just meant restarting the mail server. The web server was already pointing to the live/aviandirectory.uk/ files in the httpd-vhosts.conf
I thought I was going to be at this for days, weeks even, but the support on here is "fast" and really good. I only noticed a couple of hours ago it had stopped working despite renewing the certs a week ago. Something clearly had changed, which I was not sure about.
