Certificate expiration date not changed after renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tcevisitantes.tce.es.gov.br

I ran this command: certbot certonly -d tcevisitantes.tce.es.gov.br --apache

It produced this output: After a few attempts, I can no longer issue it, but when it did, it generated a certificate with the old date, due on 01/18.

My web server is (include version):

The operating system my web server runs on is (include version): Debian GNU/Linux 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot --version

Hello @Gabiel, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is a list of issued certificates crt.sh | tcevisitantes.tce.es.gov.br, the latest being 2023-01-10.

I would suggest restarting Apache, as it seems you are not serving the newest certificate.
Also it seems that you are not presently serving a Let's Encrypt issued certificate, please see results here

https://www.ssllabs.com/ssltest/analyze.html?d=tcevisitantes.tce.es.gov.br&latest

2 Likes

Good afternoon @Bruce5051, I'll try to do what you suggested. But I have a limit to generate another certificate, is there any way to circumvent this?

```
root@tcesrvprpxy01:/home/# certbot certonly -d tcevisitantes.tce.es.gov.br --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: tcevisitantes.tce.es.gov.br, retry after 2023-01-13T03:04:37Z: see Duplicate Certificate Limit - Let's Encrypt
Please see the logfiles in /var/log/letsencrypt for more details.
```

No. Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are rolling.

1 Like

@Gabiel Your problem is not in getting the certificate. Your problem is your Apache server is not configured to use them.

You have gotten 19 certificates since the one you say expires Jan 18. See the crt.sh link Bruce showed. Please do not try getting any more certs until you fix your Apache config.

To see why Apache is not using the cert you want, show us the output of this:

```
apachectl -t -D DUMP_VHOSTS
```

and show us output of this:

```
certbot certificates
```

3 Likes

```
root@tcesrvprpxy01:/etc/letsencrypt/live# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 tcevisitantes.tce.es.gov.br (/etc/apache2/sites-enabled/tcevisitantes-le-ssl.conf:2)
*:80 tcevisitantes.tce.es.gov.br (/etc/apache2/sites-enabled/tcevisitantes.conf:1)

Certificate Name: tcevisitantes.tce.es.gov.br
Domains: tcevisitantes.tce.es.gov.br
Expiry Date: 2022-08-29 17:57:14+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/privkey.pem
```

This problem is happening only with tcevisitantes; our other certificates were renewed correctly, for example mpc.tce.es.gov.br.

Can you show us the contents of this conf file?

Please put 3 backticks before and after the contents like this

```
contents of conf file
```

3 Likes

Could you also please show the output of the following commands:

```
ls -l /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/
ls -l /etc/letsencrypt/archive/tcevisitantes.tce.es.gov.br/
```

(And also three backticks (```) above and below the outputs please.)

3 Likes

```
cat /etc/apache2/sites-enabled/tcevisitantes-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName tcevisitantes.tce.es.gov.br
        DocumentRoot /var/www/html/tcevisitantes

SSLCertificateFile /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

```
root@tcesrvprpxy01:/etc/letsencrypt/live# ls -l /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/
total 12
lrwxrwxrwx 1 root root   52 Jan 12 15:17 cert.pem -> ../../archive/tcevisitantes.tce.es.gov.br/cert22.pem
lrwxrwxrwx 1 root root   53 Jan 12 15:17 chain.pem -> ../../archive/tcevisitantes.tce.es.gov.br/chain22.pem
lrwxrwxrwx 1 root root   57 Jan 12 15:17 fullchain.pem -> ../../archive/tcevisitantes.tce.es.gov.br/fullchain22.pem
lrwxrwxrwx 1 root root   55 Jan 12 15:17 privkey.pem -> ../../archive/tcevisitantes.tce.es.gov.br/privkey22.pem
-rw-r--r-- 1 root root  692 Oct 20 14:25 README
-rw------- 1 root root 5717 Jan  5 13:53 tcevisitantes.tce.es.gov.br.pfx
root@tcesrvprpxy01:/etc/letsencrypt/live# ls -l /etc/letsencrypt/archive/tcevisitantes.tce.es.gov.br/
total 408
-rw-r--r-- 1 root root 1879 Mar 18  2021 cert10.pem
-rw-r--r-- 1 root root 1879 May 17  2021 cert11.pem
-rw-r--r-- 1 root root 1879 Jul 17  2021 cert12.pem
-rw-r--r-- 1 root root 1879 Jul 20  2021 cert13.pem
-rw-r--r-- 1 root root 1874 Jul 20  2021 cert14.pem
-rw-r--r-- 1 root root 1879 Sep 18  2021 cert15.pem
-rw-r--r-- 1 root root 1874 Sep 23  2021 cert16.pem
-rw-r--r-- 1 root root 1874 Nov 26  2021 cert17.pem
-rw-r--r-- 1 root root 1874 Jan 25  2022 cert18.pem
-rw-r--r-- 1 root root 1879 Mar 26  2022 cert19.pem
-rw-r--r-- 1 root root 1944 Nov 14  2019 cert1.pem
-rw-r--r-- 1 root root 1879 Mar 29  2022 cert20.pem
-rw-r--r-- 1 root root 1879 May 28  2022 cert21.pem
-rw-r--r-- 1 root root 1874 May 31  2022 cert22.pem
-rw-r--r-- 1 root root 1879 Jan 11 15:28 cert2.pem
-rw-r--r-- 1 root root 1944 Mar 14  2020 cert3.pem
-rw-r--r-- 1 root root 1944 May 13  2020 cert4.pem
-rw-r--r-- 1 root root 1944 Jul 12  2020 cert5.pem
-rw-r--r-- 1 root root 1944 Sep 11  2020 cert6.pem
-rw-r--r-- 1 root root 1948 Sep 18  2020 cert7.pem
-rw-r--r-- 1 root root 1939 Nov 17  2020 cert8.pem
-rw-r--r-- 1 root root 1874 Jan 17  2021 cert9.pem
-rw-r--r-- 1 root root 1586 Mar 18  2021 chain10.pem
-rw-r--r-- 1 root root 3750 May 17  2021 chain11.pem
-rw-r--r-- 1 root root 3750 Jul 17  2021 chain12.pem
-rw-r--r-- 1 root root 3750 Jul 20  2021 chain13.pem
-rw-r--r-- 1 root root 3750 Jul 20  2021 chain14.pem
-rw-r--r-- 1 root root 3750 Sep 18  2021 chain15.pem
-rw-r--r-- 1 root root 3750 Sep 23  2021 chain16.pem
-rw-r--r-- 1 root root 3750 Nov 26  2021 chain17.pem
-rw-r--r-- 1 root root 3750 Jan 25  2022 chain18.pem
-rw-r--r-- 1 root root 3750 Mar 26  2022 chain19.pem
-rw-r--r-- 1 root root 1647 Nov 14  2019 chain1.pem
-rw-r--r-- 1 root root 3750 Mar 29  2022 chain20.pem
-rw-r--r-- 1 root root 3750 May 28  2022 chain21.pem
-rw-r--r-- 1 root root 3750 May 31  2022 chain22.pem
-rw-r--r-- 1 root root 3750 Jun  9  2022 chain23.pem
-rw-r--r-- 1 root root 3750 Jan 11 15:28 chain2.pem
-rw-r--r-- 1 root root 1647 Mar 14  2020 chain3.pem
-rw-r--r-- 1 root root 1647 May 13  2020 chain4.pem
-rw-r--r-- 1 root root 1647 Jul 12  2020 chain5.pem
-rw-r--r-- 1 root root 1647 Sep 11  2020 chain6.pem
-rw-r--r-- 1 root root 1647 Sep 18  2020 chain7.pem
-rw-r--r-- 1 root root 1647 Nov 17  2020 chain8.pem
-rw-r--r-- 1 root root 1586 Jan 17  2021 chain9.pem
-rw-r--r-- 1 root root 3465 Mar 18  2021 fullchain10.pem
-rw-r--r-- 1 root root 5629 May 17  2021 fullchain11.pem
-rw-r--r-- 1 root root 5629 Jul 17  2021 fullchain12.pem
-rw-r--r-- 1 root root 5629 Jul 20  2021 fullchain13.pem
-rw-r--r-- 1 root root 5624 Jul 20  2021 fullchain14.pem
-rw-r--r-- 1 root root 5629 Sep 18  2021 fullchain15.pem
-rw-r--r-- 1 root root 5624 Sep 23  2021 fullchain16.pem
-rw-r--r-- 1 root root 5624 Nov 26  2021 fullchain17.pem
-rw-r--r-- 1 root root 5624 Jan 25  2022 fullchain18.pem
-rw-r--r-- 1 root root 5629 Mar 26  2022 fullchain19.pem
-rw-r--r-- 1 root root 3591 Nov 14  2019 fullchain1.pem
-rw-r--r-- 1 root root 5629 Mar 29  2022 fullchain20.pem
-rw-r--r-- 1 root root 5629 May 28  2022 fullchain21.pem
-rw-r--r-- 1 root root 5624 May 31  2022 fullchain22.pem
-rw-r--r-- 1 root root 5629 Jan 11 15:28 fullchain2.pem
-rw-r--r-- 1 root root 3591 Mar 14  2020 fullchain3.pem
-rw-r--r-- 1 root root 3591 May 13  2020 fullchain4.pem
-rw-r--r-- 1 root root 3591 Jul 12  2020 fullchain5.pem
-rw-r--r-- 1 root root 3591 Sep 11  2020 fullchain6.pem
-rw-r--r-- 1 root root 3595 Sep 18  2020 fullchain7.pem
root@tcesrvprpxy01:/etc/letsencrypt/live#
-rw-r--r-- 1 root root 3460 Jan 17  2021 fullchain9.pem
-rw-r--r-- 1 root root 1704 Mar 18  2021 privkey10.pem
-rw-r--r-- 1 root root 1708 May 17  2021 privkey11.pem
-rw-r--r-- 1 root root 1704 Jul 17  2021 privkey12.pem
-rw-r--r-- 1 root root 1704 Jul 20  2021 privkey13.pem
-rw-r--r-- 1 root root 1704 Jul 20  2021 privkey14.pem
-rw-r--r-- 1 root root 1708 Sep 18  2021 privkey15.pem
-rw-r--r-- 1 root root 1704 Sep 23  2021 privkey16.pem
-rw-r--r-- 1 root root 1704 Nov 26  2021 privkey17.pem
-rw-r--r-- 1 root root 1708 Jan 25  2022 privkey18.pem
-rw-r--r-- 1 root root 1704 Mar 26  2022 privkey19.pem
-rw-r--r-- 1 root root 1708 Nov 14  2019 privkey1.pem
-rw-r--r-- 1 root root 1704 Mar 29  2022 privkey20.pem
-rw-r--r-- 1 root root 1708 May 28  2022 privkey21.pem
-rw-r--r-- 1 root root 1704 May 31  2022 privkey22.pem
-rw-r--r-- 1 root root 1704 Jan 11 15:28 privkey2.pem
-rw-r--r-- 1 root root 1704 Mar 14  2020 privkey3.pem
-rw-r--r-- 1 root root 1708 May 13  2020 privkey4.pem
-rw-r--r-- 1 root root 1704 Jul 12  2020 privkey5.pem
-rw-r--r-- 1 root root 1704 Sep 11  2020 privkey6.pem
-rw-r--r-- 1 root root 1704 Sep 18  2020 privkey7.pem
-rw-r--r-- 1 root root 1708 Nov 17  2020 privkey8.pem
-rw-r--r-- 1 root root 1704 Jan 17  2021 privkey9.pem
```

Can you explain more about this server?

Because it does not look like that Apache config or those /etc/letsencrypt files are in use.

Requests to your domain name tcevisitantes returns information from a Windows IIS server (not Apache).

And, the most recent files in /etc/letsencrypt are ~~very old~~ unusual (see Osiris below). What machine are you using to get the current certs?

```
curl -i tcevisitantes.tce.es.gov.br
HTTP/1.1 200 OK
Server:
X-Powered-By:
X-ASPNET-VERSION:
X-ASPNETMVC-VERSION:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
```

3 Likes

There are your most recent certificates. For some reason, Certbot has written them to the incorrect number. I.e.: you'd expect Certbot to count from 22 to 23 and so on. But for some strange reason, it didn't.

Which Certbot version are you running? When asked for the version of your client in the questionnaire, you apparently just copy/pasted the example command you should have run to view the version.

4 Likes

Also, there have been many certs issued recently and they do not appear in /etc/letsencrypt at all. crt.sh shows 7 others for Jan and 12 in Dec.

3 Likes

I suspect, but wouldn't know why, that all those files were written to the same xxx2.pem file, overwriting the previous one.

4 Likes
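
An added example, not posted by anyone in this thread: a shell check for the condition discussed above, where the `live/` symlinks still point at `cert22.pem` while the most recently written archive file is `cert2.pem`. The names `check_lineage` and `make_demo_tree` and the `example.test` lineage are assumptions for illustration, and the demo tree is constructed sample data.

```shell
#!/bin/sh
# Added example: flag a Certbot lineage whose live/cert.pem symlink does not
# point at the most recently written certN.pem in archive/.
# Usage: check_lineage <config-dir> <lineage-name>
#   prints "OK <n>"                     and returns 0 when they agree
#   prints "STALE live=<n> newest=<m>"  and returns 1 when they differ
check_lineage() {
    local dir="$1" name="$2" target live_n newest newest_n f
    target=$(readlink "$dir/live/$name/cert.pem") || { echo "NOLINK"; return 2; }
    # "../../archive/<name>/cert22.pem" -> "22"
    live_n=${target##*/cert}; live_n=${live_n%.pem}
    # Pick the certN.pem with the newest modification time.
    newest=
    for f in "$dir/archive/$name"/cert*.pem; do
        [ -e "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest=$f; fi
    done
    [ -n "$newest" ] || { echo "EMPTY"; return 2; }
    newest_n=${newest##*/cert}; newest_n=${newest_n%.pem}
    if [ "$live_n" = "$newest_n" ]; then
        echo "OK $live_n"
    else
        echo "STALE live=$live_n newest=$newest_n"
        return 1
    fi
}

# Constructed sample tree mirroring the listing in this thread:
# live/ points at cert22.pem (May 2022), but cert2.pem was written in Jan 2023.
make_demo_tree() {
    local root name="example.test"
    root=$(mktemp -d) || return 1
    mkdir -p "$root/archive/$name" "$root/live/$name"
    : > "$root/archive/$name/cert21.pem"
    : > "$root/archive/$name/cert22.pem"
    : > "$root/archive/$name/cert2.pem"
    touch -t 202205281200 "$root/archive/$name/cert21.pem"
    touch -t 202205311200 "$root/archive/$name/cert22.pem"
    touch -t 202301111528 "$root/archive/$name/cert2.pem"
    ln -s "../../archive/$name/cert22.pem" "$root/live/$name/cert.pem"
    echo "$root"
}
```

On a real host the call would be `check_lineage /etc/letsencrypt <lineage-name>`; modification time is a heuristic, so a `STALE` result is a prompt to inspect the files, not proof of which certificate is valid.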

We're using the certbot 0.28.0

This is newer Certbot 2.2.0 Release

1 Like

0.28.0 is very old. Everything might be fixed by updating, which might require changing to the snap installation method of installing Certbot. See https://certbot.eff.org/ for the instructions generator for your OS/webserver combo.

3 Likes

That's a reasonable idea.

It looks to me like Windows IIS is the main server and proxies HTTP Challenges to Apache.

If IIS is the "main" server the best solution might be to migrate to an ACME Client like Certify The Web (link here) which has built-in integration with IIS.

What do you think?

3 Likes

I don't know anything about IIS, so I wouldn't dare make any recommendation using it. I can only recommend stuff to fix Certbot to be honest :stuck_out_tongue:

4 Likes

Fair enough. I don't know much either except you do some sort of import with pfx files. An ACME client like Certify The Web handles that integration automatically. Certbot does not and I have seen many people struggle with that on this forum.

There may be a good reason why they are doing it this way but it seems more complicated than it needs to be.

3 Likes