Certificate expiration date not changed after renewal

No. Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are rolling.

1 Like

@Gabiel Your problem is not in getting the certificate. Your problem is your Apache server is not configured to use them.

You have gotten 19 certificates since the one you say expires Jan 18. See the crt.sh link Bruce showed. Please do not try getting any more certs until you fix your Apache config.

To see why Apache is not using the cert you want, show us the output of this:

```
apachectl -t -D DUMP_VHOSTS
```

and show us output of this:

```
certbot certificates
```

3 Likes

```
root@tcesrvprpxy01:/etc/letsencrypt/live# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 tcevisitantes.tce.es.gov.br (/etc/apache2/sites-enabled/tcevisitantes-le-ssl.conf:2)
*:80 tcevisitantes.tce.es.gov.br (/etc/apache2/sites-enabled/tcevisitantes.conf:1)
```

```
Certificate Name: tcevisitantes.tce.es.gov.br
Domains: tcevisitantes.tce.es.gov.br
Expiry Date: 2022-08-29 17:57:14+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/privkey.pem
```

This problem is only happening with tcevisitantes; our other certificates were renewed correctly, for example mpc.tce.es.gov.br.

Can you show us the contents of this conf file?

Please put 3 backticks before and after the contents like this

```
contents of conf file
```

3 Likes

Could you also please show the output of the following commands:

```
ls -l /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/
ls -l /etc/letsencrypt/archive/tcevisitantes.tce.es.gov.br/
```

(And also three backticks (```) above and below the outputs please.)

3 Likes

```
cat /etc/apache2/sites-enabled/tcevisitantes-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName tcevisitantes.tce.es.gov.br
        DocumentRoot /var/www/html/tcevisitantes

SSLCertificateFile /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

```
root@tcesrvprpxy01:/etc/letsencrypt/live# ls -l /etc/letsencrypt/live/tcevisitantes.tce.es.gov.br/
total 12
lrwxrwxrwx 1 root root   52 Jan 12 15:17 cert.pem -> ../../archive/tcevisitantes.tce.es.gov.br/cert22.pem
lrwxrwxrwx 1 root root   53 Jan 12 15:17 chain.pem -> ../../archive/tcevisitantes.tce.es.gov.br/chain22.pem
lrwxrwxrwx 1 root root   57 Jan 12 15:17 fullchain.pem -> ../../archive/tcevisitantes.tce.es.gov.br/fullchain22.pem
lrwxrwxrwx 1 root root   55 Jan 12 15:17 privkey.pem -> ../../archive/tcevisitantes.tce.es.gov.br/privkey22.pem
-rw-r--r-- 1 root root  692 Oct 20 14:25 README
-rw------- 1 root root 5717 Jan  5 13:53 tcevisitantes.tce.es.gov.br.pfx
```

```
root@tcesrvprpxy01:/etc/letsencrypt/live# ls -l /etc/letsencrypt/archive/tcevisitantes.tce.es.gov.br/
total 408
-rw-r--r-- 1 root root 1879 Mar 18  2021 cert10.pem
-rw-r--r-- 1 root root 1879 May 17  2021 cert11.pem
-rw-r--r-- 1 root root 1879 Jul 17  2021 cert12.pem
-rw-r--r-- 1 root root 1879 Jul 20  2021 cert13.pem
-rw-r--r-- 1 root root 1874 Jul 20  2021 cert14.pem
-rw-r--r-- 1 root root 1879 Sep 18  2021 cert15.pem
-rw-r--r-- 1 root root 1874 Sep 23  2021 cert16.pem
-rw-r--r-- 1 root root 1874 Nov 26  2021 cert17.pem
-rw-r--r-- 1 root root 1874 Jan 25  2022 cert18.pem
-rw-r--r-- 1 root root 1879 Mar 26  2022 cert19.pem
-rw-r--r-- 1 root root 1944 Nov 14  2019 cert1.pem
-rw-r--r-- 1 root root 1879 Mar 29  2022 cert20.pem
-rw-r--r-- 1 root root 1879 May 28  2022 cert21.pem
-rw-r--r-- 1 root root 1874 May 31  2022 cert22.pem
-rw-r--r-- 1 root root 1879 Jan 11 15:28 cert2.pem
-rw-r--r-- 1 root root 1944 Mar 14  2020 cert3.pem
-rw-r--r-- 1 root root 1944 May 13  2020 cert4.pem
-rw-r--r-- 1 root root 1944 Jul 12  2020 cert5.pem
-rw-r--r-- 1 root root 1944 Sep 11  2020 cert6.pem
-rw-r--r-- 1 root root 1948 Sep 18  2020 cert7.pem
-rw-r--r-- 1 root root 1939 Nov 17  2020 cert8.pem
-rw-r--r-- 1 root root 1874 Jan 17  2021 cert9.pem
-rw-r--r-- 1 root root 1586 Mar 18  2021 chain10.pem
-rw-r--r-- 1 root root 3750 May 17  2021 chain11.pem
-rw-r--r-- 1 root root 3750 Jul 17  2021 chain12.pem
-rw-r--r-- 1 root root 3750 Jul 20  2021 chain13.pem
-rw-r--r-- 1 root root 3750 Jul 20  2021 chain14.pem
-rw-r--r-- 1 root root 3750 Sep 18  2021 chain15.pem
-rw-r--r-- 1 root root 3750 Sep 23  2021 chain16.pem
-rw-r--r-- 1 root root 3750 Nov 26  2021 chain17.pem
-rw-r--r-- 1 root root 3750 Jan 25  2022 chain18.pem
-rw-r--r-- 1 root root 3750 Mar 26  2022 chain19.pem
-rw-r--r-- 1 root root 1647 Nov 14  2019 chain1.pem
-rw-r--r-- 1 root root 3750 Mar 29  2022 chain20.pem
-rw-r--r-- 1 root root 3750 May 28  2022 chain21.pem
-rw-r--r-- 1 root root 3750 May 31  2022 chain22.pem
-rw-r--r-- 1 root root 3750 Jun  9  2022 chain23.pem
-rw-r--r-- 1 root root 3750 Jan 11 15:28 chain2.pem
-rw-r--r-- 1 root root 1647 Mar 14  2020 chain3.pem
-rw-r--r-- 1 root root 1647 May 13  2020 chain4.pem
-rw-r--r-- 1 root root 1647 Jul 12  2020 chain5.pem
-rw-r--r-- 1 root root 1647 Sep 11  2020 chain6.pem
-rw-r--r-- 1 root root 1647 Sep 18  2020 chain7.pem
-rw-r--r-- 1 root root 1647 Nov 17  2020 chain8.pem
-rw-r--r-- 1 root root 1586 Jan 17  2021 chain9.pem
-rw-r--r-- 1 root root 3465 Mar 18  2021 fullchain10.pem
-rw-r--r-- 1 root root 5629 May 17  2021 fullchain11.pem
-rw-r--r-- 1 root root 5629 Jul 17  2021 fullchain12.pem
-rw-r--r-- 1 root root 5629 Jul 20  2021 fullchain13.pem
-rw-r--r-- 1 root root 5624 Jul 20  2021 fullchain14.pem
-rw-r--r-- 1 root root 5629 Sep 18  2021 fullchain15.pem
-rw-r--r-- 1 root root 5624 Sep 23  2021 fullchain16.pem
-rw-r--r-- 1 root root 5624 Nov 26  2021 fullchain17.pem
-rw-r--r-- 1 root root 5624 Jan 25  2022 fullchain18.pem
-rw-r--r-- 1 root root 5629 Mar 26  2022 fullchain19.pem
-rw-r--r-- 1 root root 3591 Nov 14  2019 fullchain1.pem
-rw-r--r-- 1 root root 5629 Mar 29  2022 fullchain20.pem
-rw-r--r-- 1 root root 5629 May 28  2022 fullchain21.pem
-rw-r--r-- 1 root root 5624 May 31  2022 fullchain22.pem
-rw-r--r-- 1 root root 5629 Jan 11 15:28 fullchain2.pem
-rw-r--r-- 1 root root 3591 Mar 14  2020 fullchain3.pem
-rw-r--r-- 1 root root 3591 May 13  2020 fullchain4.pem
-rw-r--r-- 1 root root 3591 Jul 12  2020 fullchain5.pem
-rw-r--r-- 1 root root 3591 Sep 11  2020 fullchain6.pem
-rw-r--r-- 1 root root 3595 Sep 18  2020 fullchain7.pem
root@tcesrvprpxy01:/etc/letsencrypt/live#
-rw-r--r-- 1 root root 3460 Jan 17  2021 fullchain9.pem
-rw-r--r-- 1 root root 1704 Mar 18  2021 privkey10.pem
-rw-r--r-- 1 root root 1708 May 17  2021 privkey11.pem
-rw-r--r-- 1 root root 1704 Jul 17  2021 privkey12.pem
-rw-r--r-- 1 root root 1704 Jul 20  2021 privkey13.pem
-rw-r--r-- 1 root root 1704 Jul 20  2021 privkey14.pem
-rw-r--r-- 1 root root 1708 Sep 18  2021 privkey15.pem
-rw-r--r-- 1 root root 1704 Sep 23  2021 privkey16.pem
-rw-r--r-- 1 root root 1704 Nov 26  2021 privkey17.pem
-rw-r--r-- 1 root root 1708 Jan 25  2022 privkey18.pem
-rw-r--r-- 1 root root 1704 Mar 26  2022 privkey19.pem
-rw-r--r-- 1 root root 1708 Nov 14  2019 privkey1.pem
-rw-r--r-- 1 root root 1704 Mar 29  2022 privkey20.pem
-rw-r--r-- 1 root root 1708 May 28  2022 privkey21.pem
-rw-r--r-- 1 root root 1704 May 31  2022 privkey22.pem
-rw-r--r-- 1 root root 1704 Jan 11 15:28 privkey2.pem
-rw-r--r-- 1 root root 1704 Mar 14  2020 privkey3.pem
-rw-r--r-- 1 root root 1708 May 13  2020 privkey4.pem
-rw-r--r-- 1 root root 1704 Jul 12  2020 privkey5.pem
-rw-r--r-- 1 root root 1704 Sep 11  2020 privkey6.pem
-rw-r--r-- 1 root root 1704 Sep 18  2020 privkey7.pem
-rw-r--r-- 1 root root 1708 Nov 17  2020 privkey8.pem
-rw-r--r-- 1 root root 1704 Jan 17  2021 privkey9.pem
```

Can you explain more about this server?

Because it does not look like that Apache config or those /etc/letsencrypt files are in use.

Requests to your domain name tcevisitantes return information from a Windows IIS server (not Apache).

And, the most recent files in /etc/letsencrypt are very old unusual (see Osiris below). What machine are you using to get the current certs?

```
curl -i tcevisitantes.tce.es.gov.br
HTTP/1.1 200 OK
Server:
X-Powered-By:
X-ASPNET-VERSION:
X-ASPNETMVC-VERSION:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
```

3 Likes

There are your most recent certificates. For some reason, Certbot has written them to the incorrect number. I.e.: you'd expect Certbot to count from 22 to 23 and so on. But for some strange reason, it didn't.

Which Certbot version are you running? When asked for the version of your client in the questionnaire, you apparently just copy/pasted the example command you should have run to view the version.

4 Likes

Also, there have been many certs issued recently and they do not appear in /etc/letsencrypt at all. crt.sh shows 7 others for Jan and 12 in Dec.

3 Likes

I suspect, but wouldn't know why, that all those files were written to the same xxx2.pem file, overwriting the previous one.

4 Likes
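
The mismatch discussed in the posts above (the `live/` symlinks point at `*22.pem` while `*2.pem` in `archive/` carries the newest timestamp) can be checked mechanically. The script below is an added example, not part of the original thread or of Certbot; `check_lineage`, `build_sample` and the `example.test` lineage are hypothetical names, and the sample tree is constructed to imitate the listing.

```shell
#!/bin/sh
# Added example (not from the thread): report when a Certbot lineage's live/
# symlinks do not point at the most recently written files in archive/.
# Assumes the standard layout: live/NAME/KIND.pem -> ../../archive/NAME/KINDn.pem

# check_lineage LIVE_DIR: prints findings; returns 0 if consistent, 1 otherwise.
check_lineage() {
    live_dir=$1
    status=0
    for kind in cert chain fullchain privkey; do
        link="$live_dir/$kind.pem"
        if [ ! -L "$link" ]; then
            echo "NOT A SYMLINK: $link"
            status=1
            continue
        fi
        rel=$(readlink "$link")
        # Resolve the relative target against the live directory.
        archive_dir=$(cd "$live_dir/$(dirname "$rel")" && pwd)
        target="$archive_dir/$(basename "$rel")"
        # Same-kind archive files modified after the file the symlink serves.
        newer=$(find "$archive_dir" -maxdepth 1 -name "${kind}[0-9]*.pem" \
                    -newer "$target" | sort | tr '\n' ' ')
        if [ -n "$newer" ]; then
            echo "STALE: $kind.pem -> $(basename "$rel"); newer: $newer"
            status=1
        fi
    done
    return "$status"
}

# build_sample: constructed tree imitating the listing in the thread
# (symlinks at *22.pem from May 2022, *2.pem rewritten in Jan 2023).
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/example.test" "$root/live/example.test"
    for kind in cert chain fullchain privkey; do
        touch -t 202205311200 "$root/archive/example.test/${kind}22.pem"
        touch -t 202301111528 "$root/archive/example.test/${kind}2.pem"
        ln -s "../../archive/example.test/${kind}22.pem" \
              "$root/live/example.test/$kind.pem"
    done
    echo "$root"
}

sample=$(build_sample)
check_lineage "$sample/live/example.test" || echo "lineage needs attention"
rm -rf "$sample"
```

On a real host the argument would be the lineage directory under `/etc/letsencrypt/live/`; a `STALE` line means the web server is being handed an older file than the newest one the client wrote.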

We're using the certbot 0.28.0

This is newer Certbot 2.2.0 Release

1 Like

0.28.0 is very old. Everything might be fixed by updating, which might require changing to the snap installation method of installing Certbot. See https://certbot.eff.org/ for the instructions generator for your OS/webserver combo.

3 Likes

That's a reasonable idea.

It looks to me like Windows IIS is the main server and proxies HTTP Challenges to Apache.

If IIS is the "main" server the best solution might be to migrate to an ACME Client like Certify The Web (link here) which has built-in integration with IIS.

What do you think?

3 Likes

I don't know anything about IIS, so I wouldn't dare make any recommendation using it. I can only recommend stuff to fix Certbot to be honest :stuck_out_tongue:

4 Likes

Fair enough. I don't know much either except you do some sort of import with pfx files. An ACME client like Certify The Web handles that integration automatically. Certbot does not and I have seen many people struggle with that on this forum.

There may be a good reason why they are doing it this way but it seems more complicated than it needs to be.

3 Likes

The most likely (to me) is that they have only one external IP and they were already using it on IIS.

Definitely.
It has probably morphed over time into something no one would have designed from the ground up.
Maybe it's time to tear it all down and rebuild it... better.

3 Likes
