Certificate expired after date

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Https://be-safe.com

I ran this command: certbot renew --dry-run

It produced this output: All renewal attempts failed

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.

Problem: The automatic renewal did not take place and the ext certificate expired for a month. And the warning email has been spammed.

And it is impossible to remove it.
How to renew or replace the certificate? So urgent.

Best regards

1 Like

Welcome to the Let's Encrypt Community, Marius 🙂

I'm sorry to hear that the automated removal did not work. 😧

Not sure what you mean here.

Remove what?

How did you get the certificate originally? What is the output of the certbot renewal command?

2 Likes

the warning email has been spammed: Expiration mail from Let's Encrypt Expiry Bot expiry@letsencrypt.org
it is impossible to remove it: Want to replace the certificate with a new one.
How to renew or replace the certificate: The renewal failed. What solution to force the renewal?

1 Like

How did you get the certificate originally? What is the output of the certbot renewal command?

With webinoly (nginx)

2 Likes

I'm assuming that the renewal command failed. From the certificate history of be-safe.com, it looks like the automated renewals had been working correctly for some time.

What is the full output of this:

sudo certbot renew --dry-run

2 Likes

Processing /etc/letsencrypt/renewal/be-safe.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for be-safe.com
http-01 challenge for www.be-safe.com
Using the webroot path /var/www/be-safe.com/htdocs for all unmatched domains.
Waiting for verification...
Challenge failed for domain be-safe.com
Challenge failed for domain www.be-safe.com
http-01 challenge for be-safe.com
http-01 challenge for www.be-safe.com
Cleaning up challenges
Attempting to renew cert (be-safe.com) from /etc/letsencrypt/renewal/be-safe.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/be-safe.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/be-safe.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

2 Likes

Based on

I would guess that either your IPv6 address (AAAA record in your DNS) does not point to the same server as your IPv4 address (A record in your DNS) or that your webserver configuration does not respond to requests over IPv6, which Let's Encrypt uses by default. If it won't harm any of your operations, you could simply try removing your AAAA record then attempting the certbot dry run again.

2 Likes

I get no response from the IPv6 address on port 80.
LE will prefer IPv6 over IPv4 when available.

2 Likes
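The diagnosis in the two replies above can be checked per address family. The following is an added example, not part of any post in this thread: it resolves the A and AAAA records and probes port 80 on each address separately. The function names and the sample addresses (documentation ranges) are assumptions made for the illustration.

```python
import socket
import sys

def resolve(host, port):
    """Return the A (IPv4) and AAAA (IPv6) addresses published for host."""
    found = {"IPv4": [], "IPv6": []}
    for family, label in ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6")):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        found[label] = sorted({info[4][0] for info in infos})
    return found

def tcp_open(addr, port, timeout=5.0):
    """True if a TCP connection to addr:port succeeds within timeout."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:  # refused, timed out, or no route for this family
        return False

def check_http01(host, port=80, resolver=resolve, probe=tcp_open):
    """Probe every published address; return (results, findings)."""
    results = {fam: {a: probe(a, port) for a in addrs}
               for fam, addrs in resolver(host, port).items()}
    findings = []
    for fam, record in (("IPv6", "AAAA"), ("IPv4", "A")):
        dead = [a for a, ok in results[fam].items() if not ok]
        if dead:
            findings.append(f"{record} record published but port {port} "
                            f"unreachable over {fam}: {', '.join(dead)}")
    if not results["IPv4"] and not results["IPv6"]:
        findings.append("no A or AAAA record found")
    return results, findings

# Constructed sample (documentation address ranges) reproducing the thread's
# failure: both records exist, but only the IPv4 address answers on port 80.
def demo():
    dns = lambda host, port: {"IPv4": ["192.0.2.10"], "IPv6": ["2001:db8::10"]}
    probe = lambda addr, port: ":" not in addr
    return check_http01("example.test", resolver=dns, probe=probe)

if __name__ == "__main__":
    # With a hostname argument the check runs live; without one, the sample.
    _, found = check_http01(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(found) or "all published addresses answer on port 80")
```

Run the live check from a machine that has working IPv6 itself, otherwise every AAAA address will be reported as unreachable regardless of the server's state.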

Once the dry run succeeds, we'll also want to take a look at your renewal configuration file. Given that you're using webroot authentication without installation instead of nginx authentication with installation, we need to be sure that you have a --deploy-hook in place to reload your webserver when a new certificate is acquired.

2 Likes
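One way to audit a renewal configuration file for the condition described in the reply above, as an added example that is not part of the thread or of Certbot: it flags a lineage that authenticates with webroot, has no installer, and has no deploy hook recorded. Certbot records a `--deploy-hook` in the `[renewalparams]` section under the key `renew_hook`; the sample file content, the `example.test` paths and the function names are constructed for the illustration.

```python
# Constructed sample in the layout of /etc/letsencrypt/renewal/<name>.conf
SAMPLE_CONF = """\
cert = /etc/letsencrypt/live/example.test/cert.pem
fullchain = /etc/letsencrypt/live/example.test/fullchain.pem

[renewalparams]
authenticator = webroot
installer = None
webroot_path = /var/www/example.test/htdocs,
[[webroot_map]]
example.test = /var/www/example.test/htdocs
"""

def renewal_params(text):
    """Collect key/value pairs from the [renewalparams] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Also matches nested headers such as [[webroot_map]]
            section = line.strip("[]")
            continue
        if section == "renewalparams" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def needs_deploy_hook(text):
    """True when a renewed certificate would be saved but never loaded:
    webroot authentication, no installer plugin, and no renew_hook."""
    p = renewal_params(text)
    no_installer = p.get("installer", "None") in ("None", "")
    no_hook = p.get("renew_hook", "None") in ("None", "")
    return p.get("authenticator") == "webroot" and no_installer and no_hook

if __name__ == "__main__":
    if needs_deploy_hook(SAMPLE_CONF):
        print("webroot without installer and without a deploy hook: "
              "the web server will keep serving the old certificate")
```

This check reads only the per-lineage file; executable scripts placed in `/etc/letsencrypt/renewal-hooks/deploy/` also run after a successful renewal and are not inspected here.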

Hi.

I found the answer (can help other users)

  • disabled SSL with webinoly (HTTPS inactive)
  • used the delete command "sudo certbot delete" to remove the orphaned certificate files.
  • reactivated SSL with webinoly to get new certificates

Best regards

1 Like

Great to see you've got things working again! And thanks for the how-to regarding webinoly.

That said, my colleagues above do have a fair point: your IPv6 address (2001:41d0:305:2100::864d) isn't responsive on either port 80 or 443. Even if you've successfully managed to get a new certificate, I would urge you to fix your IPv6 connectivity, as this might lead to other weird behaviour or perhaps customers not being able to connect to your site.

5 Likes
