Certificate expired, but certbot says not time for renewal

So here is a screenshot from Outlook showing an expired certificate, but the certbot response shows it is not time for renewal.

My domain is: mail.lindows.org

I ran this command: certbot renew

It produced this output:

Cert not yet due for renewal
/etc/letsencrypt/live/mail.lindows.org-0001/fullchain.pem expires on 2020-11-10 (skipped)
Cert not yet due for renewal

My web server is (include version): nginx

The operating system my web server runs on is (include version): Debian 9

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Could you show me what the contents of this file are:

/etc/letsencrypt/renewal/mail.lindows.org-0001.conf

Possibly, Certbot is not configured to automatically reload nginx upon certificate renewal.

2 Likes

Just what @_az said,
If you are running Nginx, to fix the issue for one single time please run sudo systemctl reload nginx.

To fix for all future renewals, please do what @_az suggested above.

1 Like

@_az & @stevenzhu

Actually, that is a new creation.

I ran certbot -d "mail.lindows.org" to see what would happen. I guess I should delete that.

The actual output of renew on my second attempt was:

/etc/letsencrypt/live/mail.lindows.org-0001/fullchain.pem expires on 2020-11-10 (skipped)
/etc/letsencrypt/live/mail.lindows.org/fullchain.pem expires on 2020-10-11 (skipped)

This is what is in /etc/letsencrypt/live/mail.lindows.org/fullchain.pem


What would happen if you run sudo systemctl reload nginx? Looks to me like your certificate is renewed but nginx wasn’t asked to pick up the change.

2 Likes

What are the contents of /etc/letsencrypt/renewal/mail.lindows.org.conf, then?

Generally, one of two things needs to happen:

  • The installer needs to be set to nginx so it automatically installs the certificate to the nginx configuration and reloads the server every renewal. That is typical if you used certbot --nginx. Or
  • The configuration contains a deploy hook, something along the lines of systemctl reload nginx, in the case that you originally used certbot certonly.

If neither is the case, that would explain why your certificate isn’t being reloaded upon renewal.

1 Like

@_az & @stevenzhu

I was able to resolve the issue. It seems I needed to do a server reboot.

I have symbolic links, pointing to the Let’s Encrypt certificates which nginx is using, that the mail server wants to use. I guess the email server was still using old certificates. I guess they are held in memory?

Thanks for helping me understand this, and the quick, and helpful responses.

To save you from future issues (this will happen every time your certificate renews), please do what @_az suggested so you won’t need to reload nginx every 2 months.

I am using iRedMail for setup. The developer says not to use the --nginx

I missed his caveat of

Let’s Encrypt cert will expire in 90 days, you must renew it before expired. After renewed, don’t forget to restart Postfix/Dovecot/Nginx/Apache to load the new cert files.

I guess I will just have to do daily reloads of those from cron

Thanks again.

That will work. You can alternatively put an executable shell script to reload everything inside the /etc/letsencrypt/renewal-hooks/deploy/ directory, which will be executed at every renewal.

2 Likes
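A deploy hook of the kind suggested above, as an added example that is not part of the original thread and is not Certbot's or iRedMail's own code. The service list and the choice of which lineage directory the services point at are assumptions; RENEWED_LINEAGE is the variable Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: a deploy hook for /etc/letsencrypt/renewal-hooks/deploy/.
# Certbot runs deploy hooks once per successfully renewed certificate and
# exports RENEWED_LINEAGE (the live/ directory of that certificate).

# Assumption: unit names on this host; adjust to what is installed.
SERVICES="${SERVICES:-postfix dovecot nginx}"
# Assumption: the services' symlinks point at this lineage, not at the
# duplicate "-0001" lineage that also exists in this thread.
WANTED_LINEAGE="${WANTED_LINEAGE:-/etc/letsencrypt/live/mail.lindows.org}"

# Reload every listed service that is currently running.
# Prints one "reloaded|skipped|failed <unit>" line per service and returns
# non-zero if any reload failed, so the failure is visible to the caller.
reload_services() {
    rc=0
    for unit in $SERVICES; do
        if ! systemctl is-active --quiet "$unit"; then
            echo "skipped $unit"
        elif systemctl reload "$unit"; then
            echo "reloaded $unit"
        else
            echo "failed $unit"
            rc=1
        fi
    done
    return $rc
}

# Act only when the renewed certificate is the one the services load.
run_hook() {
    if [ "${RENEWED_LINEAGE:-}" != "$WANTED_LINEAGE" ]; then
        echo "ignored ${RENEWED_LINEAGE:-<unset>}"
        return 0
    fi
    reload_services
}

# Run only when invoked by certbot, which sets RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook
fi
```

Saved as an executable file in /etc/letsencrypt/renewal-hooks/deploy/, it runs after each successful renewal, so the mail and web services stop serving the old certificate without a reboot or a daily cron reload.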

That’s a great tip, and valuable info. Many thanks!

Curse Americans and their backwards mm/dd/yyyy dates.

The most likely problem is that your webserver and certbot are talking about two different certificates. Best case solution: reload the mailserver so it can realise the certificate has been renewed (and tell certbot to do it in the future by adding a --deploy-hook)

This means your command is:

certbot renew {whatever plugin, or none to read from old runs} \
              --deploy-hook "systemctl reload postfix dovecot nginx apache"

:wink:

1 Like

Thanks for that tip!
