Certificate expired but reported to be current by certbot


#1

Here’s an SSL report for my site: https://sslanalyzer.comodoca.com/?url=https%3A%2F%2Fethereum.karimratib.me%3A9999%2F

It reports that my certificate expired on Tue, 16 Aug 2016 23:13:00 GMT.

However, when I run `certbot-auto renew --standalone --pre-hook "service nginx stop" --post-hook "service nginx start"`, I get

    Requesting root privileges to run certbot…
    /home/kratib/.local/share/letsencrypt/bin/letsencrypt renew --standalone --pre-hook service nginx stop --post-hook service nginx start

    Processing /etc/letsencrypt/renewal/ethereum.karimratib.me.conf

    The following certs are not due for renewal yet:
    /etc/letsencrypt/live/ethereum.karimratib.me/fullchain.pem (skipped)
    No renewals were attempted.

which seems to mean certbot considers the certificate to be current.

How can I diagnose this problem?

Thanks,
Karim


#2

The first thing to spring to mind is to verify that nginx is using the correct certs in:
/etc/letsencrypt/live/ethereum.karimratib.me/
and not in:
/etc/letsencrypt/archive/ethereum.karimratib.me/

That’s where I’d start. Certbot is generally not wrong about whether renewing is required, but I can’t actually reach your site (I get either “403 forbidden” or “Problem Loading Page”) to see what’s happening.

Where is nginx finding its certs?

EDIT: You should always use the certs in “live”. When you renew your certs, they’re stored in “archive” along with all your previous certs. “Live” actually has symlinks pointing to your latest certificates. If you point to the certs in “archive”, you’ll have to manually update nginx every three months!


#3

That was it! The config file was pointing to the certificate files in archive.

Fixed and it works, thanks so much.

Fwiw, I am serving using jupyter, so the relevant config is located in `~/.jupyter/jupyter_notebook_config.py`, under keys `c.NotebookApp.certfile` (cert.pem) and `c.NotebookApp.keyfile` (privkey.pem).


#4

Excellent 🙂

I’m glad it was a nice easy fix!


#5

I’m having this issue too. The command I’m trying is below:

    # /root/certbot-auto renew --no-self-upgrade

    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/mpen.ca.conf
    -------------------------------------------------------------------------------

    The following certs are not due for renewal yet:
      /etc/letsencrypt/live/mpen.ca/fullchain.pem (skipped)
    No renewals were attempted.

Nginx shows the exact same .pem file as listed there:

    ssl_certificate /etc/letsencrypt/live/mpen.ca/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mpen.ca/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mpen.ca/fullchain.pem;

What gives? Let’s Encrypt/Certbot has not worked once for me yet. Every 3 months and 2 days I get an email from one of my clients telling me my site doesn’t work because the cert is expired again, and because certbot doesn’t allow us to renew early anymore, I have less than 24 hours to verify my cron works.


#6

If it uses the exact same .pem file, and that file has been updated (which it sounds like), have you restarted / reloaded nginx?

I’m confused by this - certbot will, by default, renew when there are 30 days or less before the expiry date.


#7

Oh? I forget where I got my information from. I think some tutorial I was following said I had to put a cron for every 12 hours or so because it wouldn’t renew until just before expiry.

Anyway, I figured out my issue yesterday. It appears it wasn’t actually certbot’s fault. Nginx wasn’t reloading the cert no matter what I tried; even if I stopped and started the service, it kept serving the same cert. Rebooting my entire server fixed the issue.
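
The two checks this thread arrives at, as an added example that is not part of any post above: find config entries that hard-code `archive` paths (#2, #3), and compare the certificate a server presents with the one on disk (#6, #7). The function names and the `LE_ROOT` override are hypothetical; the code assumes certbot's numbered archive files (`cert1.pem`, `cert2.pem`, ...) and that `readlink -f` and `openssl` are available.

```shell
#!/bin/sh
# Added example, not from the thread. LE_ROOT is a hypothetical override so
# the functions can also be run against a constructed directory tree.
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# List every path in a config file that points into $LE_ROOT/archive/.
# Works for nginx directives and jupyter's Python settings alike, because
# it only looks for the path itself.
archive_refs() {
    grep -oE "$LE_ROOT/archive/[A-Za-z0-9._/-]+\.pem" "$1" | sort -u
}

# For one archive path, print the file the matching live/ symlink resolves
# to right now (archive/<name>/cert1.pem -> live/<name>/cert.pem).
current_for() {
    name=$(basename "$(dirname "$1")")
    kind=$(basename "$1" | sed -E 's/[0-9]+\.pem$/.pem/')
    readlink -f "$LE_ROOT/live/$name/$kind"
}

# Report each hard-coded archive path; returns 1 if any was found.
check_config() {
    status=0
    for ref in $(archive_refs "$1"); do
        cur=$(current_for "$ref")
        if [ "$(readlink -f "$ref")" = "$cur" ]; then
            echo "PINNED $ref (current now, goes stale at next renewal)"
        else
            echo "STALE $ref (live now resolves to $cur)"
        fi
        status=1
    done
    return $status
}

# usage: served_matches_disk host port /path/to/live/<name>/fullchain.pem
# Succeeds only if the leaf certificate the server presents has the same
# SHA-256 fingerprint as the first certificate in the file on disk. A
# mismatch means the running server has not loaded the renewed file.
served_matches_disk() {
    served=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256)
    disk=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
    [ -n "$served" ] && [ "$served" = "$disk" ]
}
```

Run `check_config` on the server's config file first; if it reports nothing, `served_matches_disk` tells you whether the process is still holding an old certificate in memory.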

