Certificate expired even though it was set to autorenew

My domain is: primary.red

My certificate has expired. It was fine for about 5 months. I was using autorenew so I don’t understand what has happened or how to fix it.

Testing with certbot renew --dry-run says the cert is not due for renewal.

letsencrypt.log is empty

certbot.timer appears to have executed 8hrs ago but the cert expired on the 16th of April.

If anyone can help me troubleshoot this, much appreciated, but if you could keep it simple as I’m not a computer science person that would be great. Thanks

Hi @xenopoly

there is a new certificate created 2019-03-17 ( https://check-your-website.server-daten.de/?q=primary.red ):

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1306504966 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-03-17 04:34:38 | 2019-06-15 03:34:38 | primary.red, www.primary.red - 2 entries | | |
| 1114661760 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-01-15 22:55:42 | 2019-04-15 21:55:42 | primary.red, www.primary.red - 2 entries | | |
| 951612849 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2018-11-16 13:35:20 | 2019-02-14 13:35:20 | primary.red, www.primary.red - 2 entries | | |

But you don't use it, instead you use the expired certificate:

CN=primary.red | 16.01.2019 | 16.04.2019 | 6 days expired | primary.red, www.primary.red - 2 entries

Try

certbot -d primary.red -d www.primary.red

Certbot should find the current certificate and should ask if you want to install it.

Don't create a new certificate, this isn't the problem.

Then share the content of your renew config:

/etc/letsencrypt/renewal

certbot -d primary.red -d www.primary.red
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.

renew_before_expiry = 30 days

version = 0.23.0
archive_dir = /etc/letsencrypt/archive/primary.red
cert = /etc/letsencrypt/live/primary.red/cert.pem
privkey = /etc/letsencrypt/live/primary.red/privkey.pem
chain = /etc/letsencrypt/live/primary.red/chain.pem
fullchain = /etc/letsencrypt/live/primary.red/fullchain.pem

content of renew config:

Options used in the renewal process

[renewalparams]
account = 11d9f7b2749813e7d331742df1c570cb
authenticator = webroot
installer = None
[[webroot_map]]
primary.red = /var/lib/letsencrypt
www.primary.red = /var/lib/letsencrypt

I did not run “certbot certonly”

Certbot doesn't understand your system.

What does this say:

certbot --version

Looks like your version is very old.

There is a standard template from #help - what's your webserver configuration?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Edit: Your server answers:

Server: nginx/1.14.0 (Ubuntu)

So you should really update your certbot to use the --nginx option

I think I got it. I’ve run the install commands from certbot.eff.org for my config and added the --nginx option. I’m back up and running now.

Many thanks.


With an updated certbot, check your config file.

There should be

installer = nginx

installer = none -> the certificate is renewed, but not installed.

Yeah, it’s installer = None. What should I do?

Change it to nginx.

That’s the reason the certificate was created, but not installed.


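The cause found in this thread (installer = None, so the certificate is renewed on disk but never installed) can be checked for in every renewal config. This is an added example, not part of any post above; the function names and sample files are constructed, and it assumes a reload hook is only sufficient when the web server config already points at the /etc/letsencrypt/live paths.

```shell
#!/bin/sh
# Added example: find certbot lineages that renew on disk but are
# never installed into (or reloaded by) the web server.

# get_param FILE KEY: print KEY's value from the [renewalparams] section.
get_param() {
    awk -v key="$2" '
        /^[ \t]*\[renewalparams\]/ { s = 1; next }
        /^[ \t]*\[/                { s = 0 }   # e.g. [[webroot_map]] ends the section
        s && !/^[ \t]*#/ && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# is_set VALUE: true unless empty or the literal None written for "unset".
is_set() { [ -n "$1" ] && [ "$1" != "None" ]; }

# check_renewal_conf FILE: 0 if an installer or hook deploys the cert, else 1.
# (certbot stores --deploy-hook as renew_hook in the renewal config.)
check_renewal_conf() {
    if is_set "$(get_param "$1" installer)"; then
        echo "OK    $1: installer = $(get_param "$1" installer)"; return 0
    fi
    for hook in renew_hook post_hook; do
        if is_set "$(get_param "$1" "$hook")"; then
            echo "OK    $1: no installer, but $hook is set"; return 0
        fi
    done
    echo "WARN  $1: installer = None and no hook; renewed cert is not deployed"
    return 1
}

# write_samples DIR: constructed configs; the first mirrors the one posted above.
write_samples() {
    printf '%s\n' 'version = 0.23.0' '[renewalparams]' 'authenticator = webroot' \
        'installer = None' '[[webroot_map]]' 'primary.red = /var/lib/letsencrypt' \
        > "$1/not-installed.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = nginx' 'installer = nginx' \
        > "$1/nginx.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' 'installer = None' \
        'renew_hook = systemctl reload nginx' > "$1/hook.conf"
}

# Demo on the samples; on a real host loop over /etc/letsencrypt/renewal/*.conf.
demo=$(mktemp -d)
write_samples "$demo"
for f in "$demo"/*.conf; do check_renewal_conf "$f" || true; done
rm -rf "$demo"
```

A WARN line matches the symptom reported here: certbot renew --dry-run says nothing is due while the site still serves the expired certificate.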