Certificate Expired Now What

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Prefer not to post it

I ran this command: certbot certonly --webroot -w /usr/local/www -d xxxx.ddns.net -d www.xxxx.ddns.net

It produced this output: The following errors were reported by the server:

Domain: www.xxxx.ddns.net
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for
www.xxxx.ddns.net

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version): nginx/1.12.1

The operating system my web server runs on is (include version): FreeNAS 11U2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

Hi @NasKar,

This error indicates that www.xxxx.ddns.net does not exist. Remember that this is a separate DNS record from xxxx.ddns.net. Since you didn't post your domain name, we can't confirm whether this is correct. However, you should check your DNS configuration.

I had tried to renew and thought it was successful: Copy letsencrypt to new server install
It turns out the certificate expired, so the site is not reachable now. How can I create a new certificate? Do I have to delete the old letsencrypt directory before issuing the certbot command?

No IP says my ddns expires in 8 days

I eliminated the www.xxxx.ddns.net from the certbot command and got:
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /usr/local/etc/letsencrypt/renewal/xxxx.ddns.net.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Not sure if I should do 2. Surprised it says it's not expired. Maybe something else is broken?

When I go to the website I get this error in Explorer:
The website's security certificate is not yet valid or has expired.
Error Code: DLG_FLAGS_SEC_CERT_DATE_INVALID
Because this site uses HTTP Strict Transport Security, you can't continue to this site at this time.

So, the reason for the different Certbot behavior in these two cases is probably that your existing certificate covers xxxx.ddns.net but you originally requested a new certificate for both www.xxxx.ddns.net and xxxx.ddns.net. Certbot tried to obtain that new certificate because it would have covered a domain name that your old certificate didn't.

By contrast, when you only asked for a certificate that covered xxxx.ddns.net (with the www), Certbot noticed that you already have one and that it's already renewed and not near expiry.

That probably means that you have already renewed your certificate but that the new certificate isn't being used by your web server. I can give you lots of ways of checking this, but the first step would be to reload your web server (e.g. sudo service apache2 reload or a similar command depending on your OS and web server). Renewals using --webroot do not perform this step for you automatically unless you add a --renew-hook option telling them that they should.

I'm not sure that you're being well-served by setting HSTS on a ddns site when you're not totally comfortable renewing certificates yet.


After doing a service nginx reload the site works. Not sure why I needed to do that. Thanks for your help as usual. My site is supposed to autorenew with a script in /etc/periodic/daily/220.renew.letsencrypt
It contains:
#!/bin/sh

/usr/local/bin/certbot renew --quiet --pre-hook “service nginx stop” --post-hook “service nginx start”

If that were having the effect you intended, you wouldn't be able to renew at all, because --webroot requires that your web server is running! (In that regard it's the opposite of --standalone, which normally requires that your web server is not running.)

So, either that particular command is not being run automatically, or the hooks aren't having the effect that you expected.

With --webroot I would normally suggest --renew-hook "service nginx reload" because you just need a reload to pick up the new certificates when they exist. However, I don't think changing your current command to this command will fix things unless you can also figure out why your current command isn't working (whether it's not running at all, or whether the hooks don't work, or whatever).

So the command certbot --renew-hook “service nginx reload” would work in the script?
If I run service cron status it says it's running.
How else could I check if it's running at all or if the hooks don't work? Is there a log file to check? Sorry if this is an obvious question.

You could see if the script is running by adding a line like

date >> /tmp/$$

at the end, and then seeing if files get created in /tmp showing the PIDs of the script interpreters and the dates that the script ran.

You could check if the hooks are working by running your renew command from the command line with the addition of --force-renewal (but don't do this frequently, because it counts against your rate limit unless you also use --dry-run!).

Just a correction, the renew param must be used too:

/usr/local/bin/certbot renew --quiet --renew-hook “service nginx reload”

After adding the code to the script I get a file
-rw-r--r-- 1 root wheel 29 Sep 22 13:32 33935
in the /tmp directory, showing it works if I run it manually.

/usr/local/bin/certbot renew --dry-run --force-renewal

Congratulations, all renewals succeeded. The following certs have been renewed:
/usr/local/etc/letsencrypt/live/xxxx.ddns.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

So that command in my script will work going forward?

What command shows me how many days till my cert expires?
Other than waiting till I get an email that my cert is expiring, how can I know that my script is working?

"/usr/local/bin/certbot certificates" will display the certificates and their expiration dates.

If it's an old version of Certbot that doesn't support that command, you'd want to use the openssl command line tool or similar.


Yes, it should work if your certificate will expire in 30 or less days.

certbot certificates


Great, it says I'm valid for 85 days.

If I remove the --quiet parameter and run the script
I get:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: nginx reload”

It looks like the forum(?) replaced the regular ASCII quotation marks around service nginx reload with fancy Unicode quotation marks. You need to fix the command. :sweat:

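As an added example (not the poster's script, nor anything from Certbot itself), here is the daily renewal script rewritten with the points raised in this thread: ASCII quotes around the hook so certbot parses it, --renew-hook with a reload instead of a pre-hook stop that --webroot cannot tolerate, one timestamped log line per run in place of the /tmp/$$ files, and an openssl -checkend expiry check as the fallback mentioned for older Certbot versions. The cert.pem path under the live directory and the log path are assumptions; the other paths are the poster's.

```sh
#!/bin/sh
# Added example, not the poster's script: /etc/periodic/daily/220.renew.letsencrypt
# rewritten with the fixes from this thread. LOG and CERT paths are assumptions.
CERTBOT=/usr/local/bin/certbot
CERT=/usr/local/etc/letsencrypt/live/xxxx.ddns.net/cert.pem
LOG=/var/log/letsencrypt-renew.log

# Count bytes outside 7-bit ASCII in a file; a clean script yields 0.
# The curly quotes the forum inserted around "service nginx reload" are
# 3-byte UTF-8 sequences, so they show up here before certbot chokes on them.
non_ascii_bytes() {
    LC_ALL=C tr -d '\000-\177' < "$1" | wc -c | tr -d ' '
}

# Exit 0 when the file is plain ASCII, 1 (with a message) otherwise.
check_ascii() {
    n=$(non_ascii_bytes "$1")
    [ "$n" -eq 0 ] && return 0
    echo "$1: $n non-ASCII byte(s); retype the quotes by hand" >&2
    return 1
}

# Exit 0 if the certificate is still valid $2 days from now. Uses only
# openssl x509 -checkend, so it behaves the same with GNU and BSD date.
cert_valid_for_days() {
    openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null
}

# Append one timestamped line per run: a single file answers "does the
# periodic job run at all?" instead of a pile of /tmp/$$ files.
log_run() {
    printf '%s pid=%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$$" "$1" >> "$2"
}

main() {
    check_ascii "$0" || exit 1
    log_run "start" "$LOG"
    # --webroot needs nginx running, so no pre-hook stop; --renew-hook fires
    # only when a certificate was actually renewed, and a reload suffices.
    "$CERTBOT" renew --quiet --renew-hook "service nginx reload"
    rc=$?
    log_run "certbot exit=$rc" "$LOG"
    cert_valid_for_days "$CERT" 30 || log_run "WARNING: cert expires within 30 days" "$LOG"
    exit "$rc"
}

# Run only when invoked as the periodic script; sourcing just defines helpers.
case "$(basename -- "$0")" in 220.renew.letsencrypt) main ;; esac
```

Running it once by hand with --dry-run added to the certbot line, then looking at the log file the next day, tells you whether periodic actually invokes it.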

It should work, don't copy and paste the command, write it by hand.

Also, could you please show the certbot version?

/usr/local/bin/certbot --version

certbot 0.17.0

Now I get "Cert not yet due for renewal":

The following certs are not due for renewal yet:
/usr/local/etc/letsencrypt/live/xxxx.ddns.net/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.

Does that mean it will work now?