Certificate Expiry Date Not Changing after renewal (wildcard)

Certificate Expiry Date Not Changing after renewal (wildcard). Basically certificate not getting renewed.

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: aiyotta.com
Serial Number: 3985350b0f9119d58b4a35771a17a41ae6f
Key Type: RSA
Domains: *.aiyotta.com
Expiry Date: 2020-12-27 06:21:55+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/aiyotta.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/aiyotta.com/privkey.pem


My domain is:

I ran this command:
certbot certonly -d '*.aiyotta.com' --manual --preferred-challenges dns-01

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for *.aiyotta.com
Performing the following challenges:
dns-01 challenge for aiyotta.com


Please deploy a DNS TXT record under the name
_acme-challenge.aiyotta.com with the following value:

xWxiQqMow25Ho9MENInqviwVjGB8uO1Lr-eQXLRxnc8

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: aiyotta.support@jeeccorp.com).

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/aiyotta.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/aiyotta.com/privkey.pem
    Your cert will expire on 2020-12-27. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):
nginx/1.14.1

The operating system my web server runs on is (include version):
CentOS 8.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1

2 Likes

Hi @jjuser

That command doesn't restart your webserver? Did you restart?

2 Likes

Thank you very much for your response. Yes. I did restart and did it again now. But nothing changed.

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: aiyotta.com
Serial Number: 3985350b0f9119d58b4a35771a17a41ae6f
Key Type: RSA
Domains: *.aiyotta.com
Expiry Date: 2020-12-27 06:21:55+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/aiyotta.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/aiyotta.com/privkey.pem


2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I can attest that you successfully acquired a new certificate two hours ago.

2 Likes

Thank you very much griffin. I could see that the certificate date stamp is today's. But still my website is throwing Certificate Expired Warning and certbot certificates command shows

Expiry Date: 2020-12-27 06:21:55+00:00 (INVALID: EXPIRED)

3 Likes

What say the following?

ls -l /etc/letsencrypt/live/aiyotta.com

ls -l /etc/letsencrypt/archive/aiyotta.com

I strongly suspect that the problem lies with the symlinks in your live directory pointing to your old certificate and private key.

Try running this:

certbot update_symlinks

Then run this again:

certbot certificates

If all looks well, reload your webserver:

nginx -s reload

4 Likes
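The stale-symlink condition suspected in the post above can be checked directly by comparing each link in the live directory with the highest-numbered file in the archive directory. This is an added example, not part of any post in the thread: the function names and the `example.test` sample tree are constructed for illustration, and it assumes the layout in which `live/<name>/<kind>.pem` links to `../../archive/<name>/<kind>N.pem`.

```sh
# Added example, not from the thread: flag live/ symlinks that lag behind archive/.
# Assumed layout: live/<name>/<kind>.pem -> ../../archive/<name>/<kind>N.pem

# Print the highest N for which <archive_dir>/<kind>N.pem exists (0 if none).
newest_version() (
    max=0
    for f in "$1/$2"[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/}; n=${n#"$2"}; n=${n%.pem}
        case $n in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo "$max"
)

# Print one status line per file; succeed only if every link is current.
check_lineage() (
    live_dir=$1; archive_dir=$2; bad=0
    for kind in cert chain fullchain privkey; do
        newest=$(newest_version "$archive_dir" "$kind")
        target=$(readlink "$live_dir/$kind.pem" 2>/dev/null) || target=
        cur=${target##*/}; cur=${cur#"$kind"}; cur=${cur%.pem}
        case $cur in ''|*[!0-9]*) cur= ;; esac
        if [ -z "$cur" ] || [ ! -e "$live_dir/$kind.pem" ]; then
            echo "BROKEN $kind.pem -> ${target:-not a symlink}"; bad=1
        elif [ "$cur" -lt "$newest" ]; then
            echo "STALE  $kind.pem -> $kind$cur.pem (archive has $kind$newest.pem)"; bad=1
        else
            echo "OK     $kind.pem -> $kind$cur.pem"
        fi
    done
    [ "$bad" -eq 0 ]
)

# Constructed sample tree under $1: archive versions 1 and 2, live links at version $2.
make_sample_tree() (
    mkdir -p "$1/live/example.test" "$1/archive/example.test"
    for kind in cert chain fullchain privkey; do
        : > "$1/archive/example.test/${kind}1.pem"
        : > "$1/archive/example.test/${kind}2.pem"
        ln -sf "../../archive/example.test/${kind}$2.pem" "$1/live/example.test/$kind.pem"
    done
)

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir" 1
check_lineage "$demo_dir/live/example.test" "$demo_dir/archive/example.test" \
    || echo "live/ is behind archive/: run 'certbot update_symlinks'"
rm -rf "$demo_dir"
```

On a real host, `check_lineage` takes the two directories listed with `ls -l` in the post above; a `STALE` line means the web server is still being handed the old certificate or key.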

Thanks a lot Griffin. You saved my day. Your guess was perfect. The symlinks were pointing to old files and now everything is working fine after the update. Great community support.

One final query. Can I go ahead and delete all the old files and directories? FYI, I wasn't using wildcard earlier and so there are unused files and folders now.

Thanks a lot once again.

4 Likes

You're quite welcome!

:blush:

If you're going to delete old certificate files, you should always:

  1. Use certbot certificates to determine the name of the unwanted certificate.
  2. Use certbot delete --cert-name name to delete the unwanted certificate properly.

Never, ever, ever...

  • Manually delete certificate files
  • Delete active certificates

4 Likes

Thanks a lot Griffin.

3 Likes

Whoops :roll_eyes:

I manually tinker in about everything in my certbot directories :wink:

4 Likes

* unless you're @Osiris, in which case playing with matches, gasoline, gunpowder, and batteries in a room filled with tissue paper is acceptable, given that it's for science.

:grin:

3 Likes