As seen from the output below - it looks like the certificate has renewed. I reload httpd, but sslchecker.com still shows the expiry date to be soon. Other certificates on this server renewed fine using exactly the same method.
Please fill out the fields below so we can help you better.
My domain is: https://springfield.uk.net
I ran this command: certbot renew
It produced this output:
Cert not yet due for renewal
Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for springfield.uk.net
Waiting for verification…
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
My web server is (include version): Apache 2.4.6
The operating system my web server runs on is (include version): Centos 7.3.1611
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.
Could you please paste the output of certbot certificates and the SSL virtual host Apache configuration block for the affected domain? It appears that Apache is not using the correct certificate file.
Thanks for getting back to me.
Certificate Name: springfield.uk.net
Expiry Date: 2017-09-24 07:46:00+00:00 (VALID: 16 days)
Certificate Path: /etc/letsencrypt/live/springfield.uk.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/springfield.uk.net/privkey.pem
CustomLog logs/springfield.uk.net-access_log common
SSLProtocol all -SSLv3 -SSLv2
Sometimes with several virtual hosts certificate files get mixed up, but that looks okay. The only thing wrong with that is the expiry date. You’ve been issued several more recent certificates.
@schoen @bmw @SwartzCr certbot claims to be successfully renewing, and certificates appear in the transparency log. But at least the live symlink isn’t updated, and it looks like they hit the rate limit last week so presumably certbot keeps trying to renew. Not sure what’s going on.
@webbo if you could upload or pastebin your /var/log/letsencrypt/letsencrypt.log file it may give them some hints, and your certbot --version as well.
@webbo And also:
ls -AlR /etc/letsencrypt/archive/ /etc/letsencrypt/live/
I’m suspicious something is off with the symlinks.
ls -AlR /etc/letsencrypt/archive/ /etc/letsencrypt/live/
lrwxrwxrwx 1 root root 47 Sep 6 11:04 cert.pem -> ../../archive/springfield.uk.net-0001/cert1.pem
lrwxrwxrwx 1 root root 48 Sep 6 11:04 chain.pem -> ../../archive/springfield.uk.net-0001/chain1.pem
lrwxrwxrwx 1 root root 52 Sep 6 11:04 fullchain.pem -> ../../archive/springfield.uk.net-0001/fullchain1.pem
lrwxrwxrwx 1 root root 50 Sep 6 11:04 privkey.pem -> ../../archive/springfield.uk.net-0001/privkey1.pem
-rw-r--r-- 1 root root 543 Jun 26 09:46 README
-rw-r--r-- 1 root root 1805 Feb 28 2017 cert1.pem
-rw-r--r-- 1 root root 1805 Sep 6 11:04 cert2.pem
-rw-r--r-- 1 root root 1647 Feb 28 2017 chain1.pem
-rw-r--r-- 1 root root 1647 Sep 6 11:04 chain2.pem
-rw-r--r-- 1 root root 3452 Feb 28 2017 fullchain1.pem
-rw-r--r-- 1 root root 3452 Sep 6 11:04 fullchain2.pem
-rw-r--r-- 1 root root 1704 Feb 28 2017 privkey1.pem
-rw-r--r-- 1 root root 1704 Sep 6 11:04 privkey2.pem
-rw-r--r-- 1 root root 1805 Jun 26 09:46 cert1.pem
-rw-r--r-- 1 root root 1647 Jun 26 09:46 chain1.pem
-rw-r--r-- 1 root root 3452 Jun 26 09:46 fullchain1.pem
-rw-r--r-- 1 root root 1704 Jun 26 09:46 privkey1.pem
I’m a new user so it won’t let me upload the log.
It seems the symlinks are a bit messed up: instead of pointing to the last certificates in /etc/letsencrypt/archive/springfield.uk.net/ they are pointing to /etc/letsencrypt/archive/springfield.uk.net-0001/, and that is strange.
Let’s try to recreate the symlinks, as root do:
tar zcvf letsencrypt-backup-2017-Sep-8.tar.gz /etc/letsencrypt/
cd /etc/letsencrypt/live/springfield.uk.net/
ln -sf ../../archive/springfield.uk.net/cert2.pem cert.pem
ln -sf ../../archive/springfield.uk.net/fullchain2.pem fullchain.pem
ln -sf ../../archive/springfield.uk.net/chain2.pem chain.pem
ln -sf ../../archive/springfield.uk.net/privkey2.pem privkey.pem
After that, reload your web server and it should show the renewed cert.
Even if it works, you may have more mess there; you should show the contents of
ls -la /etc/letsencrypt/renewal/
And show the contents of the files found there.
Thank you, that worked. certbot certificates now shows the expiry time as 87 days.
renew_before_expiry = 30 days
version = 0.14.1
cert = /etc/letsencrypt/live/springfield.uk.net/cert.pem
privkey = /etc/letsencrypt/live/springfield.uk.net/privkey.pem
chain = /etc/letsencrypt/live/springfield.uk.net/chain.pem
fullchain = /etc/letsencrypt/live/springfield.uk.net/fullchain.pem
archive_dir = /etc/letsencrypt/archive/springfield.uk.net
Options used in the renewal process
authenticator = apache
installer = apache
account = 2e12152352d2f17c8eb51270ad3f8f4d
There aren’t any other conf files there apart from for my other domains which are working.
Thanks for all your help with this.
@webbo, glad it is working fine now.
Your renewal conf looks fine.
I suppose you created your first certificate and then you added a new one for the same domain without expanding the first one and that is the reason you had
After that, I think you removed
/etc/letsencrypt/live/springfield.uk.net and renamed /
/etc/letsencrypt/live/springfield.uk.net and that is the reason the symlinks in
/etc/letsencrypt/live/springfield.uk.net/ were pointing to
I think you should have no issues renewing your certs, just remove the old and unused dir
rm -rf /etc/letsencrypt/archive/springfield.uk.net-0001/
Have a nice day.
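A read-only check for the condition diagnosed in this thread, added here as an example (it is not part of the original posts and not certbot code): it confirms that each live/ symlink resolves into the archive_dir named in the renewal conf and to the highest-numbered file there. The names check_lineage and make_fixture are hypothetical, and the fixture is constructed to mirror the directory listing above.

```shell
#!/bin/sh
# Added example; check_lineage and make_fixture are hypothetical helper names.
# usage: check_lineage <live_dir> <archive_dir>   (returns 0 when consistent)
check_lineage() {
    live=$1; bad=0
    want_dir=$(readlink -f "$2")
    for kind in cert chain fullchain privkey; do
        link="$live/$kind.pem"
        if [ ! -L "$link" ]; then
            echo "FAIL $link is not a symlink"; bad=1; continue
        fi
        # Resolve the link fully and compare its directory with archive_dir.
        target=$(readlink -f "$link")
        if [ "$(dirname "$target")" != "$want_dir" ]; then
            echo "FAIL $link -> $target (outside $want_dir)"; bad=1; continue
        fi
        # Highest version number present in the archive for this file kind.
        newest=$(ls "$want_dir" |
            sed -n "s/^$kind\([0-9][0-9]*\)\.pem\$/\1/p" | sort -n | tail -n 1)
        if [ "$(basename "$target")" != "$kind$newest.pem" ]; then
            echo "FAIL $link is stale, newest is $kind$newest.pem"; bad=1
        else
            echo "ok   $link -> $target"
        fi
    done
    return $bad
}

# Constructed fixture: same layout as the thread, built under a scratch root.
make_fixture() {
    root=$1; name=springfield.uk.net
    mkdir -p "$root/archive/$name" "$root/archive/$name-0001" "$root/live/$name"
    for kind in cert chain fullchain privkey; do
        : > "$root/archive/$name/${kind}1.pem"
        : > "$root/archive/$name/${kind}2.pem"
        : > "$root/archive/$name-0001/${kind}1.pem"
        ln -sf "../../archive/$name-0001/${kind}1.pem" "$root/live/$name/$kind.pem"
    done
}

# Run with --demo to see the four FAIL lines the broken layout produces.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_fixture "$tmp"
    check_lineage "$tmp/live/springfield.uk.net" "$tmp/archive/springfield.uk.net"
    echo "exit status: $?"; rm -rf "$tmp"
fi
```

On a real host, pass the lineage's live directory and the archive_dir value from its file in /etc/letsencrypt/renewal/; the function only reads the filesystem.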
Yes, that sounds about right.
Appreciate your help.