Certificate not actually being renewed

webbo · September 7, 2017, 7:45am

As seen from the output below - it looks like the certificate has renewed. I reload httpd, but sslchecker.com still shows the expiry date to be soon. Other certificates on this server renewed fine using exactly the same method.

Please fill out the fields below so we can help you better.

My domain is: https://springfield.uk.net

I ran this command: certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/governance.thedecurcitrust.co.uk.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/springfield.uk.net.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for springfield.uk.net
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/springfield.uk.net/fullchain.pem

My web server is (include version): Apache 2.4.6
The operating system my web server runs on is (include version): Centos 7.3.1611

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

Patches · September 7, 2017, 2:54pm

Could you please paste the output of certbot certificates and the SSL virtual host Apache configuration block for the affected domain? It appears that Apache is not using the correct certificate file.

webbo · September 8, 2017, 6:53am

Thanks for getting back to me.

certbot certificates:

Certificate Name: springfield.uk.net
Domains: springfield.uk.net
Expiry Date: 2017-09-24 07:46:00+00:00 (VALID: 16 days)
Certificate Path: /etc/letsencrypt/live/springfield.uk.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/springfield.uk.net/privkey.pem

host conf:

<VirtualHost 10.216.0.21:443>
ServerAdmin sysadmin@springfield.uk.net
DocumentRoot /var/www/html/springfield
ServerName springfield.uk.net
ServerAlias www.springfield.uk.net
ErrorLog logs/springfield.uk.net-error_log
CustomLog logs/springfield.uk.net-access_log common
SSLEngine on
SSLProtocol all -SSLv3 -SSLv2
SSLCertificateFile /etc/letsencrypt/live/springfield.uk.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/springfield.uk.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/springfield.uk.net/fullchain.pem

Patches · September 8, 2017, 8:23am

Sometimes with several virtual hosts certificate files get mixed up, but that looks okay. The only thing wrong with that is the expiry date. You’ve been issued several more recent certificates.

@schoen @bmw @SwartzCr certbot claims to be successfully renewing, and certificates appear in the transparency log. But at least the live symlink isn’t updated, and it looks like they hit the rate limit last week so presumably certbot keeps trying to renew. Not sure what’s going on.

@webbo if you could upload or pastebin your /var/log/letsencrypt/letsencrypt.log file it may give them some hints, and your certbot --version as well.

mnordhoff · September 8, 2017, 8:27am

@webbo And also:

ls -AlR /etc/letsencrypt/archive/ /etc/letsencrypt/live/

I’m suspicious something is off with the symlinks.

webbo · September 8, 2017, 9:13am

certbot --version
certbot 0.14.1

ls -AlR /etc/letsencrypt/archive/ /etc/letsencrypt/live/

/etc/letsencrypt/live/springfield.uk.net:
total 4
lrwxrwxrwx 1 root root 47 Sep 6 11:04 cert.pem -> …/…/archive/springfield.uk.net-0001/cert1.pem
lrwxrwxrwx 1 root root 48 Sep 6 11:04 chain.pem -> …/…/archive/springfield.uk.net-0001/chain1.pem
lrwxrwxrwx 1 root root 52 Sep 6 11:04 fullchain.pem -> …/…/archive/springfield.uk.net-0001/fullchain1.pem
lrwxrwxrwx 1 root root 50 Sep 6 11:04 privkey.pem -> …/…/archive/springfield.uk.net-0001/privkey1.pem
-rw-r–r-- 1 root root 543 Jun 26 09:46 README

/etc/letsencrypt/archive/springfield.uk.net:
total 32
-rw-r–r-- 1 root root 1805 Feb 28 2017 cert1.pem
-rw-r–r-- 1 root root 1805 Sep 6 11:04 cert2.pem
-rw-r–r-- 1 root root 1647 Feb 28 2017 chain1.pem
-rw-r–r-- 1 root root 1647 Sep 6 11:04 chain2.pem
-rw-r–r-- 1 root root 3452 Feb 28 2017 fullchain1.pem
-rw-r–r-- 1 root root 3452 Sep 6 11:04 fullchain2.pem
-rw-r–r-- 1 root root 1704 Feb 28 2017 privkey1.pem
-rw-r–r-- 1 root root 1704 Sep 6 11:04 privkey2.pem

/etc/letsencrypt/archive/springfield.uk.net-0001:
total 16
-rw-r–r-- 1 root root 1805 Jun 26 09:46 cert1.pem
-rw-r–r-- 1 root root 1647 Jun 26 09:46 chain1.pem
-rw-r–r-- 1 root root 3452 Jun 26 09:46 fullchain1.pem
-rw-r–r-- 1 root root 1704 Jun 26 09:46 privkey1.pem

I’m a new user so it won’t let me upload the log.

sahsanu · September 8, 2017, 10:58am

Hi @webbo,

Seems the symlinks are a bit messed, instead of pointing to the last certificates in /etc/letsencrypt/archive/springfield.uk.net/ are pointing to /etc/letsencrypt/archive/springfield.uk.net-0001/ and that is strange.

Let’s try to recreate the symlinks, as root do:

cd
tar zcvf letsencrypt-backup-2017-Sep-8.tar.gz /etc/letsencrypt/
cd /etc/letsencrypt/live/springfield.uk.net/
rm *.pem
ln -s …/…/archive/springfield.uk.net/cert2.pem cert.pem
ln -s …/…/archive/springfield.uk.net/fullchain2.pem fullchain.pem
ln -s …/…/archive/springfield.uk.net/chain2.pem chain.pem
ln -s …/…/archive/springfield.uk.net/privkey2.pem privkey.pem

After that, reload your web server and it should show the renewed cert.

Even if it works, you maybe have more mess there, you should show the contents of /etc/letsencrypt/renewal/

ls -la /etc/letsencrypt/renewal/

And show the contents of the files found there.

Cheers,
sahsanu

webbo · September 8, 2017, 12:48pm

Thank you, that worked. certbot certificates now shows the expiry time as 87 days.

cat /etc/letsencrypt/renewal/springfield.uk.net.conf

renew_before_expiry = 30 days

version = 0.14.1
cert = /etc/letsencrypt/live/springfield.uk.net/cert.pem
privkey = /etc/letsencrypt/live/springfield.uk.net/privkey.pem
chain = /etc/letsencrypt/live/springfield.uk.net/chain.pem
fullchain = /etc/letsencrypt/live/springfield.uk.net/fullchain.pem
archive_dir = /etc/letsencrypt/archive/springfield.uk.net

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = 2e12152352d2f17c8eb51270ad3f8f4d

There aren’t any other conf files there apart from for my other domains which are working.

Thanks for all your help with this.

sahsanu · September 8, 2017, 1:10pm

@webbo, glad it is working fine now.

Your renewal conf looks fine.

I suppose you created your first certificate and then you added a new one for the same domain without expand the first one and that is the reason you had /etc/letsencrypt/live/springfield.uk.net and /etc/letsencrypt/live/springfield.uk.net-0001.

After that, I think you removed /etc/letsencrypt/live/springfield.uk.net and renamed /etc/letsencrypt/live/springfield.uk.net-0001 to /etc/letsencrypt/live/springfield.uk.net and that is the reason the symlinks in /etc/letsencrypt/live/springfield.uk.net/ were pointing to /etc/letsencrypt/archive/springfield.uk.net-0001/.

I think you should have no issues to renew your certs, just remove the old and unused dir /etc/letsencrypt/archive/springfield.uk.net-0001/

rm -rf /etc/letsencrypt/archive/springfield.uk.net-0001/

Have a nice day.
sahsanu

webbo · September 8, 2017, 1:10pm

Yes, that sounds about right.

Appreciate your help.

Ollie

system · October 8, 2017, 1:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.