Certificate not getting renewed but is overdue

rurcoasteagle · January 21, 2017, 8:55pm

Hi folks,

I wondered that i was not able to connect to my homepage today. Reason is a overdue certificate.
This is very curious because the certbot is running every month to renew certificates.
So I tried to renew it manually as you can see down here.

Certbot recognizes that the Cert is overdue and tries to renew it, but the new cert is already expired.

So what to do?

My domain is: alexgast.de

I ran this command: /root/certbot/certbot-auto certonly -n --expand --webroot -w /var/www/virtual/alexgast.de/htdocs/ -d alexgast.de -d www.alexgast.de

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for alexgast.de
http-01 challenge for www.alexgast.de
Using the webroot path /var/www/virtual/alexgast.de/htdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0056_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0056_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/alexgast.de/fullchain.pem. Your cert will
   expire on 2017-01-15. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My operating system is Ubuntu 14.04.5 LTS
My web server is Apache/2.4.7 (Ubuntu)

Osiris · January 21, 2017, 9:04pm

Too bad you don’t have some kind of output of certbot through your cronjob. Also, the proper way to renew would be certbot renew. (Or in your case certbot-auto renew.)

Anyway, you’ve managed to get a new certificate while running certbot manually. You just have to reload your webserver to use the new one.

serverco · January 21, 2017, 9:05pm

You have been obtaining new certificates ( see https://crt.sh/?q=alexgast.de ), I suspect though that you aren’t using the latest one in apache.

Have you reloaded apache since you renewed the cert ?

If you have, then my next suggestion would be checking the apache config to check it’s pointing at the latest cert.

rurcoasteagle · January 21, 2017, 9:11pm

Uhm… that’s interesting. The new cert seems not to be downloaded on my server:

root@taurus /etc/letsencrypt/live/alexgast.de # openssl x509 -in fullchain.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:1f:c9:da:62:82:6b:0c:ca:b9:8b:c9:13:93:fe:4a:f8:24
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Oct 17 08:15:00 2016 GMT
            Not After : Jan 15 08:15:00 2017 GMT
        Subject: CN=alexgast.de
        Subject Public Key Info:

The softlinks in the live-folder do not point to the correct certificate.
They’re pointing to /etc/archive/letsencrypt/archive/alexgast.de-0001/ and the new certificate is lying under alexgast.de (without -0001). I’ll try to correct this manually.

system · February 20, 2017, 9:22pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.