Certificate renew issue

saurabh.patil · 2019-02-06 18:06:00 UTC

My domain is: [redacted]

I ran this command: certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/[redacted].conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for subdomain1.[redacted]
http-01 challenge for [redacted]
http-01 challenge for subdomain2.[redacted]
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/[redacted]/fullchain.pem

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/[readacted]/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: nginx

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1

Initially i installed certificate through - certbot --nginx certonly --cert-name [redacted]

following command

Osiris · 2019-02-06 18:25:58 UTC

Your test run was successful. What exactly is the problem you’re running into?

rg305 · 2019-02-07 00:52:39 UTC

That is just a test.

This seems to indicate that you actually need to renew them now for real:

So did they renew or just test renew?
Please show:
certbot certificates

certonly doesn’t modify the config…
[it literally ONLY gets a CERT]

saurabh.patil · 2019-02-07 03:56:38 UTC

Thanks, I m not able to see changes in expiry date after nginx service reload.
So what happended exactly certificate renewed or not

rg305 · 2019-02-07 04:07:10 UTC

Probably NOT: https://crt.sh/?q=[redacted]

To confirm, please show output of:
certbot certificates

saurabh.patil · 2019-02-07 04:09:43 UTC

When I am checking my certificate expiry

Command written in [redacted] folder

openssl x509 -dates -noout -in fullchain.pem

notBefore=Nov 29 04:03:57 2018 GMT
notAfter=Feb 27 04:03:57 2019 GMT

This time is not changing here after nginx
reload

rg305 · 2019-02-07 04:13:36 UTC

This command would be much simpler…

But they should show the same date: 2019.02.27 [21 days from now]

So it seems the command:

Did exactly that; Just a --dry-run TEST.

You need to repeat that without the --dry-run testing.
Try:
certbot renew

Osiris · 2019-02-07 06:16:00 UTC

Did you also run certbot renew without the --dry-run?

Did you point your nginx configuration file to the symbolic links in /etc/letsencrypt/live/{yourhostname}/?

saurabh.patil · 2019-02-07 06:32:44 UTC

i havent tried certbot renew will check

/etc/letsencrypt/live/{yourhostname}/ ?
This i have done

jmorahan · 2019-02-07 12:18:41 UTC

jmorahan · 2019-02-07 12:44:02 UTC