Certificate renewal, same expiration date


#1

I’m trying to renew a certificate using the webroot option. Apparently it succeeds, but I’m left with a certificate that has the exact same expiration date as the currently installed certificate. It happens every time for this particular domain. Other domains renew just fine.

I’m not sure how this is possible. Can anyone offer some insight?


letsencrypt output, as run just now. Notice the expiration date is 14 days into the future, not 90:

x@Piles:~/le$ ./letsencrypt-auto certonly --webroot -w /var/www/x.net/ --keep -d x.net
Updating letsencrypt and virtual environment dependencies…
Requesting root privileges to run with virtualenv: sudo /home/x/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/x.net/ --keep -d x.net
[sudo] password for x:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/x.net/fullchain.pem. Your cert will
    expire on 2016-04-13. To obtain a new version of the certificate in
    the future, simply run Let’s Encrypt again.

  • If you like Let’s Encrypt, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#2

What happens when you’d remove the --keep switch?


#3

Good question!
Exactly the same thing happens.


x@Piles:~/le$ ./letsencrypt-auto certonly --webroot -w /var/www/x.net/ -d x.net
Updating letsencrypt and virtual environment dependencies…
Requesting root privileges to run with virtualenv: sudo /home/x/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/x.net/ -d x.net

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/x.net/fullchain.pem. Your cert will
    expire on 2016-04-13. To obtain a new version of the certificate in
    the future, simply run Let’s Encrypt again.

  • If you like Let’s Encrypt, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#4

Could you run ls -l /etc/letsencrypt/live/x.net /etc/letsencrypt/archive/x.net and paste the output here?

My best guess is that you somehow replaced the symlinks in /etc/letsencrypt/live/ with actual files. This should help confirm it.


#5

They are symlinks, but they don’t quite point to what I expected, they point to a directory with an -0001 suffix. I’m guessing I somehow managed to have two parallel sets of certificates due to messing around in beta. I’m still not sure how this is related to the issue I’m seeing, but it feels like we’re getting warmer. Maybe it’s trying to renew the wrong one.


root@Piles:~# ls -sla /etc/letsencrypt/live/x.net/                                                                                                                                    
total 8                                                                                                                                                                                       
4 drwxr-xr-x 2 root root 4096 Mar 31 12:51 .                                                                                                                                                  
4 drwx------ 7 root root 4096 Feb  5 10:13 ..                                                                                                                                                 
0 lrwxrwxrwx 1 root root   42 Mar 31 12:51 cert.pem -> ../../archive/x.net-0001/cert1.pem                                                                                             
0 lrwxrwxrwx 1 root root   43 Mar 31 12:51 chain.pem -> ../../archive/x.net-0001/chain1.pem                                                                                           
0 lrwxrwxrwx 1 root root   47 Mar 31 12:51 fullchain.pem -> ../../archive/x.net-0001/fullchain1.pem                                                                                   
0 lrwxrwxrwx 1 root root   45 Mar 31 12:51 privkey.pem -> ../../archive/x.net-0001/privkey1.pem                                                                                       
root@Piles:~# ls -sla /etc/letsencrypt/archive/x.net/                                                                                                                                 
total 40                                                                                                                                                                                      
4 drwxr-xr-x 2 root root 4096 Mar 31 10:04 .                                                                                                                                                  
4 drwx------ 8 root root 4096 Jan 21 08:20 ..                                                                                                                                                 
4 -rw-r--r-- 1 root root 1822 Nov  3 19:01 cert1.pem                                                                                                                                          
4 -rw-r--r-- 1 root root 1793 Mar 31 12:51 cert2.pem                                                                                                                                          
4 -rw-r--r-- 1 root root 1675 Nov  3 19:01 chain1.pem                                                                                                                                         
4 -rw-r--r-- 1 root root 1647 Mar 31 12:51 chain2.pem                                                                                                                                         
4 -rw-r--r-- 1 root root 3497 Nov  3 19:01 fullchain1.pem                                                                                                                                     
4 -rw-r--r-- 1 root root 3440 Mar 31 12:51 fullchain2.pem                                                                                                                                     
4 -rw-r--r-- 1 root root 1704 Nov  3 19:01 privkey1.pem                                                                                                                                       
4 -rw-r--r-- 1 root root 1708 Mar 31 12:51 privkey2.pem                                                                                                                                       
root@Piles:~# ls -sla /etc/letsencrypt/archive/x.net-0001/                                                                                                                            
total 24                                                                                                                                                                                      
4 drwxr-xr-x 2 root root 4096 Jan 14 22:41 .                                                                                                                                                  
4 drwx------ 8 root root 4096 Jan 21 08:20 ..                                                                                                                                                 
4 -rw-r--r-- 1 root root 1793 Jan 14 22:41 cert1.pem                                                                                                                                          
4 -rw-r--r-- 1 root root 1675 Jan 14 22:41 chain1.pem                                                                                                                                         
4 -rw-r--r-- 1 root root 3468 Jan 14 22:41 fullchain1.pem                                                                                                                                     
4 -rw-r--r-- 1 root root 1704 Jan 14 22:41 privkey1.pem

#6

The new certificates are most likely in /etc/letsencrypt/archive/x.net/cert2.pem (+ chain2, fullchain2, privkey2).

Try changing the symlinks to the correct files like this:

ln -f -s /etc/letsencrypt/archive/x.net/cert2.pem /etc/letsencrypt/live/x.net/cert.pem

(Repeat for chain2, fullchain2, privkey2)

Reloading your server software should show certificates with the new expiration date afterwards. Renewal should be working without any issues in the future.


#7

I’d check the renewal configuration file in /renewal/ too if I were @drxzcl :slight_smile:


#8

Yes, that was it! Thanks!

The renewal conf looks similar to the other ones, but I’m not positive I understand all (or even most) of the options in there.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.