I’m trying to renew a certificate using the webroot option. Apparently it succeeds, but I’m left with a certificate that has the exact same expiration date as the currently installed certificate. It happens every time for this particular domain. Other domains renew just fine.
I’m not sure how this is possible. Can anyone offer some insight?
letsencrypt output, as run just now. Notice the expiration date is 14 days into the future, not 90:
x@Piles:~/le$ ./letsencrypt-auto certonly --webroot -w /var/www/x.net/ --keep -d x.net
Updating letsencrypt and virtual environment dependencies…
Requesting root privileges to run with virtualenv: sudo /home/x/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/x.net/ --keep -d x.net
[sudo] password for x:
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/x.net/fullchain.pem. Your cert will
expire on 2016-04-13. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.
If you like Let’s Encrypt, please consider supporting our work by:
x@Piles:~/le$ ./letsencrypt-auto certonly --webroot -w /var/www/x.net/ -d x.net
Updating letsencrypt and virtual environment dependencies…
Requesting root privileges to run with virtualenv: sudo /home/x/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/x.net/ -d x.net
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/x.net/fullchain.pem. Your cert will
expire on 2016-04-13. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.
If you like Let’s Encrypt, please consider supporting our work by:
They are symlinks, but they don’t quite point to what I expected: they point to a directory with an -0001 suffix. I’m guessing I somehow managed to have two parallel sets of certificates due to messing around in beta. I’m still not sure how this is related to the issue I’m seeing, but it feels like we’re getting warmer. Maybe it’s trying to renew the wrong one.
root@Piles:~# ls -sla /etc/letsencrypt/live/x.net/
total 8
4 drwxr-xr-x 2 root root 4096 Mar 31 12:51 .
4 drwx------ 7 root root 4096 Feb 5 10:13 ..
0 lrwxrwxrwx 1 root root 42 Mar 31 12:51 cert.pem -> ../../archive/x.net-0001/cert1.pem
0 lrwxrwxrwx 1 root root 43 Mar 31 12:51 chain.pem -> ../../archive/x.net-0001/chain1.pem
0 lrwxrwxrwx 1 root root 47 Mar 31 12:51 fullchain.pem -> ../../archive/x.net-0001/fullchain1.pem
0 lrwxrwxrwx 1 root root 45 Mar 31 12:51 privkey.pem -> ../../archive/x.net-0001/privkey1.pem
root@Piles:~# ls -sla /etc/letsencrypt/archive/x.net/
total 40
4 drwxr-xr-x 2 root root 4096 Mar 31 10:04 .
4 drwx------ 8 root root 4096 Jan 21 08:20 ..
4 -rw-r--r-- 1 root root 1822 Nov 3 19:01 cert1.pem
4 -rw-r--r-- 1 root root 1793 Mar 31 12:51 cert2.pem
4 -rw-r--r-- 1 root root 1675 Nov 3 19:01 chain1.pem
4 -rw-r--r-- 1 root root 1647 Mar 31 12:51 chain2.pem
4 -rw-r--r-- 1 root root 3497 Nov 3 19:01 fullchain1.pem
4 -rw-r--r-- 1 root root 3440 Mar 31 12:51 fullchain2.pem
4 -rw-r--r-- 1 root root 1704 Nov 3 19:01 privkey1.pem
4 -rw-r--r-- 1 root root 1708 Mar 31 12:51 privkey2.pem
root@Piles:~# ls -sla /etc/letsencrypt/archive/x.net-0001/
total 24
4 drwxr-xr-x 2 root root 4096 Jan 14 22:41 .
4 drwx------ 8 root root 4096 Jan 21 08:20 ..
4 -rw-r--r-- 1 root root 1793 Jan 14 22:41 cert1.pem
4 -rw-r--r-- 1 root root 1675 Jan 14 22:41 chain1.pem
4 -rw-r--r-- 1 root root 3468 Jan 14 22:41 fullchain1.pem
4 -rw-r--r-- 1 root root 1704 Jan 14 22:41 privkey1.pem
Reloading your server software should show certificates with the new expiration date afterwards. Renewal should be working without any issues in the future.
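The mismatch visible in the listings above (live/x.net links into archive/x.net-0001 while the newly issued files land in archive/x.net) can be checked for mechanically. This is an added example, not part of the original thread and not letsencrypt's own code; the function names check_lineage, newest_version and make_sample are hypothetical, and the sample tree is constructed from empty files that mirror the directory layout shown in the thread.

```shell
# Added example (not from the thread). Assumes the layout listed above:
#   ROOT/live/NAME/KIND.pem -> ../../archive/DIR/KINDn.pem

# newest_version ARCHIVE_DIR KIND: print highest n among KINDn.pem (0 if none)
newest_version() {
    max=0
    for f in "$1/$2"[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/"$2"}; n=${n%.pem}
        case $n in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo "$max"
}

# check_lineage ROOT NAME: print findings; return 1 if any link is wrong
check_lineage() {
    root=$1; name=$2; status=0
    for link in "$root/live/$name"/*.pem; do
        [ -L "$link" ] || { echo "NOT-A-SYMLINK $link"; status=1; continue; }
        target=$(readlink "$link")
        tdir=$(basename "$(dirname "$target")")
        kind=$(basename "$link" .pem)
        cur=${target##*/"$kind"}; cur=${cur%.pem}
        case $cur in ''|*[!0-9]*) cur=0 ;; esac
        new=$(newest_version "$root/archive/$name" "$kind")
        if [ "$tdir" != "$name" ]; then
            echo "WRONG-LINEAGE $kind.pem -> archive/$tdir (archive/$name has version $new)"; status=1
        elif [ "$cur" -lt "$new" ]; then
            echo "STALE $kind.pem -> version $cur, newest on disk is $new"; status=1
        fi
    done
    return "$status"
}

# make_sample ROOT: constructed, empty-file copy of the layout in the thread
make_sample() {
    mkdir -p "$1/live/x.net" "$1/archive/x.net" "$1/archive/x.net-0001"
    for k in cert chain fullchain privkey; do
        : > "$1/archive/x.net/${k}1.pem"; : > "$1/archive/x.net/${k}2.pem"
        : > "$1/archive/x.net-0001/${k}1.pem"
        ln -s "../../archive/x.net-0001/${k}1.pem" "$1/live/x.net/$k.pem"
    done
}

# Demo on the constructed tree: prints four WRONG-LINEAGE findings.
demo=$(mktemp -d); make_sample "$demo"
check_lineage "$demo" x.net || echo "live/x.net needs attention"
rm -rf "$demo"
```

On a real host the call would be `check_lineage /etc/letsencrypt x.net`, run as root because the live and archive directories are mode 0700 at the parent level.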