Certificate renewal was successful but old date still appears on website and certificate checkers


#1

My domain is: monpetitchouphotography.com

I ran this command:

./certbot-auto renew

It produced this output:

Requesting root privileges to run certbot...
  /home/bitnami/.local/share/letsencrypt/bin/letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/monpetitchouphotography.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for monpetitchouphotography.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/monpetitchouphotography.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/monpetitchouphotography.com/fullchain.pem (success)

I ran the command a second time (as root instead) because it didn’t appear to update on the website and got a long list of feedback, ending with:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/monpetitchouphotography.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/monpetitchouphotography.com/fullchain.pem (skipped)
No renewals were attempted.

My operating system is (include version): Not sure…

My web server is (include version): Apache

My hosting provider, if applicable, is: Amazon EC2 instance

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, I did

sudo su root

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

I restarted apache using:

sudo /opt/bitnami/ctlscript.sh restart apache

and it still didn’t help.

I also used this command to see what was in the file, as per the other forums threads that I saw:

openssl x509 -in /etc/letsencrypt/live/monpetitchouphotography.com/cert.pem -text -noout

And I got this (among other things):

Validity
            Not Before: Feb 15 20:05:00 2017 GMT
            Not After : May 16 20:05:00 2017 GMT

The first time I ran the command, when I wasn’t root, I got an error. So now I know for sure it’s been updated but when I check the website, or any other those SSL certificate checkers, the expiration date still says March 7th.

I saw a post about having to restart nginx but I tried a few different restart commands that I found online and none of them worked.


#2

You restarted Apache? And you restarted ngingx? What are you running, both? :stuck_out_tongue:

Anyway, two things:

  • Check your webserver configuration directly. To what certificate is it pointing? Is that file also the new certificate? Or did you copy it and now it isn’t updated?
  • You must point your webserver to fullchain.pem (or cert.pem and chain.pem in another directive, depending on your webserver (Apache of nginx?) and version (<2.4.8 or >=2.4.8 for Apache?). Now your server isn’t serving the full chain, so clients can get problems verifying the chain.

#3

Sorry, command line isn’t my forte, so I just try everything that I see other people suggest in the other topics :slight_smile:

Thanks for the suggestions but I’m a bit lost. What command can I use to find the webserver and version? I installed a Bitnami AMI so it took care of everything for me.

Here’s how i installed LE, let me know what steps I might have omitted.

./certbot-auto certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs -d monpetitchouphotography.com

Then:

sudo cp /etc/letsencrypt/live/monpetitchouphotography.com/cert.pem /opt/bitnami/apache2/conf/server.crt

And:

sudo cp /etc/letsencrypt/live/monpetitchouphotography.com/privkey.pem /opt/bitnami/apache2/conf/server.key

After doing this the SSL certificate showed up on the website and was working. Later on I was trying to update the SSL certificate to add a subdomain to serve images from CloudFront but was encountering issues then realized it was way easier to use Amazon’s SSL instead. I may have complicated things trying to do that.

Now I’m trying to renew it and encountering the issue described above. Thank you for your patience!


#4

Well, you did a manual copy step with those cp commands. Bitname probably has a recent version of Apache, so it would be possible not to point to cert.pem, but to fullchain.pem.

To keep things simple (not to confuse you further with difficult things), I would recommend the next steps:

sudo ln -sf /etc/letsencrypt/live/monpetitchouphotography.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo ln -sf /etc/letsencrypt/live/monpetitchouphotography.com/privkey.pem /opt/bitnami/apache2/conf/server.key

In stead of copying, which would require manually repeat that step every renewal, it just symlinks the paths to each other.

Next, try the following for renewal (won’t do anything now because you renewed recently):

./certbot-auto renew --post-hook "sudo /opt/bitnami/ctlscript.sh restart apache"

#5

Thank you so much. The symlinks worked and it also resolved an error that gtmetrix.com was giving me, so that works now as well! Much appreciate the time you’ve taken to help me out and your patience. Oh, AND https://www.ssllabs.com/ssltest now also gives me an A.


GTmetrix scan error on HTTPS
#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.