Certificate renewal was successful but old date still appears on website and certificate checkers

rahmanafzal861 · March 19, 2019, 8:15am

Hi Dear,

I was renewing my certificate and ran below mentioned command which is successfully showing me the your certificate is renewed and showing the latest date but browser is still showing the old date, please have a look on logs.

logs:
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
2019-03-19 06:46:56,519:DEBUG:certbot.storage:Archive directory /etc/letsencrypt/archive/dealer.easyload.it-0001 and live directory /etc/letsencrypt/live/dealer.easyload.it-0001 created.
2019-03-19 06:46:56,519:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/live/dealer.easyload.it-0001/cert.pem.
2019-03-19 06:46:56,520:DEBUG:certbot.storage:Writing private key to /etc/letsencrypt/live/dealer.easyload.it-0001/privkey.pem.
2019-03-19 06:46:56,520:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/live/dealer.easyload.it-0001/chain.pem.
2019-03-19 06:46:56,520:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/live/dealer.easyload.it-0001/fullchain.pem.
2019-03-19 06:46:56,520:DEBUG:certbot.storage:Writing README to /etc/letsencrypt/live/dealer.easyload.it-0001/README.
2019-03-19 06:46:57,982:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/dealer.easyload.it-0001.conf.
2019-03-19 06:46:57,983:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/dealer.easyload.it-0001/fullchain.pem. Your cert will expire on 2019-06-17. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run “certbot renew”
2019-03-19 06:46:57,984:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

My domain is:dealer.easyload.it

I ran this command: certbot certonly --standalone -d dealer.easyload.it

My web server is (include version): tomcate8

The operating system my web server runs on is (include version): Debian GNU/Linux 8 (jessie)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.10.2

Remember one thing last time i was able to renew the certificate without any issue.

Regards,
Rahman

JuergenAuer · March 19, 2019, 8:24am

Hi @rahmanafzal861

you have created a new certificate

But you don't use it ( https://check-your-website.server-daten.de/?q=dealer.easyload.it ):

CN=dealer.easyload.it
	03.01.2019
	03.04.2019
expires in 15 days	bbtelws.ringmi.it, dealer.easyload.it - 2 entries

Your non www version use that certificate.

But your www version has ipv4 and ipv6:

Host	T	IP-Address	is auth.	∑ Queries	∑ Timeout
dealer.easyload.it	A	46.165.242.8	yes	1	0
	AAAA		yes
www.dealer.easyload.it	A	46.30.213.99	yes	1	0
	AAAA	2a02:2350:5:101:d8c0:0:5b66:8339	yes

Both www versions use a wrong wildcard certificate:

CN=*.easyload.it
	15.03.2019
	13.06.2019
expires in 86 days	*.easyload.it, easyload.it - 2 entries

That certificate doesn't work with www.dealer.easyload.it, it would work with dealer.easyload.it.

If you use Tomcat, there are additional steps required that your server can use that certificate.

rahmanafzal861 · March 19, 2019, 9:12am

thanks for the response, any work around solution to solve this issue ?

JuergenAuer · March 19, 2019, 9:15am

Create one certificate with both domain names (www and non-www) and use that.

Perhaps your vHost is wrong, a missing ServerAlias (the www-version), so the default vHost is used.

rahmanafzal861 · March 19, 2019, 9:23am

Hi,

dry-run output is as below,

root@localhost:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/dealer.easyload.it-0001.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dealer.easyload.it
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem

Processing /etc/letsencrypt/renewal/dealer.easyload.it.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dealer.easyload.it
http-01 challenge for bbtelws.ringmi.it
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0013_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0013_csr-certbot.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/dealer.easyload.it-0001/fullchain.pem (success)
/etc/letsencrypt/live/dealer.easyload.it/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

Is this below mentioned command will solve my issue.

sudo certbot renew

Regards,
Rahman

system · April 18, 2019, 9:24am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.