Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: choclairs.com
I ran this command: sudo certbot --force-renewal -d choclairs.com && sudo certbot certificates
It produced this output:
Found the following certs:
Certificate Name: choclairs.com
Domains: choclairs.com
Expiry Date: 2022-08-28 13:35:57+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/choclairs.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/choclairs.com/privkey.pem
My web server is (include version): apache2
The operating system my web server runs on is (include version): Ubuntu 20.04.3 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0
Sammy21:
--force-renewal
Please don't use that option, especially if you don't know what it does or if you don't know when to use it.
Now you've issued 5 certificates yesterday and you're rate limited. You've managed to waste Let's Encrypt resources in doing so. Please don't do that.
Have you reloaded your webserver?
Thank you, I will not use that option in the future.
I didn't use --force-renewal initially; I used this option last.
The command I ran in the first attempt at renewal was: sudo certbot renew --apache -d choclairs.com
Yes, I reloaded the webserver, but no luck in loading the renewed certificate.
That was unnecessary, as the certbot certificates output would have already proven successful renewal. To force that again and again wouldn't change anything, so why do it?
Could you please share the output of the following command:
sudo apachectl -t -D DUMP_VHOSTS
rg305
May 31, 2022, 5:12pm
Also, unless you have managed to also delete those five certs, you should still have them (or, at least, still have the last one issued).
Please also show the output of:
certbot certificates
ubuntu@ip-XX-XX-XX-XXX:~$ sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 choclairs.com (/etc/apache2/sites-enabled/choclairs-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server ip-XX-XX-XX-XXX.ap-south-1.compute.internal (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost ip-XX-XX-XX-XXX.ap-south-1.compute.internal (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost choclairs.com (/etc/apache2/sites-enabled/choclairs.conf:1)
alias www.choclairs.com
No, I didn't delete the newly issued certificates.
ubuntu@ip-XX-XX-XX-XX:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: choclairs.com
Domains: choclairs.com
Expiry Date: 2022-08-28 13:35:57+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/choclairs.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/choclairs.com/privkey.pem
rg305
May 31, 2022, 5:20pm
Just noticed:
Two names:
One name:
Also, one name:
Do you need to cover both names?
rg305
May 31, 2022, 5:22pm
Also noticed four different IPs:
Name: choclairs.com
Addresses: 13.248.193.178
76.223.8.95
Name: www.choclairs.com
Addresses: 2a05:d018:642:4300::a
54.154.35.170
No, initially we thought of covering both www & non-www.
The certs only cover non-www and were generated for: choclairs.com
www.choclairs.com is mentioned as a ServerAlias in the Apache conf.
rg305
May 31, 2022, 5:26pm
OK, even for the single/base name, I see two IPs:
Are both IPs reaching the same server?
Yes, both reach the same server.
rg305
May 31, 2022, 5:30pm
Please show:
ps -ef | grep -i apache | grep -v grep
ubuntu@ip-XX-XX-XX-XX:~$ ps -ef | grep -i apache | grep -v grep
root 565248 1 0 17:02 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 565249 565248 0 17:02 ? 00:00:09 /usr/sbin/apache2 -k start
www-data 565250 565248 0 17:02 ? 00:00:07 /usr/sbin/apache2 -k start
rg305
May 31, 2022, 5:38pm
That output looks correct.
Please show this file:
/etc/apache2/sites-enabled/choclairs-le-ssl.conf -
<VirtualHost *:443>
ServerName choclairs.com
ServerAlias www.choclairs.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/choclairs.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/choclairs.com/privkey.pem
</VirtualHost>
Osiris
May 31, 2022, 5:57pm
What command did you use to reload Apache? And what was the output?
Hey guys,
Thank you for the time and effort you have all dedicated to understanding the root cause of the issue and providing a suitable solution.
I have found the issue. Our architecture is deployed in AWS and designed as: Web Traffic -> Global Accelerator -> Load Balancer -> WebServer
The previously issued SSL certificate (which expired) was imported into AWS ACM, and traffic is routed through the Load Balancer's HTTPS listener using the imported ACM cert.
We assumed that we had changed the architecture and deactivated SSL usage via the Load Balancer & ACM, but unfortunately we hadn't, which created total confusion.
Now we have re-imported the updated (renewed) certificate, and the browser has started loading the new certificate with the updated validity.
Apologies for the inconvenience.
Thank you.
Cheers!
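The root cause above (a renewed cert on disk, but a load balancer in front of Apache still presenting its own older copy) can be told apart from "Apache was never reloaded" without guessing. The script below is an added example, not posted by anyone in this thread: it fingerprints the certificate certbot wrote to disk, the certificate Apache itself presents on 127.0.0.1:443 (with SNI set to the domain), and the certificate presented at the public name, then gives a verdict. It assumes openssl is installed and uses the thread's domain and lineage path as defaults; the verdict logic is kept in its own function so it can be exercised with fingerprint strings and no network.

```shell
#!/bin/sh
# Added example (not from the thread): distinguish "Apache still serves the old
# cert" from "something in front of Apache terminates TLS with its own copy".
# Assumes: openssl on PATH; DOMAIN/LINEAGE default to the thread's values.
set -eu

DOMAIN="${DOMAIN:-choclairs.com}"
LINEAGE="${LINEAGE:-/etc/letsencrypt/live/$DOMAIN}"

# Lowercase, colon-free SHA-256 fingerprint of the first cert in a PEM stream.
fp_of_pem_stream() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate certbot wrote to disk.
disk_fingerprint() {
    fp_of_pem_stream < "$1"
}

# Fingerprint of the leaf presented by host:port when the SNI name is $DOMAIN.
# Pointing this at 127.0.0.1:443 asks Apache directly, bypassing any load
# balancer or accelerator; pointing it at "$DOMAIN:443" asks the public edge.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1" -servername "$DOMAIN" 2>/dev/null \
        | fp_of_pem_stream
}

# Pure verdict on (disk, origin, edge) fingerprints; testable without network.
#   apache-not-reloaded    : disk cert newer than what Apache serves -> reload/restart Apache
#   tls-terminated-upstream: Apache is right, but the edge presents a different cert
#                            (the ALB/ACM situation in this thread) -> update that copy
#   ok                     : all three agree
diagnose() {
    disk="$1"; origin="$2"; edge="$3"
    if [ "$disk" != "$origin" ]; then
        echo "apache-not-reloaded"
    elif [ "$origin" != "$edge" ]; then
        echo "tls-terminated-upstream"
    else
        echo "ok"
    fi
}

# Only run the live checks when invoked as: sh cert-check.sh run
case "${1:-}" in
run)
    disk=$(disk_fingerprint "$LINEAGE/cert.pem")
    origin=$(served_fingerprint 127.0.0.1:443)
    edge=$(served_fingerprint "$DOMAIN:443")
    printf 'disk    %s\norigin  %s\nedge    %s\nverdict %s\n' \
        "$disk" "$origin" "$edge" "$(diagnose "$disk" "$origin" "$edge")"
    ;;
esac
```

If the verdict is tls-terminated-upstream, `certbot certificates` and a local reload will never change what browsers see; the copy held by whatever terminates TLS at the edge has to be replaced.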
Osiris
May 31, 2022, 7:16pm
Can you perhaps script that updating process? If so you could have that script run as a --deploy-hook in Certbot.
sudo systemctl reload apache2