Certificate renewed but didn't update on server website

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.alliedvaughndam.com

I ran this command:
Ran sudo certbot renew and the certificate renewed and is valid until September 6th. Just did sudo certbot certificate status and got the below message

Found the following matching certs:
Certificate Name: mail.alliedvaughndam.com-0001
Domains: mail.alliedvaughndam.com
Expiry Date: 2024-09-06 11:37:24+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.alliedvaughndam.com-0001/fullch ain.pem
Private Key Path: /etc/letsencrypt/live/mail.alliedvaughndam.com-0001/privke y.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/mail.alliedvaughndam.com.conf

It produced this output:
Congratulations the certificate has been renewed.
My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 20.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

This is what I see when I verify the certificate was updated on the website:

How can I resolve this problem before the old certificate expires on June 27th? Any help would be greatly appreciated.

Thank You,
Lindsay

Welcome @lkarlin
You have two Certbot cert profiles for what may be the same domain name.

Your Apache probably refers to the cert files in the .../live/...com.conf folder rather than the one that was just renewed .../live/...com-0001.conf

There are a couple ways to "fix" this. Can you start by showing us the two renewal profiles from the /etc/letsencrypt/renewal folder.

And, the Apache VirtualHost for port 443 for this domain. Ideally with 3 backticks around the info so this forum does not remove certain tags due to formatting. Like:
```
apache VirtualHost lines
```

mail.alliedvaughndam.com-0001.conf

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/mail.alliedvaughndam.com-0001
cert = /etc/letsencrypt/live/mail.alliedvaughndam.com-0001/cert.pem
privkey = /etc/letsencrypt/live/mail.alliedvaughndam.com-0001/privkey.pem
chain = /etc/letsencrypt/live/mail.alliedvaughndam.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/mail.alliedvaughndam.com-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = adeea830861059efbfd8c82787b6ef15
rsa_key_size = 4096
pref_challs = http-01,
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

mail.alliedvaughndam.com.conf

renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/mail.alliedvaughndam.com
cert = /etc/letsencrypt/live/mail.alliedvaughndam.com/cert.pem
privkey = /etc/letsencrypt/live/mail.alliedvaughndam.com/privkey.pem
chain = /etc/letsencrypt/live/mail.alliedvaughndam.com/chain.pem
fullchain = /etc/letsencrypt/live/mail.alliedvaughndam.com/fullchain.pem

Where do I find the apache virtual host file? I did a quick search online and found the file should be located in

etc/apache2/sites-available but which file is it?

illkarl@mail:/etc/apache2/sites-available$ ls
000-default.conf            000-default.confmm221121  default-ssl.conf         default-ssl.conf.190410     default-ssl.conf.orig  postfixadmin.conf.190510
000-default.conf.dpkg-dist  000-default.conf.orig     default-ssl.conf.190321  default-ssl.conf.dpkg-dist  postfixadmin.conf      roundcube.conf

By the way, this is our backup mail server. We also get a certificate through LetsEncrypt certbot for our primary mail server and I had no issue renewing that certificate and automatically updating on our webmail website.

Thanks,
Lindsay

Let's take a step back ...

You say this is your backup mail server. Does the public DNS for mail.alliedvaughndam.com point to the IP for this backup server?

Was that the entire contents of .../renewal/mail.alliedvaughndam.com.conf ? Because a key section was missing.

Also show result of this. It will show active Apache conf files

sudo apache2ctl -t -D DUMP_VHOSTS

By the way Certbot 0.40 is very old. Your Ubuntu should easily support the recommended snap install for Certbot which is now at v2.11. This probably isn't causing these problems but there have been numerous improvements since 0.40. Follow the install instructions from here

Here is the information that came up for the command I ran:

VirtualHost configuration:
*:443 mail.alliedvaughndam.com (/etc/apache2/sites-enabled/defa ult-ssl.conf:2)
*:80 is a NameVirtualHost
default server mail.alliedvaughndam.com (/etc/apache2/sites-enabled/000 -default.conf:1)
port 80 namevhost mail.alliedvaughndam.com (/etc/apache2/sites-enabled/ 000-default.conf:1)
port 80 namevhost mail.alliedvaughndam.com (/etc/apache2/sites-enabled/ postfixadmin.conf:1)
port 80 namevhost mail.alliedvaughndam.com (/etc/apache2/sites-enabled/ roundcube.conf:1)

Yes the DNS does point to the backup server. I'm not sure what could have change because this is the first time I had an issue renewing the certificate and updating on the server website. Normally when I renew the certificate for both servers it renews successfully and updates automatically on the websites. This is the first time I have run into an issue like this.

Thanks,
Lindsay

And what about contents of above?

The renewal that worked this time used the --standalone method. That requires exclusive use of port 80. Yet, I see you have Apache configured to use port 80 also.

Did you stop Apache before doing the renewal?

Also please show contents of below as I described earlier (w/3 backticks)

/etc/apache2/sites-enabled/default-ssl.conf

There is also 3 different VirtualHost definitions with the same domain name. Apache does not issue an error for that but it won't give correct results. We will come back to this problem later.

Your mail domain is now using your latest cert so looks like you found the problem. But, you should review your cert config in Apache. Had you followed up with my earlier info requests I could say specifically what you need to change. But, I can make a good guess.

You can see from the SSL Checker site (link here) that you send your "leaf" certificate twice. A common reason is people use the wrong technique for the Apache cert files.

You probably do something like this

SSLCertificateFile    /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

But, the "cert.pem" is already included in the "fullchain.pem" so Apache ends up sending it twice.

With Apache 2.4.8 or later you omit the ChainFile line and just use

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

If your Apache is older than 2.4.8 you should make a plan to update Apache and in the meantime use chain.pem in the ChainFile line instead of fullchain.pem

Yes this is resolved. Thank you for all your help. Really appreciated.

Thanks,
Lindsay

Okay good. Your chain still isn't quite correct. The extra leaf cert may not cause any problems but it is hard to know how every possible TLS client will react.

You should review my last post about the chain.

These are two SSL checkers and both report the same problem

https://www.ssllabs.com/ssltest/analyze.html?d=mail.alliedvaughndam.com&hideResults=on&latest

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.