Certificate renews with old certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: micromules.com

I ran this command: certbot certonly

It produced this output:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/micromules.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/micromules.com/privkey.pem
    Your cert will expire on 2018-10-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again.

TIMESTAMP LOOKS LIKE IT'S UPDATED
[root@buongiorno micromules.com]# ls -l /etc/letsencrypt/live/micromules.com/fullchain.pem
lrwxrwxrwx 1 root root 48 Dec 13 15:32 /etc/letsencrypt/live/micromules.com/fullchain.pem -> ../../archive/micromules.com-0001/fullchain1.pem

BUT IT'S THE OLD CERT:
[root@buongiorno micromules.com]# openssl x509 -in /etc/letsencrypt/live/micromules.com/fullchain.pem -text -noout | grep GMT
Not Before: Jul 6 14:45:05 2018 GMT
Not After : Oct 4 14:45:05 2018 GMT
Timestamp : Jul 6 15:45:05.250 2018 GMT
Timestamp : Jul 6 15:45:05.450 2018 GMT
[root@buongiorno micromules.com]# date
Thu 13 Dec 15:33:59 GMT 2018
[root@buongiorno micromules.com]#

RAN “certbot certificates”
Found the following certs:
Certificate Name: micromules.com
Domains: micromules.com
Expiry Date: 2018-10-04 14:45:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/micromules.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/micromules.com/privkey.pem

My web server is (include version): apache 2.4.6

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Certonly will only get the cert - and nothing else.
Instead try:
certbot renew

then verify it with:
certbot certificates

and then whichever method you use to restart your web service.


#3

That’s a symlink to the wrong directory. The new certificate should have been – and probably was – saved in /etc/letsencrypt/archive/micromules.com/. But since the symlink is wrong, Certbot wasn’t able to update it to point to the new files.

Can you post “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}/”?

Edit:

By the way, you have a lot of valid certificates:

https://crt.sh/?Identity=%micromules.com&exclude=expired

(They’re listed twice for technical reasons, but still.)

Do you prefer having a certificate for “micromules.com” or "micromules.com and www.micromules.com"?


#4

There’s a known problem where if you change the targets of links in /etc/letsencrypt/live, or selectively delete files in /etc/letsencrypt, you can get repeated renewals but not have the updates seem to take effect because they’re not written to the expected place. We have README files there encouraging people not to try to reorganize those directories because of assumptions that Certbot makes about their structure. I suspect that’s the problem here, so the ls command that you asked for should help to confirm what’s going on.


#5

I think we need to make Certbot more proactive about detecting this situation and explaining to the user that renewals are broken due to a corrupted /etc/letsencrypt structure. It should be possible for Certbot to detect many of the failure modes.


#6

Thanks for all of your help, I've now found the updated certificate and altered the httpd.conf to point to it:
/etc/letsencrypt/archive/micromules.com/fullchain2.pem
/etc/letsencrypt/archive/micromules.com/privkey2.pem

Here is the output of ls -alR /etc/letsencrypt/{archive,live,renewal}/ as requested earlier. Thanks

[root@buongiorno micromules.com]# ls -alR /etc/letsencrypt/{archive,live,renewal}/
/etc/letsencrypt/archive/:
total 20
drwx------ 5 root root 4096 Sep 17 13:23 .
drwxr-xr-x 9 root root 4096 Dec 13 15:38 ..
drwxr-xr-x 2 root root 4096 Sep 17 13:27 micromules.com
drwxr-xr-x 2 root root 4096 Jul 6 16:45 micromules.com-0001
drwxr-xr-x 2 root root 4096 Dec 3 15:36 wiki.twig.tk

/etc/letsencrypt/archive/micromules.com:
total 40
drwxr-xr-x 2 root root 4096 Sep 17 13:27 .
drwx------ 5 root root 4096 Sep 17 13:23 ..
-rw-r--r-- 1 root root 2179 Apr 6 2018 cert1.pem
-rw-r--r-- 1 root root 1935 Dec 13 15:32 cert2.pem
-rw-r--r-- 1 root root 1647 Apr 6 2018 chain1.pem
-rw-r--r-- 1 root root 1647 Dec 13 15:32 chain2.pem
-rw-r--r-- 1 root root 3826 Apr 6 2018 fullchain1.pem
-rw-r--r-- 1 root root 3582 Dec 13 15:32 fullchain2.pem
-rw-r--r-- 1 root root 1704 Apr 6 2018 privkey1.pem
-rw-r--r-- 1 root root 1704 Dec 13 15:32 privkey2.pem

/etc/letsencrypt/archive/micromules.com-0001:
total 24
drwxr-xr-x 2 root root 4096 Jul 6 16:45 .
drwx------ 5 root root 4096 Sep 17 13:23 ..
-rw-r--r-- 1 root root 2151 Jul 6 16:45 cert1.pem
-rw-r--r-- 1 root root 1647 Jul 6 16:45 chain1.pem
-rw-r--r-- 1 root root 3798 Jul 6 16:45 fullchain1.pem
-rw-r--r-- 1 root root 1704 Jul 6 16:45 privkey1.pem

/etc/letsencrypt/archive/wiki.twig.tk:
total 40
drwxr-xr-x 2 root root 4096 Dec 3 15:36 .
drwx------ 5 root root 4096 Sep 17 13:23 ..
-rw-r--r-- 1 root root 2167 Sep 17 13:23 cert1.pem
-rw-r--r-- 1 root root 1927 Dec 3 15:36 cert2.pem
-rw-r--r-- 1 root root 1647 Sep 17 13:23 chain1.pem
-rw-r--r-- 1 root root 1647 Dec 3 15:36 chain2.pem
-rw-r--r-- 1 root root 3814 Sep 17 13:23 fullchain1.pem
-rw-r--r-- 1 root root 3574 Dec 3 15:36 fullchain2.pem
-rw-r--r-- 1 root root 1708 Sep 17 13:23 privkey1.pem
-rw-r--r-- 1 root root 1704 Dec 3 15:36 privkey2.pem

/etc/letsencrypt/live/:
total 20
drwx------ 5 root root 4096 Sep 17 13:23 .
drwxr-xr-x 9 root root 4096 Dec 13 15:38 ..
drwxr-xr-x 2 root root 4096 Dec 13 15:32 micromules.com
drwxr-xr-x 2 root root 4096 Apr 6 2018 micromules.com.old
drwxr-xr-x 2 root root 4096 Dec 3 15:36 wiki.twig.tk

/etc/letsencrypt/live/micromules.com:
total 12
drwxr-xr-x 2 root root 4096 Dec 13 15:32 .
drwx------ 5 root root 4096 Sep 17 13:23 ..
lrwxrwxrwx 1 root root 43 Dec 13 15:32 cert.pem -> ../../archive/micromules.com-0001/cert1.pem
lrwxrwxrwx 1 root root 44 Dec 13 15:32 chain.pem -> ../../archive/micromules.com-0001/chain1.pem
lrwxrwxrwx 1 root root 48 Dec 13 15:32 fullchain.pem -> ../../archive/micromules.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root 46 Dec 13 15:32 privkey.pem -> ../../archive/micromules.com-0001/privkey1.pem
-rw-r--r-- 1 root root 543 Jul 6 16:45 README
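The check that posts #3 to #5 ask for, written out as an added example (this is editor-supplied code, not part of the thread and not Certbot's own logic). It rebuilds the directory state shown in the listing above in a temporary directory, then verifies that every `live/<name>/*.pem` symlink points into `archive/<name>/` and at the highest-numbered version there. The assumption, labelled in the code, is that the archive directory is the one named after the lineage; real Certbot takes it from `archive_dir` in `renewal/<name>.conf`, which this example does not parse. The `relink` function is one way to repair the layout in place so future `certbot renew` runs land where the web server looks, as an alternative to pointing httpd.conf at `archive/` files directly.

```python
"""Detect, and optionally repair, a Certbot lineage whose live/ symlinks
point at the wrong archive directory or at stale version numbers."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

COMPONENTS = ("cert", "chain", "fullchain", "privkey")
_VERSIONED = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")


def latest_version(archive_dir: Path) -> int:
    """Highest N among <component>N.pem files in an archive directory (0 if none)."""
    versions = []
    for p in archive_dir.iterdir():
        m = _VERSIONED.match(p.name)
        if m:
            versions.append(int(m.group(2)))
    return max(versions, default=0)


def check_lineage(config_dir: Path, name: str) -> List[str]:
    """Return a list of findings for lineage <name>; empty means the layout is
    what Certbot expects: live/<name>/<c>.pem -> ../../archive/<name>/<c>N.pem
    with N the newest version present.

    Assumption (not from the thread): archive/<name>/ is the lineage's archive.
    Certbot itself reads archive_dir from renewal/<name>.conf, not parsed here.
    """
    live = config_dir / "live" / name
    archive = config_dir / "archive" / name
    if not archive.is_dir():
        return [f"archive dir missing: {archive}"]
    newest = latest_version(archive)
    findings = []
    for comp in COMPONENTS:
        link = live / f"{comp}.pem"
        if not link.is_symlink():
            findings.append(f"{link.name}: not a symlink (regular file or missing)")
            continue
        # Resolve the relative target the same way the filesystem does.
        target = (live / os.readlink(link)).resolve()
        if target.parent != archive.resolve():
            findings.append(
                f"{link.name}: points into {target.parent.name}/, expected {name}/")
        m = _VERSIONED.match(target.name)
        version = int(m.group(2)) if m else -1
        if version != newest:
            findings.append(
                f"{link.name}: version {version}, newest in archive is {newest}")
    return findings


def relink(config_dir: Path, name: str) -> int:
    """Point live/<name>/*.pem at the newest files in archive/<name>/, using the
    relative ../../archive/... form seen in the listing. Returns that version."""
    live = config_dir / "live" / name
    archive = config_dir / "archive" / name
    newest = latest_version(archive)
    live.mkdir(parents=True, exist_ok=True)
    for comp in COMPONENTS:
        link = live / f"{comp}.pem"
        if link.is_symlink() or link.exists():
            link.unlink()
        link.symlink_to(Path("..", "..", "archive", name, f"{comp}{newest}.pem"))
    return newest


def build_thread_layout(root: Path) -> None:
    """Constructed reproduction of the state in the ls -alR output: versions 1
    and 2 in archive/micromules.com, version 1 in archive/micromules.com-0001,
    and live/micromules.com linking into the -0001 directory. File contents
    are placeholders, not real certificates or keys."""
    for lineage, versions in {"micromules.com": (1, 2), "micromules.com-0001": (1,)}.items():
        d = root / "archive" / lineage
        d.mkdir(parents=True)
        for v in versions:
            for comp in COMPONENTS:
                (d / f"{comp}{v}.pem").write_text(f"# constructed placeholder {comp}{v}\n")
    live = root / "live" / "micromules.com"
    live.mkdir(parents=True)
    for comp in COMPONENTS:
        (live / f"{comp}.pem").symlink_to(
            Path("..", "..", "archive", "micromules.com-0001", f"{comp}1.pem"))


def demo() -> Tuple[List[str], List[str], int]:
    """Run the check before and after relinking on a throwaway tree."""
    root = Path(tempfile.mkdtemp(prefix="letsencrypt-demo-"))
    build_thread_layout(root)
    before = check_lineage(root, "micromules.com")
    newest = relink(root, "micromules.com")
    after = check_lineage(root, "micromules.com")
    return before, after, newest


if __name__ == "__main__":
    before, after, newest = demo()
    for finding in before:
        print("BROKEN:", finding)
    print(f"relinked to version {newest}; remaining findings: {after or 'none'}")
```

On the thread's layout the check reports eight findings (each of the four links points into `micromules.com-0001/` and at version 1 while version 2 exists in `micromules.com/`); after `relink` it reports none. Run it against a real `/etc/letsencrypt` only with the archive directory confirmed from the renewal config, and restart the web server afterwards as post #2 says.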


#7

This may cause a problem when you renew it.
If so, check the /live/ folder for the newest cert.


#8

Yes, this is just a quick fix, until I actually get to understand the directory structure that letsencrypt uses :)

George

