Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:micromules.com
I ran this command: certbot certonly
It produced this output:
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/micromules.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/micromules.com/privkey.pem
Your cert will expire on 2018-10-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again.
TIMESTAMP LOOKS LIKE ITS UPDATED
[root@buongiorno micromules.com]# ls -l /etc/letsencrypt/live/micromules.com/fullchain.pem
lrwxrwxrwx 1 root root 48 Dec 13 15:32 /etc/letsencrypt/live/micromules.com/fullchain.pem -> …/…/archive/micromules.com-0001/fullchain1.pem
BUT ITS OLD CERT:
[root@buongiorno micromules.com]# openssl x509 -in /etc/letsencrypt/live/micromules.com/fullchain.pem -text -noout | grep GMT
Not Before: Jul 6 14:45:05 2018 GMT
Not After : Oct 4 14:45:05 2018 GMT
Timestamp : Jul 6 15:45:05.250 2018 GMT
Timestamp : Jul 6 15:45:05.450 2018 GMT
[root@buongiorno micromules.com]# date
Thu 13 Dec 15:33:59 GMT 2018
[root@buongiorno micromules.com]#
RAN “certbot certificates”
Found the following certs:
Certificate Name: micromules.com
Domains: micromules.com
Expiry Date: 2018-10-04 14:45:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/micromules.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/micromules.com/privkey.pem
My web server is (include version): apache 2.4.6
The operating system my web server runs on is (include version): Centos 7
My hosting provider, if applicable, is: myself
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
That's a symlink to the wrong directory. The new certificate should have been -- and probably was -- saved in /etc/letsencrypt/archive/micromules.com/. But since the symlink is wrong, Certbot wasn't able to update it to point to the new files.
Can you post "sudo ls -alR /etc/letsencrypt/{archive,live,renewal}/"?
There's a known problem where if you change the targets of links in /etc/letsencrypt/live, or selectively delete files in /etc/letsencrypt, you can get repeated renewals but not have the updates seem to take effect because they're not written to the expected place. We have README files there encouraging people not to try to reorganize those directories because of assumptions that Certbot makes about their structure. I suspect that's the problem here, so the ls command that you asked for should help to confirm what's going on.
I think we need to make Certbot more proactive about detecting this situation and explaining to the user that renewals are broken due to a corrupted /etc/letsencrypt structure. It should be possible for Certbot to detect many of the failure modes.
Thanks for all of you help, I’ve now found the updated certificate and altered the httpd.conf to point to it
/etc/letsencrypt/archive/micromules.com/fullchain2.pem
/etc/letsencrypt/archive/micromules.com/privkey2.pem
Here is the output of ls -alR /etc/letsencrypt/{archive,live,renewal}/ as requested earlier. Thanks
