Certificate generated on the cloud server was not the same as the one in the browser

My domain : hn.redclay.cn
Server : CentOS 7
Web Server: nginx
Update method : docker

My domain's certificate was overdue, so I wanted to renew it. The following is the procedure I executed:
1. Stop Nginx (close ports 80 and 443)

2. Revoke the certificate
Executed command:

docker run -i --rm -p 80:80 -p 443:443 \
    -v /etc/letsencrypt:/etc/letsencrypt -v /usr/backup/letsencrypt_log:/var/log/letsencrypt/ \
    certbot/certbot revoke  --cert-path /etc/letsencrypt/live/hn.redclay.cn/cert.pem \
    --standalone

3. Create the certificate
Executed command:

docker run -i --rm -p 80:80 -p 443:443 \
    -v /etc/letsencrypt:/etc/letsencrypt -v /usr/backup/letsencrypt_log:/var/log/letsencrypt/\
    certbot/certbot auth \
    --standalone -m wuxiaotao@media-plus.cn --agree-tos \
    -d hn.redclay.cn

Command output:

Requesting a certificate for hn.redclay.cn

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/hn.redclay.cn/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/hn.redclay.cn/privkey.pem
This certificate expires on 2023-11-26.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4. Download the certificate (file name "cert.pem") from the cloud server

magicode@MagicodedeMacBook-Pro-4 ~ % openssl x509 -in /Users/magicode/Downloads/letsencrypt./hn.redclay.cn/cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:97:1c:d6:45:48:d0:f4:a5:6b:cf:27:27:4b:8c:0a:ff:75
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Aug 28 03:44:07 2023 GMT
            Not After : Nov 26 03:44:06 2023 GMT
        Subject: CN=hn.redclay.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                88:60:63:EF:64:29:5F:65:A5:D5:DA:46:5F:D8:3D:29:1C:5E:9D:D9
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:hn.redclay.cn
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1


5. Export the domain's certificate from the browser

magicode@MagicodedeMacBook-Pro-4 ~ % openssl x509 -inform der -in /Users/magicode/Downloads/hn.redclay.cn.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:c9:41:95:a5:d2:fb:d0:f3:20:f8:c0:48:d6:97:23:13:c1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: May 27 05:33:46 2023 GMT
            Not After : Aug 25 05:33:45 2023 GMT
        Subject: CN=hn.redclay.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                AB:16:0A:3E:D1:47:53:73:DA:26:E7:A4:D4:71:12:AB:B3:4A:88:01
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:hn.redclay.cn
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org


  1. Why was the newly generated certificate not the same as the one in the browser?
  2. Why was the certificate generated successfully on the cloud server if there was some problem?
  3. How can I find my domain's certificate in Let's Encrypt?
  4. And how can I renew the certificate successfully?

Thanks!

1 Like

You should have an automated process in place to do this, not executing a manual renewal whenever you see your cert has expired.

Never revoke a certificate.

Because you never told your server software to use the new certificate.

You already have. Now you have to tell your server software to use the new certificate. Since you haven't given us any information about what that software is, there isn't much we can tell you on that score.

5 Likes

Thanks for your reply, that is the point.

I forgot to change the nginx config file with the SSL cert config.

When I add the SSL cert config to the nginx config file, it works.

1 Like
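
A way to confirm the diagnosis reached in this thread, as an added example that is not part of the original posts: compare the SHA-256 fingerprint of the certificate certbot saved on disk (PEM) with the one the web server actually presents (DER, as exported from a browser). The function names and the sample certificates (self-signed, generated locally) are constructed for illustration.

```shell
# Added example: detect a server still presenting an old certificate after renewal.
# Function names and sample files are hypothetical, not taken from the thread.

# SHA-256 fingerprint of a certificate; $2 is the encoding (pem or der).
cert_fp() {
    openssl x509 -in "$1" -inform "${2:-pem}" -noout -fingerprint -sha256 | cut -d= -f2
}

# One-line summary: serial number and expiry date.
cert_summary() {
    openssl x509 -in "$1" -inform "${2:-pem}" -noout -serial -enddate | paste -sd' ' -
}

# Compare the certificate on disk (PEM) with the one the server presented
# (DER by default). Echoes MATCH, STALE or STALE_EXPIRED on stdout.
compare_certs() {
    local disk="$1" served="$2" served_form="${3:-der}"
    echo "on disk: $(cert_summary "$disk" pem)" >&2
    echo "served : $(cert_summary "$served" "$served_form")" >&2
    if [ "$(cert_fp "$disk" pem)" = "$(cert_fp "$served" "$served_form")" ]; then
        echo MATCH
    elif openssl x509 -in "$served" -inform "$served_form" -noout -checkend 0 >/dev/null; then
        echo STALE            # server presents a different, still-valid certificate
    else
        echo STALE_EXPIRED    # server presents a different certificate that has expired
    fi
}

# Constructed sample data: two unrelated self-signed certificates standing in for
# the renewed certificate on disk and the older one the web server still serves.
make_samples() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 90 \
        -keyout "$dir/new.key" -out "$dir/new.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 30 \
        -keyout "$dir/old.key" -out "$dir/old.pem" 2>/dev/null
    openssl x509 -in "$dir/old.pem" -outform der -out "$dir/served_old.cer"
    openssl x509 -in "$dir/new.pem" -outform der -out "$dir/served_new.cer"
}
```

A STALE or STALE_EXPIRED result means the web server configuration still points at different certificate files, or the server has not been reloaded since the new files were written. On the server itself, the presented certificate can be captured without a browser via `openssl s_client -connect <host>:443 -servername <host>` piped into `openssl x509`.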
