Created a new certificate instead of renewing

I misread the documentation about renewing and created a new certificate using certbot instead of renewing it. The challenge is completed and certbot says that the certificate is valid. But when I look at my site, it still says the certificate is expired.

When I read the FAQs, I got to understand that the window period is 30 days. But even after 30 days, I could not see the updated certificate. What should be done to overcome this? Any help would be much appreciated.

Hi @subavicky and welcome to the LE community forum.

Here, read this topic:

https://community.letsencrypt.org/t/remember-to-reload-your-webserver-after-renewing-your-certificates/144345

Actually just reading the TOPIC TITLE might be enough of a clue to help resolve your problem.

If that doesn't fix it, then you may need to provide more specific information to allow us to help you better:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

I've restarted it also. But no success.

I didn't renew but created a new certificate. Would that cause any problem? I used certbot to create the certificate.

Instead of giving certbot renew, I gave certbot certonly

You should read through the documentation: User Guide — Certbot 1.11.0.dev0 documentation (eff.org)

certonly will only obtain a cert.
It will not install it anywhere.

Hi @subavicky

There is no server-side difference between a renewal and a new certificate.

A new order is created and executed.

Renew is a client-side thing, so the older parameters are saved and re-used.

All answers of the template @rg305 has shared are required if you want help.

2 Likes

I understand. So both renew and create are the same with certbot.

Please find the answers below.

OK let's start by confirming that info with:
certbot certificates
[which will show us all the certs, their domain, and the expiration date on each]

Following is the output,

OCSP check failed for /etc/letsencrypt/live/blenilms.eastus2.cloudapp.azure.com/cert.pem (are we offline?)


Certificate Name: blenilms.eastus2.cloudapp.azure.com
Domains: blenilms.eastus2.cloudapp.azure.com
Expiry Date: 2021-05-04 06:00:23+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/blenilms.eastus2.cloudapp.azure.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/blenilms.eastus2.cloudapp.azure.com/privkey.pem

So you have a new certificate. + an Apache.

What does this say:

apachectl -S

1 Like

This is what I get with apachectl -S

VirtualHost configuration:
*:8080 localhost (/etc/apache2/vhosts.d/app.conf:21)
*:8443 localhost (/etc/apache2/vhosts.d/app.conf:30)
ServerRoot: "/srv/www"
Main DocumentRoot: "/docroot/"
Main ErrorLog: "/var/log/apache2/error_log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/var/run/httpd.pid"
Define: SYSCONFIG
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: SSL
User: name="wwwrun" id=498
Group: name="www" id=486

Does this failure have any significance?

Not with your current problem.
Answer the questions asked of you and we will get through this a lot quicker.

I've already given the response

Why isn't there a port 80?

That's required so that Certbot has a template to install the certificate.

Create one, then apachectl -S again, if ok, then certbot --reinstall.

Are you on the right server?
Please show:
curl -4 ifconfig.co

Do you have any special/irregular NATing?
[like: ext 80 > int 8080 & ext 443 > int 8443]

It is running inside a Kubernetes cluster where the 80:8080 port forwarding is done.

Also, certbot is not installed on the server where the website is hosted. certbot is installed on a different machine.

Where does this have to be executed? On my web server or on the machine where certbot is installed?

This is information required in your first post.

And if you have such a complicated setup, you know how to install a certificate created on a different machine.

If you don't know, use a much simpler setup.

Did you document how you got the cert and how you used the cert (last time)?
This is not the first renewal for this cert:
crt.sh | blenilms.eastus2.cloudapp.azure.com
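
The situation in this thread (certificate issued on one machine, site served from another) comes down to whether the leaf the server presents is the leaf certbot wrote to fullchain.pem. The following is an added example, not part of the original posts or of Certbot; the function names are hypothetical and the sample certificates are constructed stand-in bytes, not real certificates:

```python
import hashlib
import re
import ssl

# Matches one PEM certificate block; fullchain.pem holds several, leaf first.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 (hex) of the first certificate in a PEM file or bundle."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def fetch_served_pem(host, port=443):
    """Leaf certificate the server presents, fetched without validation,
    so an expired certificate is still returned for comparison."""
    return ssl.get_server_certificate((host, port))


def deployment_status(issued_pem, served_pem):
    """'deployed' if the server presents the issued leaf, else 'stale'."""
    if leaf_fingerprint(issued_pem) == leaf_fingerprint(served_pem):
        return "deployed"
    return "stale"


def constructed_pem(label):
    # Stand-in bytes wrapped as PEM: a constructed sample, not a real cert.
    return ssl.DER_cert_to_PEM_cert(label)


if __name__ == "__main__":
    old_leaf = constructed_pem(b"constructed-expired-leaf")
    new_leaf = constructed_pem(b"constructed-new-leaf")
    fullchain = new_leaf + constructed_pem(b"constructed-intermediate")
    print(deployment_status(fullchain, old_leaf))  # server still on old cert
    print(deployment_status(fullchain, new_leaf))  # new cert copied, reloaded
```

On a live system, pass the contents of fullchain.pem from the machine where certbot ran as `issued_pem` and the result of `fetch_served_pem()` for the public hostname as `served_pem`; a "stale" result means the new files never reached the web server or it was not reloaded after they did.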