Delete and new certificate procedure

I had some expired domains (not certbot, but not paying the registration fee), so when I got intermittent errors or warnings after a certbot renew, I deleted all my previous certificates with certbot delete and then created new ones with certbot certonly at the webroot. I created/entered cfr.pub,www.cfr.pub on the prompt.

https://cfr.pub/ is just one example. (Output below.) Remarkably, https://www.cfr.pub is not complaining, but https://cfr.pub is.

Safari tells me that X "www.cfr.pub" certificate name does not match input. It doesn't seem to be the right certificate any longer, either, because my new certificate expires 12/29, but this one tells me 12/17. Presumably, this is the pre-deletion certificate.

certbot output is below.

Questions:

[1] Can I ask the certbot CLI client to check whether the new certificate has replaced the old certificate? Or to make sure that all traces of my 12/17 certificates are eradicated, at least on the letsencrypt trusted authority?

[2] Can I ask certbot to check essentially how a web browser would ascertain that everything is ok? Something like # certbot check https://www.cfr.pub ? I could run this on my client linux computer, too, not just on the server itself.

[3] Do I need to update the DNS TXT record now? Is there something else I need to do? Should I expect results to be instant, or does it take a few hours to percolate around the web? Or, could the browser be confused and require some sort of refresh now to update my web certificate?

[4] apt on ubuntu 22.04.3 tells me that 1.21.0 is the latest client. Is this the one I should be using?

Advice very much appreciated.

regards,

/iaw


My domain is: cfr.pub

I ran this command:

# certbot certificates

It produced this output:

Certificate Name: cfr.pub
Serial Number: 39...[deleted]...46e
Key Type: RSA
Domains: cfr.pub www.cfr.pub
Expiry Date: 2023-12-29 19:08:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/cfr.pub/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cfr.pub/privkey.pem

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 22.04.3 LTS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

certbot certificates

echo | openssl s_client -connect example.com:443

Are you using dns-01? Have you reloaded your webserver?

You could use snap if you want a newer version, but if it ain't broken...

4 Likes
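The check suggested in the reply above, as an added example that is not part of the original posts: it compares the leaf certificate on disk with the one each hostname actually serves, so a server still presenting an old certificate shows up as STALE. The function names and the MATCH/STALE/UNREACHABLE labels are assumptions made here; the path and hostnames in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: is the web server serving the certificate certbot wrote to disk?

# SHA-256 fingerprint of the leaf (first) certificate in a PEM file.
disk_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate presented for a hostname.
# -servername sends SNI, so each name is checked against its own server block.
served_fp() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# verdict <disk fingerprint> <served fingerprint>
verdict() {
    if [ -z "$2" ]; then
        echo UNREACHABLE      # no certificate could be fetched
    elif [ "$1" = "$2" ]; then
        echo MATCH            # server presents the certificate on disk
    else
        echo STALE            # server presents a different certificate
    fi
}

# check_hosts <fullchain.pem> <host>...
# Returns 0 only if every host serves the on-disk certificate.
check_hosts() {
    pem=$1; shift
    want=$(disk_fp "$pem")
    [ -n "$want" ] || { echo "cannot read $pem" >&2; return 2; }
    rc=0
    for host in "$@"; do
        v=$(verdict "$want" "$(served_fp "$host")")
        printf '%-12s %s\n' "$v" "$host"
        [ "$v" = MATCH ] || rc=1
    done
    return $rc
}

# Runs only when arguments are given, for example:
#   sh check.sh /etc/letsencrypt/live/cfr.pub/fullchain.pem cfr.pub www.cfr.pub
if [ "$#" -ge 2 ]; then check_hosts "$@"; fi
```

Run it on the server as root, since the files under /etc/letsencrypt/live/ are not world-readable.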

Thank you very much. The critical error I made was not to restart the webserver. nginx does not reload the /etc/letsencrypt/live/ certificates.

On reboot, nginx did not restart, but once I looked at systemctl status nginx on a terminal that was 300 characters wide, nginx gave a great configuration error, pointing me to the letsencrypt /live/ files having been changed.

So, I also had to fix them in the /etc/nginx/sites-enabled/* configuration files, because I had renamed the certificates. But now everything is fine. 9peppe --- mille grazie to you.

The macOS utility brew has a very, very nice feature: brew doctor, which checks all sorts of problems.

1 Like

Did you rename stuff in /etc/letsencrypt or did you just get new certificates with another name?

Don't rename stuff in that directory. It will break certbot.

4 Likes

You can force the name to be used with "--cert-name".
Like:
certbot certonly --cert-name MyCertName -d cfr.pub -d www.cfr.pub

3 Likes

I just edited the /etc/nginx/sites-enabled/ files, and everything worked like a charm...

Thanks everyone.

2 Likes
