Discrepancy around certificate expiration date

When I visit the website in the browser, the browser tells me the certificate expired on 2020-10-11. When I run certbot certificates on the server, I'm told the certificate is valid until 2020-12-11. Does anyone know why this happened and how to fix it? Details below. Thanks.

My domain is: wallabag.theadamcooper.com

I ran this command: I visited the site in a browser.

It produced this output: It tells me the certificate expired on 2020-10-11

My web server is (include version): Nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04.5

My hosting provider, if applicable, is: DigitalOcean

I can log in to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

1 Like

I also see your certificate has expired, let's see what we can do about that...

What shows?:
certbot certificates
grep -Ri certificate /etc/nginx/

1 Like

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: theadamcooper.com-0001
Domains: *.theadamcooper.com
Expiry Date: 2020-12-11 07:12:29+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/theadamcooper.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/theadamcooper.com-0001/privkey.pem
Certificate Name: theadamcooper.com
Domains: wallabag.theadamcooper.com subdomain.theadamcooper.com theadamcooper.com
Expiry Date: 2020-11-28 00:21:04+00:00 (VALID: 44 days)
Certificate Path: /etc/letsencrypt/live/theadamcooper.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/theadamcooper.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# grep -Ri certificate /etc/nginx/
/etc/nginx/sites-available/default.bak:# ssl_certificate cert.pem;
/etc/nginx/sites-available/default.bak:# ssl_certificate_key cert.key;
/etc/nginx/snippets/snakeoil.conf:# Self signed certificates generated by the ssl-cert package
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/conf.d/default.conf.bak: ssl_certificate /etc/letsencrypt/live/theadamcooper.com/fullchain.pem;
/etc/nginx/conf.d/default.conf.bak: ssl_certificate_key /etc/letsencrypt/live/theadamcooper.com/privkey.pem;
/etc/nginx/conf.d/default.conf.bak: ssl_certificate /etc/letsencrypt/live/theadamcooper.com-0001/fullchain.pem;
/etc/nginx/conf.d/default.conf.bak: ssl_certificate_key /etc/letsencrypt/live/theadamcooper.com-0001/privkey.pem;
/etc/nginx/conf.d/default.conf.bak: ssl_certificate /etc/letsencrypt/live/theadamcooper.com-0001/fullchain.pem;
/etc/nginx/conf.d/default.conf.bak: ssl_certificate_key /etc/letsencrypt/live/theadamcooper.com-0001/privkey.pem;
/etc/nginx/conf.d/default.conf.bak: ssl_certificate /etc/letsencrypt/live/theadamcooper.com-0001/fullchain.pem;
/etc/nginx/conf.d/default.conf.bak: ssl_certificate_key /etc/letsencrypt/live/theadamcooper.com-0001/privkey.pem;
/etc/nginx/conf.d/default.conf: ssl_certificate /etc/letsencrypt/live/theadamcooper.com/fullchain.pem;
/etc/nginx/conf.d/default.conf: ssl_certificate_key /etc/letsencrypt/live/theadamcooper.com/privkey.pem;
/etc/nginx/conf.d/default.conf: ssl_certificate /etc/letsencrypt/live/theadamcooper.com-0001/fullchain.pem;
/etc/nginx/conf.d/default.conf: ssl_certificate_key /etc/letsencrypt/live/theadamcooper.com-0001/privkey.pem;
/etc/nginx/conf.d/default.conf: ssl_certificate /etc/letsencrypt/live/theadamcooper.com-0001/fullchain.pem;
/etc/nginx/conf.d/default.conf: ssl_certificate_key /etc/letsencrypt/live/theadamcooper.com-0001/privkey.pem;

1 Like

None of the certs maintained by certbot are expired and all of the certs used by nginx are from that path.
Try restarting nginx:
sudo systemctl restart nginx

1 Like

:tada: That did it! Thank you!

2 Likes

So you need to incorporate the restart after each renewal.
This can be done with a --deploy-hook script.
Or a daily/weekly cron job.
Perhaps doing a reload (to be less intrusive) if doing it daily.
sudo systemctl reload nginx

1 Like

Great. Documentation around the deploy hook scripting is a bit thin, so please point me to a doc if you know of one. Otherwise, I will just hack away at it :doughnut: Thanks again!

2 Likes

The script is, well, just a script, like any other executable bash script file.
It can be called directly inline with certbot, something like:
certbot renew --deploy-hook /myscripts/reload.nginx.sh
Or you can make a cron job to call the script, or just go straight to the command:
systemctl reload nginx

I reload my nginx several times a day with cron:
10 1,7,13,19 * * * /bin/systemctl reload nginx.service

2 Likes

You can also just use:

--deploy-hook "sudo systemctl reload nginx"

No need to worry about how often you run the renew since the deployment hook will only be called if a new certificate is actually acquired.

When Certbot detects that a certificate is due for renewal, --pre-hook and --post-hook hooks run before and after each attempt to renew it. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.

2 Likes
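
A deploy hook script of the kind discussed in this thread, as an added example (not code from any poster or from the Certbot project). It assumes certbot runs as root and nginx is managed by systemd; the function names `lineage_in_use` and `deploy` are hypothetical, while `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```bash
#!/bin/sh
# Added example of a certbot deploy hook for nginx (not from the thread).
# Certbot exports RENEWED_LINEAGE to deploy hooks, e.g.
# /etc/letsencrypt/live/example.test (constructed name).

# True if nginx's effective config loads a certificate from lineage dir $1.
# `nginx -T` dumps the config nginx would actually use, so *.bak files and
# commented-out directives are ignored; the trailing "/" keeps
# "example.test" from matching "example.test-0001".
lineage_in_use() {
    nginx -T 2>/dev/null |
        grep -Eq "^[[:space:]]*ssl_certificate[[:space:]]+$1/"
}

# Reload nginx for lineage $1, refusing to reload a config that fails to parse.
deploy() {
    lineage="$1"
    if ! nginx -t >/dev/null 2>&1; then
        echo "error: nginx -t failed, not reloading" >&2
        return 1
    fi
    if ! lineage_in_use "$lineage"; then
        echo "skip: nginx does not reference $lineage"
        return 0
    fi
    systemctl reload nginx || return 1
    echo "reloaded nginx for $lineage"
}

# Only act when certbot invoked this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Saved as an executable file in /etc/letsencrypt/renewal-hooks/deploy/, it runs after each successful renewal without passing --deploy-hook on the command line.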