Hello! I just tried to update the Let's Encrypt certificates on my server for one of my domains (some others give the same error). I renewed the certificates, restarted nginx, checked the symlinks of the certs, but still an older version is being detected. I would very much appreciate any feedback on how I could fix that!
Also check that the file is in a location that is actually being included into the config.
[not too common a problem for nginx (more for apache) - but worth checking into]
I admit, it may have happened that at some point in the past I screwed up a certificate being issued to two domains, as you can see. But now the webserver should point to new (and I suppose correct) certificates, server_names are not overlapping, and nginx -t is fine.
Do you have an idea where I can search for that outdated certificate — and somehow disable it — which is called instead of the new one from certbot?
I noticed that you are using two different certbot commands: certbot-3.7 and certbot
Do you have multiple versions of certbot installed?
Your certbot command is malformed. You can only use one type of authenticator at a time. If there are any errors shown in the output when you run any of the commands below, please copy-and-paste the command that you executed and the complete output for us to see.
Testing
If you want to use the nginx authenticator: certbot certonly --cert-name peakspirit --nginx -d "peakspirit.de,www.peakspirit.de" --dry-run
If you want to use the webroot authenticator: certbot certonly --cert-name peakspirit --webroot -w /var/www/peakspirit.de/www -d "peakspirit.de,www.peakspirit.de" --dry-run
Live
If you want to use the nginx authenticator: certbot run --cert-name peakspirit -a nginx -d "peakspirit.de,www.peakspirit.de" -i nginx --keep-until-expiring
If you want to use the webroot authenticator: certbot run --cert-name peakspirit -a webroot -w /var/www/peakspirit.de/www -d "peakspirit.de,www.peakspirit.de" -i nginx --keep-until-expiring
Once you've successfully executed one of the live commands above, you should have a new certificate named peakspirit.
You can view your certificates and note their names: certbot certificates
You can delete any unneeded certificates: certbot delete --cert-name name
You can view your certificates again to confirm: certbot certificates
So, your process is missing part of the automation.
You need to incorporate a web server restart/reload after each time a cert is renewed.
This can be done easily with either:
appending --deploy-hook "systemctl reload nginx" to the certbot call
adding a cron job to reload nginx daily; like: 12 3 * * * /bin/systemctl reload nginx.service
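
For the question raised earlier in the thread (where an outdated certificate might still be referenced), this added example, which is not from any poster, lists the certificate file each nginx server block loads and flags blocks for a domain that do not use the expected file. Assumptions: certbot's default /etc/letsencrypt/live/<cert-name>/fullchain.pem layout, one directive per line, and a constructed sample config with a hypothetical leftover lineage peakspirit.de-0001.

```shell
#!/bin/sh
# Added example, not from the thread. Input on stdin is an nginx config dump,
# for instance the output of: nginx -T 2>/dev/null

# Print "<server_name list><TAB><ssl_certificate path or ->" per server block.
list_server_certs() {
    awk '
    {
        sub(/#.*/, "")                       # drop comments
        line = $0
        if (line ~ /^[ \t]*server[ \t]*[{]/) { in_srv = 1; srv_depth = depth; names = ""; cert = "" }
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (!in_srv) next
        if ($1 == "server_name")
            for (i = 2; i <= NF; i++) {
                n = $i; sub(/;$/, "", n)
                if (n != "") names = names (names == "" ? "" : ",") n
            }
        if ($1 == "ssl_certificate") { cert = $2; sub(/;$/, "", cert) }
        if (depth == srv_depth) { print names "\t" (cert == "" ? "-" : cert); in_srv = 0 }
    }'
}

# Print server blocks that answer for domain $1 but do not load file $2.
mismatched_blocks() {
    list_server_certs | awk -F '\t' -v d="$1" -v want="$2" '
    { n = split($1, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == d && $2 != want) { print; break } }'
}

# Constructed sample input: a current block plus a forgotten one in conf.d.
sample_config() {
    cat <<'EOF'
# configuration file /etc/nginx/sites-enabled/peakspirit:
server {
    listen 443 ssl;
    server_name peakspirit.de www.peakspirit.de;
    ssl_certificate /etc/letsencrypt/live/peakspirit/fullchain.pem;
    location / { root /var/www/peakspirit.de/www; }
}
# configuration file /etc/nginx/conf.d/old.conf:
server {
    listen 443 ssl;
    server_name peakspirit.de;
    ssl_certificate /etc/letsencrypt/live/peakspirit.de-0001/fullchain.pem;
}
EOF
}

sample_config | mismatched_blocks peakspirit.de /etc/letsencrypt/live/peakspirit/fullchain.pem
```

On a real host, replace sample_config with the nginx -T output; any line printed is a server block still pointing at a different certificate file.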