Generates already expired certificates

Please fill out the fields below so we can help you better.

My domain is: stats.xolf.info

I ran this command: ./certbot-auto

It produced this output:
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: d2hip.com
2: xlf.li
3: emma.xolf.info
4: inside.xolf.info
5: iris.xolf.info
6: stats.xolf.info
7: store.xolf.info
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):6
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for stats.xolf.info
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem
Deploying Certificate for stats.xolf.info to VirtualHost /etc/apache2/sites-available/stats.xolf.info-le-ssl.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.

-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://stats.xolf.info

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=stats.xolf.info
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/stats.xolf.info/fullchain.pem. Your cert will
   expire on 2016-09-10. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@emma:~# date
Fri Apr  7 08:55:24 UTC 2017

My operating system is: Debian 7

My web server is: Apache2

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

For some reason you are seeing the output for your old certificate. Go to https://crt.sh/ and search for stats.xolf.info. You’ll find that you have received a letsencrypt certificate on 2016-06-12.

That’s true.

I switched to another certificate provider after the renewal of my Let’s Encrypt certificate failed.

Today I wanted to give Let’s Encrypt another chance (for sure Let’s Encrypt is pretty awesome) and I get an old expired certificate.

However I ran ./certbot-auto renew and still got a certificate from the past.
Is there a way to fix it?

The renewal worked and you got a new and valid certificate, but your webserver doesn’t use it.
Have a look into:
/etc/apache2/sites-available/stats.xolf.info-le-ssl.conf
First examine the certificate that is referenced in this file:
openssl x509 -in CERTFILE -noout -text
Is the referenced certificate the correct one? If the certificate is correct, verify that Apache is actually using this configuration. If it is not correct, have a look at the certificates you can find in /etc/letsencrypt/live/stats.xolf.info.

All the symlinks in /etc/letsencrypt/live/stats.xolf.info pointed to the expired certificate and didn’t get changed by the renewal process.

Thank you @xyzzy, I changed them manually, so it’s working now.

That is pretty strange! The renewal process is supposed to update them automatically every time.

If you’re interested in sending us some logs, maybe we could try to figure out why the symlinks didn’t get updated. (For future renewals you might also be able to run with -v to increase the amount of debugging output for this purpose… though I hope you won’t run into this problem in the future.)
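
A read-only check for the situation found in this thread (the renewal succeeds but the symlinks under /etc/letsencrypt/live/ still point at the old certificate), as an added example that is not part of the original posts and is not Certbot's own code. It assumes Certbot's standard live/ and archive/ layout; `check_lineage` is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example (not Certbot's own code): flag live/ symlinks that do not point
# at the newest file in archive/. Assumes the standard Certbot layout:
#   <root>/live/<name>/{cert,chain,fullchain,privkey}.pem  -> symlinks
#   <root>/archive/<name>/<kind>N.pem                      -> N grows per renewal

check_lineage() {
    # $1 = certificate name, $2 = config root (defaults to /etc/letsencrypt)
    local name=$1 root=${2:-/etc/letsencrypt} stale=0
    local kind link current newest n f
    for kind in cert chain fullchain privkey; do
        link="$root/live/$name/$kind.pem"
        if [ ! -L "$link" ]; then
            echo "MISSING $kind.pem is not a symlink"
            stale=1
            continue
        fi
        # Version number the symlink currently resolves to, e.g. cert1.pem -> 1
        current=$(readlink "$link")
        current=${current##*/}; current=${current#"$kind"}; current=${current%.pem}
        # Highest version number present in the archive for this kind
        newest=0
        for f in "$root/archive/$name/$kind"[0-9]*.pem; do
            [ -e "$f" ] || continue
            n=${f##*/}; n=${n#"$kind"}; n=${n%.pem}
            if [ "$n" -gt "$newest" ]; then newest=$n; fi
        done
        if [ "$current" = "$newest" ]; then
            echo "OK $kind.pem -> $kind$current.pem"
        else
            echo "STALE $kind.pem -> $kind$current.pem (newest: $kind$newest.pem)"
            stale=1
        fi
    done
    return "$stale"
}

# When run with a name, also print the expiry of the certificate the symlink serves.
if [ "$#" -ge 1 ]; then
    check_lineage "$1" "${2:-/etc/letsencrypt}"
    openssl x509 -noout -enddate -in "${2:-/etc/letsencrypt}/live/$1/cert.pem"
fi
```

A STALE line for cert.pem or fullchain.pem means Apache will keep serving the old certificate even though a newer one exists in archive/.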
