Got expiry notice but can't renew?

A week ago I got expiry emails regarding my certs. I ran “certbot renew” and it told me none of my certs were due for renewal. Today I get expiry emails again. They say I have 0 days until expiration and to renew before then. So I run “certbot renew” again. It STILL tells me my certs are not due for renewal!!! So either the expiry bot that sends out these emails is wrong or the certbot is bugged and won’t let me renew. Either way something is going on here and it’s pissing me off that I can’t renew even when I’m less than a day away from expiration. Can anyone tell me why? Is there a way to force the renewal?

most likely the message is from a cert that you are no longer using.
What is the FQDN in the notice?

You could be right. When I did “certbot renew --force-renewal” there were two certs. The new one I generated with several subdomains (hellhawks.net, www.hellhawks.net, and more). The old one was simply ‘hellhawks.net’ and ‘www.hellhawks.net’. From the looks of it theres “/etc/letsencrypt/renewal/hellhawks.net-0001.conf” (old one) and “/etc/letsencrypt/renewal/hellhawks.net.conf” (new one with the extra subdomains). I guess one of them needs to be cleaned up and removed. What’s the best way to do that?

“certbot certificates” will show you all the certs and their expirations.
“certbot delete --cert-name example.com” will delete a specific cert.
https://crt.sh/?q=hellhawks.net will show you all known certs with “hellhawks.net” anywhere in the SAN list.

1 Like

You can run certbot certificates to be sure of their contents, and then double-check which is used in your web server configuration, e.g.

grep -r /etc/letsencrypt/live /etc/apache2

or

grep -r /etc/letsencrypt/live /etc/nginx

The way to delete one is

certbot delete --cert-name hellhawks.net-0001

(for example), but the reason for checking references in your web server configuration is that deleting a certificate doesn’t do anything to remove references to it in server configurations, so if you delete one that’s in use this way, you’re likely to encounter errors when restarting your web server. However, deleting one that’s not in use at all and that only has a subset of your domain names should be fine.

2 Likes

Well that was simple enough. “sudo certbot delete --cert-name hellhawks.net-0001” cleaned up the old cert. When I run “certbot certificates” now it only shows the new one. Hopefully next time I need a renewal everything works as expected.

1 Like

I can also confirm that apache restarted without any errors and the https links all work correctly. Good to go. Thanks again.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.