How to renew certificate after expiry

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: almurjanholding.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is: cloudflare.com

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Hi @it.infra

there are some checks of your domain - one hour old - https://check-your-website.server-daten.de/?q=almurjanholding.com

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| almurjanholding.com | A | | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.almurjanholding.com | | Name Error | yes | 1 | 0 |

There is no A record defined. But there are two active wildcards:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-12-29 | 2020-03-28 | *.almurjanholding.com, almurjanholding.com - 2 entries | | |
| Let’s Encrypt Authority X3 | 2019-12-15 | 2020-03-14 | *.almurjanholding.com, almurjanholding.com - 2 entries | | |

Your answers to the standard template are required.


Well, currently there’s no way for you to get a certificate through non-DNS challenge types, because there is no IP address associated with almurjanholding.com nor www.almurjanholding.com. This would be required for the http-01 challenge. It is also required if you want people to surf to your website in the first place, so there’s something really wrong here!

Also, if you use CloudFlare, it’s not 100% necessary to have a publicly trusted certificate on your own server (the “origin” server in CloudFlare terms). See https://www.cloudflare.com/ssl/ for more information, especially the “Origin CA” part.

Hello everybody.
I have the same question/issue (How to renew certificate after expiry)
OS: Ubuntu 18.10
HTTP: Apache/2.4.34 (Ubuntu)
Domain: 8881000.com

I was late to renew my certificate by 8 hours.
I ran this command:

sudo certbot --apache

certbot showed:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/cnc.8881000.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/cnc.8881000.com/privkey.pem
    Your cert will expire on 2020-05-30. To obtain a new or tweaked . . .

more detailed screenshot
https://8881000.com/nc/index.php/s/HK63Rta5oo7ErdR

It is two days now since my certificate has expired
https://www.sslshopper.com/ssl-checker.html#hostname=8881000.com

What am I doing wrong and how can I fix it?
I really need my domain to be back to normal before Monday.

Thank you.

Hi @User8881000,

You have a new certificate but your Apache server isn’t using it. Perhaps you should run sudo service apache2 reload, and also make sure that you didn’t copy the original certificate elsewhere and then configure Apache to use the copy rather than the original location (since the Certbot renewal will place the new certificate at the same path where the old certificate was located).

@User8881000

Could you post the output of “sudo certbot certificates”?

It’s easy :)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
OCSP check failed for /etc/letsencrypt/live/8881000.com/cert.pem (are we offline?)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: 8881000.com
Domains: 8881000.com osrss.org www.8881000.com www.osrss.org
Expiry Date: 2020-02-29 21:23:26+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/8881000.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/8881000.com/privkey.pem
Certificate Name: cnc.8881000.com
Domains: 8881000.com cnc.8881000.com www.8881000.com
Expiry Date: 2020-05-30 15:30:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/cnc.8881000.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cnc.8881000.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

mp@ubuntu300:~$ sudo ls -l /etc/letsencrypt/live/8881000.com/cert.pem
lrwxrwxrwx 1 root root 35 Dec 1 17:23 /etc/letsencrypt/live/8881000.com/cert.pem -> ../../archive/8881000.com/cert4.pem

Nope… it does not help, because I rebooted the server twice as soon as I realized that the new certificate does not work.

In the output from sudo certbot certificates, you can see that you have two different certificates:

  • One certificate in /etc/letsencrypt/live/8881000.com, which is expired (you apparently haven’t asked to renew it, or the renewal failed for another reason).
  • One certificate in /etc/letsencrypt/live/cnc.8881000.com, which was successfully renewed and is valid.

These certificates cover different sets of names.

But when we try to connect to https://cnc.8881000.com/, we see that the server shows us the other (expired) certificate, even though that certificate doesn’t cover the cnc subdomain at all. Could you look in your Apache configuration and see why Apache thinks it should use that certificate for the cnc subdomain? It seems like your HTTPS configuration might be the same across all of your subdomains—always pointing at the same certificate—even though you have two different certificates managed by Certbot, which therefore need different Apache configuration settings to reference each one.

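The cross-check suggested in the reply above, as an added example that is not part of the original thread: it compares each Apache vhost's SSLCertificateFile against the lineages that `certbot certificates` reports and flags names served a certificate that is expired or does not cover them. The Apache configuration is constructed for illustration (the poster's real config is not shown in the thread), the function names `parse_lineages` and `audit` are hypothetical, and the evaluation date is fixed at two days after the expiry.

```python
import re
from datetime import datetime, timezone

# `sudo certbot certificates` output from the thread (only the lines parsed here).
CERTBOT_OUT = """\
Domains: 8881000.com osrss.org www.8881000.com www.osrss.org
Expiry Date: 2020-02-29 21:23:26+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/8881000.com/fullchain.pem
Domains: 8881000.com cnc.8881000.com www.8881000.com
Expiry Date: 2020-05-30 15:30:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/cnc.8881000.com/fullchain.pem
"""
# Constructed Apache config (an assumption, not the poster's): one lineage reused for both vhosts.
APACHE_CONF = """\
<VirtualHost *:443>
    ServerName 8881000.com
    SSLCertificateFile /etc/letsencrypt/live/8881000.com/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName cnc.8881000.com
    SSLCertificateFile /etc/letsencrypt/live/8881000.com/fullchain.pem
</VirtualHost>
"""

def parse_lineages(text):
    """Map certificate path -> (set of covered names, expiry as an aware datetime)."""
    pat = r"Domains: (.+)\n\s*Expiry Date: (\S+ \S+).*\n\s*Certificate Path: (\S+)"
    return {p: (set(d.split()), datetime.fromisoformat(e)) for d, e, p in re.findall(pat, text)}

def audit(conf, lineages, now):
    """Return (host, cert_path, problem) for each vhost name served a wrong or expired cert."""
    findings = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        names = re.findall(r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+)$", block, re.M | re.I)
        hosts = " ".join(names).split()
        for path in re.findall(r"^[ \t]*SSLCertificateFile[ \t]+(\S+)", block, re.M | re.I):
            if path not in lineages:  # e.g. a copy made outside /etc/letsencrypt/live
                findings += [(h, path, "path not managed by Certbot") for h in hosts]
                continue
            domains, expiry = lineages[path]
            for host in hosts:
                if host not in domains and "*." + host.partition(".")[2] not in domains:
                    findings.append((host, path, "name not covered"))
                if expiry <= now:
                    findings.append((host, path, "expired"))
    return findings

if __name__ == "__main__":
    print(*audit(APACHE_CONF, parse_lineages(CERTBOT_OUT), datetime(2020, 3, 2, tzinfo=timezone.utc)), sep="\n")
```

On a real server, feed it the actual `sudo certbot certificates` output and the contents of the enabled site files; after editing the vhost, Apache still has to be reloaded before it serves the new certificate.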

Looks like the osrss.org domain expired.

@User8881000, if you’re still using that domain name, you need to contact your registrar and renew it fast.

Thank you but my concern right now is about 8881000.com
everything else is secondary.
