Https says certificate expired. certbot says it's good


My domain is: a-view.org

I ran this command: certbot certonly --cert-name a-view.org

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not open file: /etc/nginx/sites-enabled/159.65.74.127.conf

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): lewis@neilson-levin.org
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): a-view.org lnotes.a-view.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for a-view.org
http-01 challenge for lnotes.a-view.org
Waiting for verification...
Cleaning up challenges
Could not open file: /etc/nginx/sites-enabled/159.65.74.127.conf

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/a-view.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/a-view.org/privkey.pem
   Your cert will expire on 2018-11-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Here is the confirmation that the cert was updated:

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: a-view.org
    Domains: a-view.org lnotes.a-view.org
    Expiry Date: 2018-11-30 15:41:08+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/a-view.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/a-view.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Hi,

Can you please try to open your Nginx virtual host configuration file and reload Nginx afterward?

Since your renewed certificate is saved, but Nginx might not be reloaded…

Thank you

I ran service nginx restart multiple times. The log shows it restarted.

Hi,

Can you share your website configuration file with us? (the virtual host file for your site)

Thank you

This is for ssl:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name a-view.org;
    root /var/www/a-view/ghost/system/nginx-root;

    ssl_certificate /etc/letsencrypt/a-view.org/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/a-view.org/a-view.org.key;
    include /etc/nginx/snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

This is for port 80:

server {
    listen 80;
    listen [::]:80;

    server_name a-view.org;
    root /var/www/a-view/ghost/system/nginx-root;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

It used to work but the original certificate expired 8/29.

The renewal worked, but I think that perhaps when I originally configured I had the certs in a different location.

Hi,

Can you please change two lines of this virtual host file?

Please remove the two lines:

ssl_certificate /etc/letsencrypt/a-view.org/fullchain.cer;
ssl_certificate_key /etc/letsencrypt/a-view.org/a-view.org.key;

Please add the following lines:

ssl_certificate /etc/letsencrypt/live/a-view.org/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/a-view.org/privkey.pem

Afterward please reload nginx..

Thank you


Hi @lewisl

Your files are fullchain.pem / privkey.pem.

So change your configuration file.

Got to have semi-colons!

That's it.

Is "live" like "sites-available" for nginx?

I guess that the first time I did everything manually and put the certs in a different directory than certbot puts things.

Thanks.

Yup...

The live folder is where Let's Encrypt puts the keys & certificates (kind of similar to sites-enabled)
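The mismatch diagnosed in the replies above can be checked mechanically. The following is an added example, not code posted by anyone in the thread: it scans nginx configuration text for `ssl_certificate` and `ssl_certificate_key` directives and flags paths outside certbot's `live` directory as well as lines missing the terminating semicolon. The function names and the second `server` block in the sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit nginx certificate directives against certbot's live directory.

# Constructed sample input. The first block uses the paths from the thread's
# original config; the second (hypothetical) block uses the live paths with
# one semicolon left off.
sample_conf() {
cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name a-view.org;
    ssl_certificate /etc/letsencrypt/a-view.org/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/a-view.org/a-view.org.key;
}
server {
    listen 443 ssl http2;
    server_name lnotes.a-view.org;
    ssl_certificate /etc/letsencrypt/live/a-view.org/fullchain.pem
    ssl_certificate_key /etc/letsencrypt/live/a-view.org/privkey.pem;
}
EOF
}

# Reads nginx config on stdin; $1 is the certbot live directory.
# Prints "<line>: <directive> <path> <status>" for every certificate directive.
audit_cert_directives() {
    live_dir="${1:-/etc/letsencrypt/live}"
    awk -v live="$live_dir" '
        $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
            path = $2
            status = "ok"
            # nginx refuses to load a directive that is not terminated by ";"
            if ($NF !~ /;$/) status = "missing-semicolon"
            sub(/;$/, "", path)
            # A path outside live/ is not updated when certbot renews
            if (index(path, live "/") != 1) status = "outside-live-dir"
            print NR ": " $1 " " path " " status
        }'
}

sample_conf | audit_cert_directives /etc/letsencrypt/live
```

On a real host the same function can read the full effective configuration with `nginx -T 2>/dev/null | audit_cert_directives`.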

So, I was set up–probably incorrectly–for automatic renewals.

File /etc/cron.d/certbot looks like this:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

I always forget the cron timing codes, but does this look right?
Why didn’t it happen? The file create date is Jul 21, 2018.

Hi,

This looks good....

I'm not sure what's happened....

By the way, could you please check if /run/systemd/system exists?

Take a look at this please:

Thank you


The directory /run/systemd/system exists.

I am not sure what you mean by certbot cron job.

Just above I showed the file for cron.d.

There is also a file called certbot.timer:

[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

You guys are great. Definitely a donation coming. Best supported open source project/service ever.


I just donated to both eff.org and Let’s Encrypt.

Great work.


Hi,

As the cron.d line states, if the system folder exists… It would not execute (I guess that’s why it’s not running correctly)

I actually have no idea about the certbot.timer one as I never used it… But I guess only one of the two needs to exist… (Or it might cause conflicts I guess?) (Sorry I never used the timer one before…)

Hope others in this forum could assist you with this (auto run) issue…

Thank you
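The interaction between the cron.d guard and certbot.timer discussed above, as an added example that is not part of any post in the thread: the function applies the same two tests as the cron line (`-x /usr/bin/certbot`, `! -d /run/systemd/system`) and then looks for the enable link that `WantedBy=timers.target` produces. The optional root prefix, the function names and the link location under `/etc/systemd/system/timers.target.wants` are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example: which scheduler, if any, will run "certbot renew" on this host?
# $1 is a hypothetical root prefix so the check can be pointed at a test tree;
# leave it empty to inspect the real filesystem.
renewal_scheduler() {
    root="${1:-}"
    wants="$root/etc/systemd/system/timers.target.wants/certbot.timer"
    if [ ! -x "$root/usr/bin/certbot" ]; then
        echo "none: certbot not executable"
    elif [ ! -d "$root/run/systemd/system" ]; then
        # Same guard as the cron.d line: cron renews only when systemd is not running.
        if [ -f "$root/etc/cron.d/certbot" ]; then
            echo "cron"
        else
            echo "none: no cron.d entry"
        fi
    elif [ -L "$wants" ] || [ -e "$wants" ]; then
        # Enabling a unit with WantedBy=timers.target creates this link.
        echo "systemd-timer"
    else
        echo "none: cron guard skips on systemd and certbot.timer is not enabled"
    fi
}

# Constructed tree resembling the host in the thread: systemd directory present,
# cron.d file present, certbot executable (a symlink to /bin/sh stands in for it).
make_sample_tree() {
    t="$(mktemp -d)"
    mkdir -p "$t/usr/bin" "$t/run/systemd/system" "$t/etc/cron.d" \
             "$t/etc/systemd/system/timers.target.wants"
    ln -s /bin/sh "$t/usr/bin/certbot"
    : > "$t/etc/cron.d/certbot"
    echo "$t"
}

tree="$(make_sample_tree)"
echo "timer not enabled: $(renewal_scheduler "$tree")"
# Placeholder link target; only the presence of the link matters here.
ln -s /path/to/certbot.timer "$tree/etc/systemd/system/timers.target.wants/certbot.timer"
echo "timer enabled:     $(renewal_scheduler "$tree")"
rm -rf "$tree"
```

On a live system, `systemctl is-enabled certbot.timer` and `systemctl list-timers` give the authoritative answer for the timer side.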
