Let's Encrypt Certificate is renewed but browser is still showing old expiry date


#1

Hi,

I renewed the Let’s Encrypt certificate using ./certbot-auto renew, as mentioned in the Bitnami SSL guide document on Let’s Encrypt. All commands executed correctly and the certificate was renewed. However, the browser is still showing the old expiry date.

Please help me in fixing the same.

Best Regards


#2

Have you tried restarting the webserver so it loads in the new certificate?


#3

Check whether Bitnami is actually pointing to the correct certificate path (under /etc/letsencrypt/live).

grep -R SSLCertificateFile /opt/bitnami/apache2/conf

#4

I already did this. Nothing happened.


#5

I ran this command and got the following output:

/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# the referenced file can be the same as SSLCertificateFile
grep: /opt/bitnami/apache2/conf/server.key.backup: Permission denied
grep: /opt/bitnami/apache2/conf/server.crt: Permission denied
/opt/bitnami/apache2/conf/bitnami/bitnami.conf:SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
grep: /opt/bitnami/apache2/conf/server.crt.backup: Permission denied
grep: /opt/bitnami/apache2/conf/server.key: Permission denied
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# the referenced file can be the same as SSLCertificateFile


#6

OK well, that’s certainly the problem then.

When Certbot renews certificates, all it does is update the private key and certificate files inside /etc/letsencrypt. It doesn’t “know” about Bitnami.

Your Bitnami Apache configuration should point to the private key, chain and certificate files within /etc/letsencrypt.

For example

SSLCertificateFile /etc/letsencrypt/live/yourdomain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.tld/chain.pem

You can find out what files you have available with

find /etc/letsencrypt/live

#7

I am unable to view the files… I am getting the following output:

/etc/letsencrypt/live
find: `/etc/letsencrypt/live': Permission denied

I would also like to mention that, based on the suggestions in some earlier posts on the same topic, I had used the following commands to establish the correct symlink:

sudo ln -sf /etc/letsencrypt/live/MYDOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo ln -sf /etc/letsencrypt/live/MYDOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key

However, it also didn’t fix my problem.


#8

All the commands should be run as root.

I think those symlinks should work fine. Did you restart Apache afterwards?

Can you test that the symlink is actually working? The following command should print the main name of your certificate as well as the Let’s Encrypt CA name:

sudo openssl x509 -in /opt/bitnami/apache2/conf/server.crt -noout -subject -issuer

#9

The symlink is working. The command is throwing the correct name of the certificate and the Let’s Encrypt CA.


#10

Then I see no reason why it wouldn’t be working, assuming apachectl -t reports no errors and you have reloaded Apache.

It’s probably a bit hard to provide further assistance without knowing what the domain is.

Edit: Actually, run the openssl command again and append -dates to the end of it. Run ./certbot-auto certificates for good measure, too. Check the dates.
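
The checks discussed in the replies above, combined into one script that compares the certificate on disk with the one the running server presents. This is an added example, not part of the original thread; the function names and verdict labels are made up for illustration, and it assumes the openssl CLI is installed and the script is run as root.

```shell
#!/bin/sh
# Added example: does the running web server present the certificate on disk?
# Usage (as root, because /etc/letsencrypt/live is readable by root only):
#   sh check_cert.sh <hostname> <path-to-cert-or-fullchain.pem> [port]

# PEM of the leaf certificate presented on host:port (SNI set to the host).
served_pem() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# SHA-256 fingerprint and notAfter date of a PEM certificate read from stdin.
fingerprint() { openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }
not_after()   { openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2; }

# Classify two fingerprints (disk, served): in-sync, mismatch or unknown.
verdict() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unknown     # file unreadable (not root?) or TLS connection failed
    elif [ "$1" = "$2" ]; then
        echo in-sync     # the server has loaded the certificate that is on disk
    else
        echo mismatch    # server not restarted, or its config points elsewhere
    fi
}

check_host() {
    # openssl x509 reads only the first certificate, i.e. the leaf of a fullchain.
    d=$(openssl x509 -in "$2" 2>/dev/null)
    s=$(served_pem "$1" "$3")
    d_fp=$(printf '%s\n' "$d" | fingerprint)
    s_fp=$(printf '%s\n' "$s" | fingerprint)
    echo "disk:   ${d_fp:-unreadable} expires $(printf '%s\n' "$d" | not_after)"
    echo "served: ${s_fp:-unreachable} expires $(printf '%s\n' "$s" | not_after)"
    verdict "$d_fp" "$s_fp"
}

# Run only when a hostname and a certificate path are given.
if [ "$#" -ge 2 ]; then
    check_host "$1" "$2" "${3:-}"
fi
```

A `mismatch` right after a successful renewal means the renewed file is on disk but the running server has not loaded it.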


#11

Finally, the problem is fixed!
Instead of stopping & restarting the server from the command line (which was not giving any results), I went to Bitnami and stopped the server from there and then restarted it. I can now see my renewed Let’s Encrypt certificate.

Thanks _az for your support

