LetsEncrypt Functionality

Hello,
We have an SSL cert that will be expiring in 2 weeks; I wanted to be proactive and renew the cert early.
I renewed the cert below and it looks like it passed challenges and renewed.

My question is why is the website still showing the old cert? When running “certbot-auto renew” I get that the new cert is being used and even when renewing/reissuing, the website still shows the old cert with the old expiration date. Any suggestions?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
billing.sgvblaw.com

I ran this command:
sudo /usr/local/bin/certbot-auto certonly --apache

It produced this output:
Congratulations! Your certificate and chain have been saved at:

Your key file has been saved at:

Your cert will expire on 2020-05-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew all of your certificates, run
“certbot-auto renew”

My web server is (include version):

The operating system my web server runs on is (include version):

Ubuntu 14

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

1 Like

Short answer:

When you use certbot certonly, you have to manually reload or restart Apache afterwards so that it will notice the new certificate files.

4 Likes
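
One way to confirm the situation described in the short answer above, as an added example that is not part of the original thread: compare the fingerprint of the certificate file on disk with the one the server actually presents. It assumes the `openssl` command-line tool is installed; the function names and the script name are hypothetical, and the path to the renewed certificate file is passed in as an argument.

```shell
#!/bin/sh
# Added example: is the web server still presenting the pre-renewal certificate?

# SHA-256 fingerprint of the PEM certificate on stdin (empty output if unparsable).
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Leaf certificate the server presents for HOST (SNI set), as PEM. Needs network.
served_pem() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# compare_certs DISK_PEM SERVED_PEM
# Returns 0 if both files hold the same certificate, 1 if they differ
# (server not reloaded, or another vhost/file is configured), 2 on parse errors.
compare_certs() {
    disk_fp=$(fingerprint <"$1")
    live_fp=$(fingerprint <"$2")
    if [ -z "$disk_fp" ] || [ -z "$live_fp" ]; then
        echo "could not parse one of the certificates" >&2
        return 2
    fi
    echo "on disk: $(openssl x509 -noout -enddate -in "$1")  $disk_fp"
    echo "served : $(openssl x509 -noout -enddate -in "$2")  $live_fp"
    if [ "$disk_fp" = "$live_fp" ]; then
        echo "OK: server presents the certificate that is on disk"
        return 0
    fi
    echo "STALE: server presents a different certificate; reload the web server"
    return 1
}

# check_site HOST DISK_PEM: fetch the served certificate and compare it.
check_site() {
    tmp=$(mktemp) || return 2
    served_pem "$1" >"$tmp"
    compare_certs "$2" "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run as: sh check-cert.sh HOST /path/to/cert.pem   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    check_site "$1" "$2"
fi
```

The non-zero exit status on a mismatch lets the same script run from cron or a monitoring check after each renewal.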

I'd definitely recommend trying out the certbot-auto renew command suggested in this output. It's really handy!

Also, we actually recommend that you set up your servers to automatically renew certificates 4 weeks before expiry, so in my mind renewing at 2 weeks is actually a little late.

I know there are probably reasons you're running an older Ubuntu release, but if you can manage it, I'd definitely recommend upgrading to the latest Ubuntu. Ubuntu 14 reached its end of standard support last year, and will reach its end of life by 2022. Notably, it will be hard for you to install and use the latest version of Certbot on Ubuntu 14.

2 Likes

Thanks for the suggestions everybody. On the latest SSL now. Thank you.

1 Like

If you set up a cron job to automatically renew your certificates, you can also set it up to automatically reload Apache.

If I remember correctly, the command to reload Apache on Ubuntu 14.04 or 14.10 is sudo service apache2 graceful.

Assuming I’m correct, you could create a file named /etc/cron.d/certbot-auto and put something like this in it:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root perl -e 'sleep int(rand(43200))' && certbot-auto -q --deploy-hook 'service apache2 graceful' renew

(That would run it twice a day at random times. The renew command doesn’t try to renew your certificates unless they’ll expire soon.)

Edit: I had a brain fart and used a deprecated and possibly misspelled option, --renew-hook.

2 Likes

An alternative to this is to use certbot --apache (in which case Certbot will do that for you, assuming it understands how to deal with your local Apache configuration), or in more unusual or complicated cases creating a --deploy-hook script that performs whatever tasks need to be performed to tell Apache or other services to start using the newly-obtained certificate.

3 Likes
