Manual Cert renewal not working

Hello, I’ve just run certbot-auto -d --manual --preferred-challenges dns certonly to do a DNS verified renewal.
It worked and I got Your certificate and chain have been saved at: /etc/letsencrypt/live/ Your key file has been saved at: /etc/letsencrypt/live/
Great! But I am still getting invalid cert errors in my browser.

Running Apache 2.2.15 and CentOS 6.10

I have restarted my apache service, but that did not help.

My vhost conf file looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/html/link/example
    ErrorLog logs/error_log
    CustomLog logs/access_log common

    RewriteEngine on

    RewriteRule ^ /router.php [QSA,L]

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/
</VirtualHost>
</IfModule>


Is there something further that needs to be done?


Could you please tell us your real domain name?
This would definitely help us if we know what’s the exact error…

Also, did you also request with If not, that might throw an error when you visit

Thank you

domain is

Hi @truckcrash

the Google-CT shows your new certificate, so that part has worked.

What do these say:

certbot certificates
apachectl configtest
apachectl fullstatus
apachectl -S

I am not familiar with Google-CT, but SSL Labs is reporting my cert is invalid:

Here is the output from those commands:
root|H [~]# certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name:
    Expiry Date: 2019-07-16 23:25:20+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/

root|H [~]# apachectl configtest
Syntax OK

root|H [~]# apachectl fullstatus
                                   Not Found

   The requested URL /server-status was not found on this server.


    Apache/2.2.15 (CentOS) Server at localhost Port 80

root|H [~]# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost (/etc/httpd/vhost.d/api-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         port 80 namevhost (/etc/httpd/vhost.d/api.conf:1)
Syntax OK

(*removed other domains for brevity)

If you create a certificate, it’s listed in CT-logs.

Yes, you have created a new certificate, but you don’t use it. Instead, you use your old expired certificate ( ):
1 days expired - 1 entry

And there is a bad request - http status 400:

Domainname   Http-Status   redirect   Sec.     G
             -14                      10.026   T   Timeout - The operation has timed out
             400                      1.646    N   Bad Request
                                                   Certificate error: RemoteCertificateChainErrors
             -14                      10.050   T   Timeout - The operation has timed out
Visible Content:

So it looks like your configuration doesn’t work; the namevhost api… may not be used. Try to remove (rename) your default server.

But you have two times
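
An added example (not part of the thread, and not certbot or Apache project code): a shell helper that reads apachectl -S output in the layout shown above, reports which file holds the default server for *:443, and prints the expiry date of the certificate each port-443 vhost file references. The sample output and its host names are constructed placeholders.

```bash
#!/bin/sh
# Constructed sample of `apachectl -S` output (Apache 2.2 layout as in the thread;
# the host names are hypothetical placeholders).
SAMPLE_S='VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server old.example.test (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost old.example.test (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost api.example.test (/etc/httpd/vhost.d/api-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         port 80 namevhost api.example.test (/etc/httpd/vhost.d/api.conf:1)
Syntax OK'

# Print "file:line" of the default server for *:443 (reads `apachectl -S` on stdin).
default_ssl_vhost() {
    awk '
        /is a NameVirtualHost/ { in443 = ($1 ~ /:443$/) }
        in443 && /default server/ {
            loc = $NF; gsub(/[()]/, "", loc); print loc; exit
        }'
}

# Print the config file of every port-443 name-based vhost, de-duplicated.
ssl_vhost_files() {
    awk '/port 443 namevhost/ {
            loc = $NF; gsub(/[()]/, "", loc); sub(/:[0-9]+$/, "", loc)
            if (!seen[loc]++) print loc
        }'
}

# For each config file given, print every SSLCertificateFile it sets and that
# certificate's notAfter date, so an expired file still in use stands out.
report_certs() {
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        awk 'tolower($1) == "sslcertificatefile" { print $2 }' "$conf" |
        while read -r cert; do
            printf '%s -> %s: ' "$conf" "$cert"
            openssl x509 -in "$cert" -noout -enddate 2>/dev/null || echo 'unreadable'
        done
    done
}

# Demo on the constructed sample. On a live host:
#   report_certs $(apachectl -S 2>&1 | ssl_vhost_files)
printf '%s\n' "$SAMPLE_S" | default_ssl_vhost
```

If the default server's file points at a certificate whose notAfter is in the past while another file points at the renewed one, requests are being answered by the default vhost rather than the one certbot configured.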


I made the default vhost, but that did not work - a certificate error was still shown.


Given that when a security exception is added in the browser to allow it to load does work properly and serves the correct content, I’m inclined to believe it is not a matter of the config file not being loaded. Maybe there is something more nuanced there I am unaware of, but Apache does use that file to know where to serve content from.
