My certificate is up to date, but is not working anymore

My domain is:

I ran this command:

  sudo /usr/bin/certbot renew --pre-hook "service haproxy stop" --post-hook "service haproxy start" --renew-hook "/root/haproxy_letsencrypt/"

and:

  sudo /usr/bin/certbot renew --dry-run --pre-hook "service haproxy stop" --post-hook "service haproxy start" --renew-hook "/root/haproxy_letsencrypt/"

It produced this output:

Without --dry-run, certbot renew indicates that the certificate is up to date :

/etc/letsencrypt/live/ expires on 2021-09-04

And it is correctly dated in /etc/letsencrypt/live. But the HTTPS connections to the websites do not work.

With the --dry-run option (but not sure this is the issue !!), I obtain :

Renewing an existing certificate
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

My web server is (include version):
HA-Proxy version 1.6.3 2015/12/25

The operating system my web server runs on is (include version):
Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is: myself, on various machines behind HAProxy (which acts as a proxy)

I can login to a root shell on my machine (yes or no, or I don't know)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel) :

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

A few details:

My certificate has been correctly renewed, but now the HTTPS access to my websites is not possible.

The certificate was renewed on June, +, 2021, successfully as far as I checked.

It is up to date: certbot renew indicates:

/etc/letsencrypt/live/ expires on 2021-09-04 (skipped)

The certificate is in /etc/letsencrypt/live with the appropriate date, June 6th.

Still, the certificate does not function, for example on :

I already had this problem before, but the solution (removing /etc/haproxy/certs/ and renewing again) is not working this time.

I tried also rebooting, restarting haproxy, and other things, without success.

I am not at all a specialist... so, any help very much appreciated, thanks !!

Thanks in advance,


Please show this file:


Welcome back to the Let's Encrypt Community, Nicolas :slightly_smiling_face:

Please also show the outputs of:

sudo ls -lRa /etc/letsencrypt
sudo certbot certificates

Please put 3 backticks above and below each output, like this:


This is an entirely different domain name:

than this:

The problem you are currently facing is that your website is still serving the old certificate, which is usually caused by corruption under /etc/letsencrypt, the new certificate not being correctly installed in your webserver, or your webserver not having been reloaded after renewing your certificate.


Thanks for asking rg305. Here is the content of /etc/letsencrypt/renewal/ :

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
authenticator = standalone
account = 96240ca70e8c08700a0f2b1fc8064d06
http01_port = 8888
server =

Thanks for answering Griffin.

For the recursive listing ls -lRa /etc/letsencrypt, I attach a txt file since it is rather long.

For certbot certificates, here they are :

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name:
    Expiry Date: 2021-09-04 17:18:48+00:00 (VALID: 46 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It seems that the active certificate is the latest, renewed in June 2021?

Hence, I'd say this option you quote would be the correct one:

or your webserver not having been reloaded after renewing your certificate.

This is an entirely different domain name:

Indeed, but all are served by a single machine running HAProxy, and the URLs are redirected by HAProxy to several backends.



I don't see the text file. :man_shrugging:


Problem solved, I think.

Though I would be grateful if you could check the new certificate is OK on e.g. and

In fact, it seems that the file in /etc/haproxy/certs/ had not been updated on renew, and still featured the old certificate.

Hence, for some reason, my renew hook script, in the command

/usr/bin/certbot renew --renew-hook "/root/haproxy_letsencrypt/"

which is supposed to reinstall the certificate in /etc/haproxy/certs, did not run correctly.

This script is rather simple. Hence, are there known cases when the --renew-hook option fails to trigger the hook script?

Anyway, thank you very much for your time!



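The failure described in the last post (certbot's lineage is renewed, but the combined PEM under /etc/haproxy/certs/ still holds the old certificate) can be detected and repaired by the hook itself. The following is an added example, not the poster's script or anything posted in the thread: a renew hook that rebuilds the HAProxy bundle from the lineage certbot passes in RENEWED_LINEAGE and then checks that the bundle's leaf certificate matches. The HAPROXY_CERT_DIR variable, the function names and the `<lineage name>.pem` file naming are assumptions.

```shell
#!/bin/bash
# Added example (not the poster's script): certbot renew/deploy hook for HAProxy.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to the hook.
# HAPROXY_CERT_DIR, the function names and the <name>.pem naming are assumptions.

# Print the first CERTIFICATE block (the leaf certificate) found in a PEM file.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /-----END CERTIFICATE-----/ {if (p) exit}' "$1"
}

# Return 0 only if the HAProxy bundle carries the same leaf as the certbot lineage.
haproxy_pem_is_current() {   # $1 = lineage dir, $2 = HAProxy bundle file
    local live served
    live=$(first_cert "$1/fullchain.pem" 2>/dev/null)
    served=$(first_cert "$2" 2>/dev/null)
    [ -n "$live" ] && [ "$live" = "$served" ]
}

# Build <cert dir>/<lineage name>.pem = fullchain + private key, replaced atomically.
install_haproxy_pem() {      # $1 = lineage dir, $2 = HAProxy cert dir
    local name target tmp
    name=$(basename "$1")
    target="$2/$name.pem"
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $1" >&2; return 1; }
    tmp=$(mktemp "$2/.$name.XXXXXX") || return 1   # mktemp creates the file mode 0600
    if cat "$1/fullchain.pem" "$1/privkey.pem" > "$tmp" && mv -f "$tmp" "$target"; then
        echo "installed $target"
    else
        rm -f "$tmp"; return 1
    fi
}

# Hook entry point: acts only when certbot has set RENEWED_LINEAGE.
# A non-zero exit makes the failure visible in certbot's output and logs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    dir="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
    install_haproxy_pem "$RENEWED_LINEAGE" "$dir" || exit 1
    haproxy_pem_is_current "$RENEWED_LINEAGE" "$dir/$(basename "$RENEWED_LINEAGE").pem" \
        || { echo "HAProxy bundle is still stale after install" >&2; exit 1; }
fi
```

With the pre-hook/post-hook pair used in this thread, HAProxy is started again after the hook runs, so the script does not reload it. `haproxy_pem_is_current` can also be run by hand after a renewal to confirm that the bundle was refreshed.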