It was working fine until yesterday when the cert expired. Then I ran: `./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/ -d mydomain.tld`. The output was:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/mydomain.tld/fullchain.pem. Your cert
will expire on 2016-09-22. To obtain a new or tweaked version of
this certificate in the future, simply run letsencrypt-auto again.
To non-interactively renew all of your certificates, run
"letsencrypt-auto renew"
If you like Certbot, please consider supporting our work by:
I’ve restarted the server but the certificate is still expired. Tried to replace the cert and run ./letsencrypt-auto renew but it says that the cert is not due. Any clues?
Are you sure your new cert is here (/etc/letsencrypt/live/mydomain.tld/fullchain.pem)? Double-check it, because maybe your cert is now in /etc/letsencrypt/live/mydomain.tld-xxxx/fullchain.pem, where xxxx should be a number like 0001.
Actually the certs are not at /etc/letsencrypt/live/mydomain.tld/. They are links to certs in another directory ../../archive/mydomain.tld/cert4.pem. The content at /etc/letsencrypt/live/mydomain.tld/ is:
root@server:/etc/letsencrypt/live/mydomain.tld# ls -l
total 0
lrwxrwxrwx 1 root root 42 Jun 24 11:48 cert.pem -> ../../archive/mydomain.tld/cert4.pem
lrwxrwxrwx 1 root root 43 Jun 24 11:48 chain.pem -> ../../archive/mydomain.tld/chain4.pem
lrwxrwxrwx 1 root root 47 Jun 24 11:48 fullchain.pem -> ../../archive/mydomain.tld/fullchain4.pem
lrwxrwxrwx 1 root root 45 Jun 24 11:48 privkey.pem -> ../../archive/mydomain.tld/privkey4.pem
So it looks like it creates a new filenamexxx.ext file in ../../archive/mydomain.tld/ for each renew (I’ve tried 3 times). Looking at the archive directory, the content is:
root@server:/etc/letsencrypt/archive/mydomain.tld# ls -l
total 48
-rw-r--r-- 1 root root 1805 Mar 25 13:22 cert1.pem
-rw-r--r-- 1 root root 1805 Jun 24 11:31 cert2.pem
-rw-r--r-- 1 root root 1805 Jun 24 11:41 cert3.pem
-rw-r--r-- 1 root root 0 Jun 24 13:04 cert4.pem
-rw-r--r-- 1 root root 1675 Mar 25 13:22 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 24 11:31 chain2.pem
-rw-r--r-- 1 root root 1647 Jun 24 11:41 chain3.pem
-rw-r--r-- 1 root root 0 Jun 24 13:04 chain4.pem
-rw-r--r-- 1 root root 3480 Mar 25 13:22 fullchain1.pem
-rw-r--r-- 1 root root 3452 Jun 24 11:31 fullchain2.pem
-rw-r--r-- 1 root root 3452 Jun 24 11:41 fullchain3.pem
-rw-r--r-- 1 root root 0 Jun 24 13:04 fullchain4.pem
-rw-r--r-- 1 root root 1704 Mar 25 13:22 privkey1.pem
-rw-r--r-- 1 root root 1708 Jun 24 11:31 privkey2.pem
-rw-r--r-- 1 root root 1708 Jun 24 11:41 privkey3.pem
-rw-r--r-- 1 root root 0 Jun 24 13:04 privkey4.pem
Looks like the last renew has a problem. And when I try to run the command to renew again:
An unexpected error occurred:
Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
Please see the logfiles in /var/log/letsencrypt for more details.
I’m not sure how that happened. Certbot performs a number of checks before writing new certificates to prevent breaking things; I haven’t seen this error before.
Try deleting the *4.pem files in archive/ and creating new symlinks to *3.pem for every file in /etc/letsencrypt/live/mydomain.tld (ln -s ../../archive/mydomain.tld/cert3.pem cert.pem, etc.).
That should get nginx working again. I would recommend running ./letsencrypt-auto renew --dry-run afterwards to make sure things will work for your next renewal as well.
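The manual inspection in the listings above (resolve each symlink in live/, notice the zero-byte generation-4 files, relink to generation 3) can be scripted. The following is an added example, not code from this thread or from Certbot: a POSIX shell audit of a certbot live/<domain> directory plus the rollback step pfg suggests. Rather than touching /etc/letsencrypt it builds a constructed look-alike tree under mktemp with fake PEM bodies (not real keys or certificates) that mirrors the thread's listing; the domain name, the generation numbers and the ../../archive relative-link layout are taken from the posts, everything else is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot itself: audit a certbot
# live/<domain> directory the way this thread does by hand. Every *.pem in
# live/ should be a symlink to a non-empty PEM file in archive/; a zero-byte
# or non-PEM target is exactly what yields "PEM_read_bio: no start line".
# Directories are passed as arguments so the same functions run against the
# constructed tree below or against /etc/letsencrypt on a real host.

# check_pem FILE: print "ok" or why the file is unusable; exit 0 only for "ok".
check_pem() {
    f=$1
    if [ ! -e "$f" ]; then echo "missing"; return 1; fi
    if [ ! -s "$f" ]; then echo "empty"; return 1; fi
    if ! grep -q '^-----BEGIN ' "$f"; then echo "no start line"; return 1; fi
    echo "ok"
}

# resolve_link LINK: path of a symlink's target; relative targets such as
# ../../archive/... are interpreted from the link's own directory.
resolve_link() {
    target=$(readlink "$1") || { echo "$1"; return 0; }
    case $target in
        /*) echo "$target" ;;
        *)  echo "$(dirname "$1")/$target" ;;
    esac
}

# audit_live LIVEDIR: one line per *.pem entry, "<name> -> <target>: <status>".
audit_live() {
    for link in "$1"/*.pem; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        status=$(check_pem "$(resolve_link "$link")") || true
        printf '%s -> %s: %s\n' "$(basename "$link")" \
            "$(readlink "$link" || echo "(not a symlink)")" "$status"
    done
}

# count_bad_pems LIVEDIR: number of entries whose status is not "ok".
count_bad_pems() {
    audit_live "$1" | grep -vc ': ok$' || true
}

# relink_to LIVEDIR DOMAIN N: point the four live/ symlinks at archive
# generation N, i.e. the rollback suggested in the thread (N=3 after a broken
# generation 4). Certbot keeps its own counter, so after rolling back run
# "letsencrypt-auto renew --dry-run" before relying on the next renewal.
relink_to() {
    for name in cert chain fullchain privkey; do
        ln -sf "../../archive/$2/${name}$3.pem" "$1/$name.pem"
    done
}

# make_demo_tree: build a constructed look-alike of /etc/letsencrypt in a
# temporary directory (fake PEM bodies, not real keys or certificates) that
# mirrors the thread: generation 3 intact, generation 4 broken. Prints the base.
make_demo_tree() {
    base=$(mktemp -d)
    arch="$base/archive/mydomain.tld"
    live="$base/live/mydomain.tld"
    mkdir -p "$arch" "$live"
    for name in cert chain fullchain privkey; do
        case $name in privkey) kind="PRIVATE KEY" ;; *) kind=CERTIFICATE ;; esac
        printf '%s\n' "-----BEGIN $kind-----" "Tk9UIEEgUkVBTCBDRVJU" \
            "-----END $kind-----" > "$arch/${name}3.pem"
    done
    : > "$arch/cert4.pem"                   # zero bytes, like the thread's cert4.pem
    : > "$arch/privkey4.pem"
    printf 'garbage\n' > "$arch/chain4.pem" # non-empty but not PEM
    # fullchain4.pem intentionally absent -> dangling symlink
    relink_to "$live" mydomain.tld 4
    echo "$base"
}

# Stand-alone demo on the constructed tree; on a real host you would run
# audit_live /etc/letsencrypt/live/mydomain.tld instead.
demo=$(make_demo_tree)
echo "== live/ pointing at broken generation 4 =="
audit_live "$demo/live/mydomain.tld"
relink_to "$demo/live/mydomain.tld" mydomain.tld 3
echo "== after relinking to generation 3 =="
audit_live "$demo/live/mydomain.tld"
rm -rf "$demo"
```

The audit deliberately checks only for a `-----BEGIN` line, which is the same condition OpenSSL's PEM reader fails on; a file that passes it can still be the wrong certificate, so after relinking, confirm the expiry date with `openssl x509 -noout -enddate -in /etc/letsencrypt/live/mydomain.tld/cert.pem` before restarting nginx.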
@pfg thanks for your help but it didn’t solve the problem.
Following the same idea I removed all the other files (*2.pem and *3.pem) and just kept *1.pem in archive/mydomain.tld. Changed the links, restarted nginx and - of course - it says the certificate expired.
Then I ran ./letsencrypt-auto renew --dry-run and everything was fine. After that I ran ./letsencrypt-auto renew and got the message "Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/mydomain.tld/fullchain.pem (success)".
Restarted nginx and still have the message in the browser that the certificate is expired… back to square 1…
If that shows a date 3 months from now, you’re probably looking at an nginx/configuration problem. Make sure your site is actually served by the server block in your first post (and not some other block that, for example, points directly to the now-expired /etc/letsencrypt/archive/mydomain.tld/cert1.pem), check that your nginx is actually restarting, etc.
Yes, the expiration date is correct and the nginx service is restarting correctly according to the logs…
BUT…
There was an nginx daemon running that wasn’t started as a service. Probably some command line test made ages ago… I’ve killed it and restarted the service and now everything is running fine. Thank you for your help!
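The root cause turned out to be a second nginx master, started by hand long ago, that the service restart never touched, so it kept serving the expired certificate. The following is an added example, not code from this thread: a POSIX shell check that lists nginx master processes which do not belong to the systemd unit. It reads `ps -eo pid,ppid,comm` style lines and compares them with the unit's MainPID; the sample process table is constructed for the demo, and the use of systemd's MainPID is an assumption about the host.

```shell
#!/bin/sh
# Added example, not from the thread: find nginx master processes that do not
# belong to the nginx service, which is what finally explained the "still
# expired" certificate here (a daemon started by hand kept serving the old
# cert while the service was restarted). Input is "PID PPID COMMAND" lines as
# printed by "ps -eo pid,ppid,comm"; the service's master PID comes from systemd.

# find_stray_nginx_masters MAINPID < ps_output
# Prints, one per line, every nginx process that is not MAINPID and whose
# parent is not itself an nginx process (workers are skipped, so only extra
# masters are reported). With MAINPID=0 (unit not running) every master shows.
find_stray_nginx_masters() {
    awk -v main="$1" '
        $3 == "nginx" { ppid[$1] = $2 }
        END {
            for (p in ppid)
                if (p != main && !(ppid[p] in ppid)) print p
        }' | sort -n
}

# service_main_pid UNIT: MainPID of a systemd unit ("0" if it is not running).
# Assumes systemd; on other init systems read the pid file named in nginx.conf.
service_main_pid() {
    systemctl show -p MainPID "$1" | cut -d= -f2
}

# Constructed sample process table: the service master is 1200 with two
# workers, and a second master 4321 (started from a shell long ago and
# reparented to PID 1) is still running with its own worker.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 systemd
 1200     1 nginx
 1201  1200 nginx
 1202  1200 nginx
 4321     1 nginx
 4322  4321 nginx
 5000     1 sshd'

# Stand-alone demo on the sample; on a real host run:
#   ps -eo pid,ppid,comm | find_stray_nginx_masters "$(service_main_pid nginx)"
echo "stray nginx masters in the sample (expected: 4321):"
printf '%s\n' "$SAMPLE_PS" | find_stray_nginx_masters 1200
```

Any PID the check prints is an nginx instance that `systemctl restart nginx` will not reload, so it should be stopped (or its origin found) before trusting a restart to pick up new certificate files.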