Need help with cert that won't renew

My domain is: weight-loss-center.net

I ran this command:
cd /opt/letsencrypt && /sbin/service httpd stop && ./letsencrypt-auto certonly --standalone --renew-by-default -d weight-loss-center.net -d www.weight-loss-center.net && /sbin/service httpd start

It produced this output:
No output. The certificate appears to have renewed because when I run /opt/letsencrypt/letsencrypt-auto renew the output says The following certs are not due for renewal yet: /etc/letsencrypt/live/weight-loss-center.net/fullchain.pem expires on 2019-09-11 Which is, indeed, three months from the date of renewal. BUT, when I visit the weight-loss-center.net website and click the padlock icon to review the cert info, it still shows a three month period starting in April and ending in June. That is not what I expect. I expect to see a three month period starting in June and ending in September.

My web server is (include version):
Server version: Apache/2.4.39 (cPanel) Server built: May 30 2019 20:14:04

The operating system my web server runs on is (include version):
CentOS release 6.10 (Final)

My hosting provider, if applicable, is:
Handy Networks

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I’m currently unable to determine the version. When I try to get the version using the certbot-auto --version command, I get the following error:
[root@server letsencrypt]# pwd /opt/letsencrypt [root@server letsencrypt]# ls -las certbot-auto 68 -rwxr-xr-x 1 root root 68023 Jun 12 21:37 certbot-auto [root@server letsencrypt]# certbot-auto --version -bash: certbot-auto: command not found

Occasionally I’ve noticed that browsers don’t immediately pull the newest cert, especially when the stored cert is still valid. I’m getting your old cert when I hit your site though :thinking:

About the certbot version, can you try certbot --version?

Edit:
Overlooked the --standalone flag in the question, @JuergenAuer’s answer should fix it

Hi @rwatson_ih

you have created two certificates ( https://check-your-website.server-daten.de/?q=weight-loss-center.net#ct-logs ):

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
964649051 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-06-13 03:47:17 2019-09-11 03:47:17 weight-loss-center.net, www.weight-loss-center.net - 2 entries duplicate nr. 2
964645914 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-06-13 03:45:21 2019-09-11 03:45:21 weight-loss-center.net, www.weight-loss-center.net - 2 entries duplicate nr. 1

But you don’t use one of these, instead, there is the old certificate:

CN=weight-loss-center.net
	02.04.2019
	01.07.2019
expires in 18 days	
weight-loss-center.net, www.weight-loss-center.net - 2 entries

certonly doesn’t install a certificate.

And you use --standalone.

Try something like

./letsencrypt-auto -d weight-loss-center.net -d www.weight-loss-center.net

Certbot should find the certificate and should ask, if you want to install it.

If you use letsencrypt-auto, use

./letsencrypt-auto --version

to find your version.

1 Like

Thanks for verifying that I’m not crazy. :slight_smile: I tried certbot --version but same result.

Here is the output of the ./letsencrypt-auto -d weight-loss-center.net -d www.weight-loss-center.net command:

`[root@server letsencrypt]# ./letsencrypt-auto -d weight-loss-center.net -d www.weight-loss-center.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/weight-loss-center.net.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Deploying Certificate to VirtualHost /etc/apache2/conf/httpd.conf
Deploying Certificate to VirtualHost /etc/apache2/conf/httpd.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Failed redirect for weight-loss-center.net
Unable to set enhancement redirect for weight-loss-center.net
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:

  • We were unable to set up enhancement redirect for your server,
    however, we successfully installed your certificate.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/weight-loss-center.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/weight-loss-center.net/privkey.pem
    Your cert will expire on 2019-09-11. To obtain a new or tweaked
    version of this certificate in the future, simply run
    letsencrypt-auto again with the “certonly” option. To
    non-interactively renew all of your certificates, run
    “letsencrypt-auto renew”`

So I’m guessing that soon I should see the cert expiring in September and not in July like it is now?

The version according to ./letsencrypt-auto --version is ./letsencrypt-auto --version

This appears to have worked on my end, I can see the end date for the cert is now in September

Ah. Now I see that it is expiring in September as I intended. So my final question is, how do I make this happen automatically. I thought that by putting this:

0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew

into crontab that it would do the job each month so I could just stop thinking about it. But it hasn’t been renewing each month as I thought it would. Do I instead use ./letsencrypt-auto -d weight-loss-center.net -d www.weight-loss-center.net in the crontab entry?

Option 1 would be enough. There is a rate limit.

That’s bad, your configuration is buggy.

Now your website uses the new certificate ( https://check-your-website.server-daten.de/?q=weight-loss-center.net ):

Both connections are secure:

Domainname Http-Status redirect Sec. G
http://weight-loss-center.net/
173.248.187.158 301 https://weight-loss-center.net/ 0.453 A
http://www.weight-loss-center.net/
173.248.187.158 301 https://www.weight-loss-center.net/ 0.423 A
https://weight-loss-center.net/
173.248.187.158 200 2.296 B
https://www.weight-loss-center.net/
173.248.187.158 200 2.220 B

The certificate is new.

CN=weight-loss-center.net
	13.06.2019
	11.09.2019
expires in 90 days	
weight-loss-center.net, www.weight-loss-center.net - 2 entries

No. Never add such parameters to your crontab. Only renew.

Unless configured otherwise, the renew command only renews certificates that need to be renewed – by default, those that will expire in less than 30 days.

It’s suggested to run it twice a day at random times of the day, to even out the server load, and so that one transient failure won’t lead to your certificate expiring.

One package’s cron job is similar to:

0 */12 * * * perl -e 'sleep int(rand(43200))' && /opt/letsencrypt/letsencrypt-auto renew

Thanks. What does perl -e 'sleep int(rand(43200))' do in this chained command?

Edit: Oh, I think I get it. That’s the “random times of the day” part, right?

1 Like

Yes, that’s it. :slightly_smiling_face: The cron job runs every 12 hours and sleeps a random amount of time, up to 12 hours, each time.

I’m still experiencing problems with this certificate. I thought it had renewed back in June when I did the renewal process described in this thread. But it expired today. I just ran the renewal process again and now there is a new expire date of October 2019. However, weight-loss-center.net still reports the old certificate. I can’t figure out why it isn’t working. Can you help?

You have a

Server: LiteSpeed

I have no idea how that works. So check the documentation to find the SSL configuration.

And you have created a lot of certificates, one today. But you don’t use it.

You have used certonly, so you have to install the certificate manual.

I have no idea, either. I had been using https://zerossl.com/free-ssl to generate these and was attempting to automate things by installing LE as root on the server, but apparently that creates a whole other setup that my hosting is unable to detect at all. I’m just going to have to use https://zerossl.com/free-ssl forever, I guess. I wish this stuff was easier than this.

There

you had an Apache.

Why is there now a Litespeed running?

Now ( https://check-your-website.server-daten.de/?q=weight-loss-center.net )

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-07-03 2019-10-01 weight-loss-center.net, www.weight-loss-center.net - 2 entries duplicate nr. 3
Let’s Encrypt Authority X3 2019-07-03 2019-10-01 weight-loss-center.net, www.weight-loss-center.net - 2 entries duplicate nr. 2
Let’s Encrypt Authority X3 2019-07-03 2019-10-01 weight-loss-center.net, www.weight-loss-center.net - 2 entries duplicate nr. 1

you have three certificates, created today.

So certificate creation works. But you must install one of these.

Yes. LiteSpeed must be the web server that WHM is handling certs for when I do this renewal manually through the WHM console. When I do it at the command line, it seems to be doing it using Apache. So, WHM is not showing me that cert when I try to select it in WHM. WHM has some AutoSSL renewal feature, but it doesn’t seem to be set up or working correctly.

You have a WHM?

There

your answer is “No”.

Never mix Control panels with own installed Certbots or other clients. That can’t work.

And if the integrated solution doesn’t work, ask your hoster. Then the WHM has started a rollback -> the old certificate is used again.

Lesson learned. Thanks.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.