My certificate has multiple domains and all but one are renewed properly. So one domain is expired.
My web server is: nginx/1.14.0
The operating system: Ubuntu 18.04.2 LTS
Certbot: certbot 0.23.0
So “certbot certificates”-command shows me that these certificates are not expired:
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: mail.kilbailu.fi
Domains: kilbailu.fi api.kilbailu.fi attraction.fi dev.kilbailu.fi mail.attraction.fi mail.kilbailu.fi mu.attraction.fi www.attraction.fi www.kilbailu.fi
**Expiry Date: 2019-10-01 03:44:28+00:00 (VALID: 78 days)**
Certificate Path: /etc/letsencrypt/live/mail.kilbailu.fi/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.kilbailu.fi/privkey.pem
-------------------------------------------------------------------------------
So it is understandable that “certbot renew” doesn’t renew the certificates:
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.kilbailu.fi.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------
Yet “api.kilbailu.fi” is expired when visiting https://api.kilbailu.fi/ address with browser. Service nginx is reloaded and restarted multiple times so that new certificates should be in use (all other domains are).
Running “certbot renew --force-renewal” will update certificates properly and without errors:
# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.kilbailu.fi.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kilbailu.fi
http-01 challenge for api.kilbailu.fi
http-01 challenge for attraction.fi
http-01 challenge for dev.kilbailu.fi
http-01 challenge for mail.attraction.fi
http-01 challenge for mail.kilbailu.fi
http-01 challenge for mu.attraction.fi
http-01 challenge for www.attraction.fi
http-01 challenge for www.kilbailu.fi
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/mail.kilbailu.fi/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mail.kilbailu.fi/fullchain.pem (success)
-------------------------------------------------------------------------------
So now all certificates should be renewed (right?). After restarting nginx “api.kilbailu.fi” is still expired. All other domains are renewed properly. I did not notice anything strange in log files although this is not surprising since there are no errors given the certbot-command. I would have uploaded the log file here but apparently I’m not allowed to do that.
What am I missing?