One certificate not renewed (even with --force-renewal)

My certificate has multiple domains and all but one are renewed properly. So one domain is expired.

My web server is: nginx/1.14.0
The operating system: Ubuntu 18.04.2 LTS
Certbot: certbot 0.23.0

So the “certbot certificates” command shows me that these certificates are not expired:

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: mail.kilbailu.fi
    Domains: kilbailu.fi api.kilbailu.fi attraction.fi dev.kilbailu.fi mail.attraction.fi mail.kilbailu.fi mu.attraction.fi www.attraction.fi www.kilbailu.fi
    Expiry Date: 2019-10-01 03:44:28+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/mail.kilbailu.fi/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.kilbailu.fi/privkey.pem
-------------------------------------------------------------------------------

So it is understandable that “certbot renew” doesn’t renew the certificates:

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.kilbailu.fi.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------

Yet “api.kilbailu.fi” shows as expired when visiting the https://api.kilbailu.fi/ address with a browser. The nginx service has been reloaded and restarted multiple times so that the new certificates should be in use (they are for all other domains).

Running “certbot renew --force-renewal” will update certificates properly and without errors:

# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.kilbailu.fi.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kilbailu.fi
http-01 challenge for api.kilbailu.fi
http-01 challenge for attraction.fi
http-01 challenge for dev.kilbailu.fi
http-01 challenge for mail.attraction.fi
http-01 challenge for mail.kilbailu.fi
http-01 challenge for mu.attraction.fi
http-01 challenge for www.attraction.fi
http-01 challenge for www.kilbailu.fi
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/mail.kilbailu.fi/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mail.kilbailu.fi/fullchain.pem (success)
-------------------------------------------------------------------------------

So now all certificates should be renewed (right?). After restarting nginx, “api.kilbailu.fi” is still expired. All other domains are renewed properly. I did not notice anything strange in the log files, although this is not surprising since the certbot command gives no errors. I would have uploaded the log file here but apparently I’m not allowed to do that.

What am I missing?

Well, the certificate did renew, because your other domains have had their renewal date pushed forward:

$ openssl s_client -connect mail.kilbailu.fi:443 -showcerts 2>/dev/null | openssl x509 -noout -dates
notBefore=Jul 14 05:19:45 2019 GMT
notAfter=Oct 12 05:19:45 2019 GMT

So the problem is that your nginx virtualhost for api.kilbailu.fi is not using the certificate from /etc/letsencrypt/live/mail.kilbailu.fi.

If you run:

certbot certificates

and compare that list of certificates to your nginx configuration, you may find that api.kilbailu.fi is using a different certificate entirely.

Perhaps also look at:

grep -Ri ssl_certificate /etc/nginx

Yes, you are correct. For some reason I totally missed that.

The api.kilbailu.fi nginx conf was:
# SSL Certificates
ssl_certificate /etc/letsencrypt/live/mail.attraction.fi/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.attraction.fi/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mail.attraction.fi/fullchain.pem;

Now it is as it should be:
# SSL Certificates
ssl_certificate /etc/letsencrypt/live/mail.kilbailu.fi/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.kilbailu.fi/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mail.kilbailu.fi/fullchain.pem;

After restarting the server everything works. Thank you.

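The check suggested in the answer (compare `certbot certificates` against every `ssl_certificate` in the nginx config) can be automated. The script below is an added example, not part of the thread or of certbot; it parses both outputs and flags any server_name whose vhost points at a lineage certbot does not list, or at a lineage whose SANs do not cover that name. The inputs are constructed from the thread: the single lineage certbot reported, the "was" vhost for api.kilbailu.fi, and a made-up blog.kilbailu.fi host.

```python
import re

def parse_certbot_certificates(text):
    """Map each lineage name in `certbot certificates` output to its domain set."""
    lineages, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Domains:") and name:
            lineages[name] = set(line.split(":", 1)[1].split())
    return lineages
def parse_nginx_servers(conf):
    """Return (server_names, ssl_certificate path) for each server block that sets one."""
    conf, out, pos = re.sub(r"#[^\n]*", "", conf), [], 0   # strip comments first
    while (m := re.search(r"\bserver\s*\{", conf[pos:])):
        start = end = pos + m.end()
        depth = 1
        while depth and end < len(conf):   # brace matching, so nested location {} is fine
            depth += {"{": 1, "}": -1}.get(conf[end], 0)
            end += 1
        body = conf[start:end - 1]
        names = {n for sm in re.finditer(r"\bserver_name\s+([^;]+);", body) for n in sm.group(1).split()}
        cert = re.search(r"\bssl_certificate\s+([^;]+);", body)   # \s+ excludes ssl_certificate_key
        if cert:
            out.append((names, cert.group(1).strip()))
        pos = end
    return out
def audit(nginx_conf, certbot_output):
    """List (server_name, cert_path, reason) for vhosts whose cert certbot will not keep valid."""
    lineages, findings = parse_certbot_certificates(certbot_output), []
    for names, path in parse_nginx_servers(nginx_conf):
        m = re.search(r"/etc/letsencrypt/live/([^/]+)/", path)
        lineage = m.group(1) if m else None
        for name in sorted(names):
            if lineage not in lineages:
                findings.append((name, path, "lineage not listed by certbot"))
            elif name not in lineages[lineage]:   # exact SAN match only; wildcards not handled
                findings.append((name, path, f"not a SAN of lineage {lineage}"))
    return findings

# Constructed inputs modelled on the thread (blog.kilbailu.fi is made up for the demo).
CERTBOT_OUT = """  Certificate Name: mail.kilbailu.fi
    Domains: kilbailu.fi api.kilbailu.fi attraction.fi dev.kilbailu.fi mail.attraction.fi mail.kilbailu.fi mu.attraction.fi www.attraction.fi www.kilbailu.fi"""
NGINX_CONF = """server { listen 443 ssl; server_name api.kilbailu.fi;
  ssl_certificate /etc/letsencrypt/live/mail.attraction.fi/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mail.attraction.fi/privkey.pem;
  location / { proxy_pass http://127.0.0.1:8080; } }
server { listen 443 ssl; server_name www.kilbailu.fi blog.kilbailu.fi;  # blog is constructed
  ssl_certificate /etc/letsencrypt/live/mail.kilbailu.fi/fullchain.pem; }"""
```

On a real host, feed it `certbot certificates` output and the concatenation of the files `grep -Ril ssl_certificate /etc/nginx` returns; an empty finding list means every TLS vhost is served from a lineage certbot renews.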