Privacy error is returned even after renewing the certificate

Hello

On 4th of October 2020, the domain, jpslabo.com, began returning a privacy error for the certificate registered with Let's Encrypt. The certificate had never returned the error before this date and the auto-renewal is configured as recommended by AWS. I also tried manually renewing the certificate as described below with no luck. How can I remove the invalid certificate error from the domain?

My domain is: jpslabo.com

I ran this command: ./certbot-auto certonly and select 1: Apache Web Server plugin (apache)

It produced this output:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/jpslabo.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/jpslabo.com/privkey.pem
    Your cert will expire on 2021-02-03. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    "certbot-auto renew"

My web server is (include version): AWS EC2 t2.2xlarge

The operating system my web server runs on is (include version): AMI Linux 2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Try restarting your apache webserver (not your OS) so that the new certificate is served:

sudo service httpd restart

1 Like

Hi @nutzer

certonly doesn't install the certificate.

So at a minimum you must restart your webserver. If not, the old certificate is used.

1 Like

Thank you. Rebooting has indeed resolved the error.

Is there a way to prevent the certificate error from happening again?

Add this to your certbot command:

--deploy-hook "sudo service httpd restart"

2 Likes

Thank you, I replaced the line in crontab with the following:

39 1,13 * * * root certbot renew --deploy-hook "sudo service httpd restart"

I'm hoping this fixes the problem for good!

1 Like

You can do that.

You can also run your original certbot command again with the deploy hook and select to acquire another certificate even though you're not near renewal. This will result in using the deploy hook (thus testing it) and updating your renewal configuration. Then your renewal in your crontab is just:

certbot renew

Either way is up to you.
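The failure in this thread (certonly wrote a fresh certificate to disk, but httpd kept serving the old one until it was restarted) is easy to detect from the outside. The following check is an added example, not code from the thread or from Certbot: it fetches the leaf certificate a host actually presents and compares its SHA-256 fingerprint with the first certificate in the lineage's fullchain.pem. The domain jpslabo.com and the /etc/letsencrypt/live path are taken from the thread; the script and function names are assumptions.

```python
"""Compare the certificate a server presents with the one certbot wrote to disk.
A mismatch means the renewal worked but the web server was never reloaded."""
import hashlib
import socket
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def first_cert(pem_text: str) -> str:
    """Return the first certificate block in PEM text.
    fullchain.pem holds the leaf first, followed by the intermediates."""
    start = pem_text.index(PEM_HEADER)
    end = pem_text.index(PEM_FOOTER, start) + len(PEM_FOOTER)
    return pem_text[start:end]


def sha256_fingerprint(pem_text: str) -> str:
    """Hex SHA-256 over the DER encoding of the first certificate in the text."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first_cert(pem_text))).hexdigest()


def served_matches_disk(served_pem: str, disk_pem: str) -> bool:
    """True when the presented leaf is byte-identical to the on-disk leaf."""
    return sha256_fingerprint(served_pem) == sha256_fingerprint(disk_pem)


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes as PEM; used here to build constructed sample input."""
    return ssl.DER_cert_to_PEM_cert(der)


def fetch_served_cert(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the leaf certificate presented for `host` (with SNI) as PEM.
    Verification is disabled on purpose: we want to see the cert even when it is stale."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "jpslabo.com"
    with open(f"/etc/letsencrypt/live/{domain}/fullchain.pem") as fh:
        on_disk = fh.read()
    if served_matches_disk(fetch_served_cert(domain), on_disk):
        print("OK: the server presents the certificate certbot wrote to disk")
    else:
        print("MISMATCH: reload httpd, or check that the deploy hook ran")
        sys.exit(1)
```

Run it after `certbot renew` (or from the same cron line) to confirm the deploy hook actually put the new certificate into service.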