Problem with Certbot renew

Joshua · October 26, 2020, 8:27am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.gemeinde-trierweiler.de

I ran this command: certbot certonly www.gemeinde-trierweiler.de / certbot certonly gemeinde-trierweiler.de

It produced this output: Congratulations! Your Certificate has been renewed

My web server is (include version):

The operating system my web server runs on is (include version): Debian GNU/Linux 5

My hosting provider, if applicable, is: strato.de

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

--

So my problem is that if I run certbot certonly gemeinde-trierweiler.de he gives me a positive output that my certficate has been successfully renewed, but if I visit the site, there's still the old certificate. Maybe I'm doing something really wrong. Certbot saves the certficate in a specific path, yet I don't know anymore what to do else. Thank you for your help

JuergenAuer · October 26, 2020, 8:31am

Hi @Joshua

certonly doesn't install and restart your webserver.

Did you restart your webserver?

Joshua · October 26, 2020, 8:40am

Tried that aswell already, I tried something else now... I just selected the temporary webserver option, let me restart it real quick again ...

Sorry, I am kind of new to certbot and stuff..

Thank you for your reply!

griffin · October 26, 2020, 8:46am

Welcome to the Let's Encrypt Community

You've already successfully acquired a certificate, so acquiring another one a different way will not help.

We need to fix your installation of the certificate.

Complete Certificate History

Joshua · October 26, 2020, 8:53am

Thank you very much!

How can we fix the certificate installation?

Thank you so much for your help.

griffin · October 26, 2020, 8:54am

Please try using this command:
certbot run --apache -d "www.gemeinde-trierweiler.de,gemeinde-trierweiler.de" --keep-until-expiring

Note: Your most recent certificate included www.gemeinde-trierweiler.de, but did not include gemeinde-trierweiler.de, which may cause you problems. We can fix that too.

JuergenAuer · October 26, 2020, 9:03am

Now checked your domain - https://check-your-website.server-daten.de/?q=gemeinde-trierweiler.de

You have created one correct certificate:

Issuer	not before	not after	Domain names	LE-Duplicate	next LE
Let's Encrypt Authority X3	2020-10-20	2021-01-18	gemeinde-trierweiler.de, www.gemeinde-trierweiler.de - 2 entries	duplicate nr. 1
Let's Encrypt Authority X3	2020-10-06	2021-01-04	gemeinde-trierweiler.de - 1 entries

That from 2020-10-20 is good.

But it's not used, so Certbot doesn't understand your configuration. And your configuration (see your redirects) looks inconsistent.

What says

apachectl -S
certbot certificates

A port 80 vHost with both domain names is required, so Certbot can use that as template to create the port 443 vHost.

PS: It's wrong to create a new certificate if the certificate already exists. There is a rate limit. So don't create a new certificate if you have already one created.

Joshua · October 26, 2020, 9:07am

Alright, I did what you told me to do.

Got the same return now: Congratulations! Your certificate and chain have been saved at: [...]
Your key file has been saved at [...]
Your cert will expire on 2021-01-18. [...]

Joshua · October 26, 2020, 9:08am

Thank you very much!

Yeah, I thought so. I mean I've seen the .pem file aswell on the linux server itself but I just can't figure out how to install it or how to tell my webserver to use this certificate ...

Thank you

griffin · October 26, 2020, 9:09am

@JuergenAuer

I agree. I was hoping that the command I gave Joshua would set the live symlink to that certificate instead of the newer one that does not include gemeinde-trierweiler.de.

griffin · October 26, 2020, 9:10am

We're there! (Your certificate is now installed correctly.)

griffin · October 26, 2020, 9:13am

Now you just need to fix your redirects...

The 302 here should be a 301 to https://gemeinde-trierweiler.de :

Screenshot_20201026-024135_Samsung Internet

The 302 here should be removed entirely:

Screenshot_20201026-024045_Samsung Internet

You also want to make sure that http://www.gemeinde-trierweiler.de has a single 301 redirect to https://www.gemeinde-trierweiler.de.

In short (all 301):

Joshua · October 26, 2020, 9:25am

Thank you so much guys!!

I'll try to remove the redirects aswell... thank you!!!!

griffin · October 26, 2020, 9:26am

You're very welcome. If your redirects end up as I've described, you will be in grand shape!

You might test your renewal just to be sure you'll end up with the right certificate. It should include both domain names (www.gemeinde-trierweiler.de and gemeinde-trierweiler.de).

certbot renew --dry-run

As @JuergenAuer mentioned earlier, you can use the following to view your certificates:
certbot certificates

Note the name of any certificate that does not include both www.gemeinde-trierweiler.de and gemeinde-trierweiler.de.

You can use the following to delete any useless certificates to keep them from renewing:
certbot delete --cert-name name

Joshua · October 26, 2020, 9:42am

Alright. Thank you a lot guys, you saved me a load of my nerves.

griffin · October 26, 2020, 9:44am

Happy to help! If you have any other questions or run into any further trouble, you know where to find us. Be well and godspeed!

Osiris · October 26, 2020, 12:26pm

@griffin That's the default, right? Why do you specifically add it to the command line? Might be confusing to some.

griffin · October 26, 2020, 3:54pm

@Osiris

Because --keep-until-expiring is not the default for certonly or run. It should be though (and require --force-renewal to override). This is the reason why we get so many rate-limited visitors! Almost no one knows about --force-renewal, which is why renew is a safe command.

--keep-until-expiring, --keep, --reinstall

If the requested certificate matches an existing certificate, always keep the existing one until it is due for renewal (for the 'run' subcommand this means reinstall the existing certificate). (default: Ask)

To make matters worse:

If a certificate is requested with run or certonly specifying a certificate name that already exists, Certbot updates the existing certificate. Otherwise a new certificate is created and assigned the specified name.

https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

Osiris · October 26, 2020, 4:14pm

I think that's just partially true, as your quote already says (what I should have known): the user gets a question about what to do. So strictly speaking it's the users "fault", probably due to too little knowledge about what to do.

Eh, no, that's not worse: using --cert-name obviously overwrites the previous certificate if a new certificate is issued. That's the point of that paragraph.

griffin · October 26, 2020, 4:15pm

~~And does not ask anything in regards to not being near expiry.~~ If you naively specify to do so.

Even if a certificate already exists with the specified domain names that is not near expiry. (Does this one still happen, @Osiris?)

Topic		Replies	Views
Certificate renew Help	6	515	May 12, 2023
Cert renew issue Help	20	3738	November 13, 2018
Certificate renewal issues Help	4	1043	December 15, 2022
Certbot certonly --webroot ... Exit 1 Help	18	1744	July 13, 2022
Certbot renew fails Help	27	992	November 24, 2020

Problem with Certbot renew

Related topics