Problem with Certbot renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.gemeinde-trierweiler.de

I ran this command: certbot certonly www.gemeinde-trierweiler.de / certbot certonly gemeinde-trierweiler.de

It produced this output: Congratulations! Your Certificate has been renewed

My web server is (include version):

The operating system my web server runs on is (include version): Debian GNU/Linux 5

My hosting provider, if applicable, is: strato.de

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

--

So my problem is that if I run certbot certonly gemeinde-trierweiler.de he gives me a positive output that my certficate has been successfully renewed, but if I visit the site, there's still the old certificate. Maybe I'm doing something really wrong. Certbot saves the certficate in a specific path, yet I don't know anymore what to do else. Thank you for your help

2 Likes

Hi @Joshua

certonly doesn't install and restart your webserver.

Did you restart your webserver?

3 Likes

Tried that aswell already, I tried something else now... I just selected the temporary webserver option, let me restart it real quick again ...

Sorry, I am kind of new to certbot and stuff.. :slight_smile:

Thank you for your reply!

3 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

You've already successfully acquired a certificate, so acquiring another one a different way will not help.

We need to fix your installation of the certificate.


Complete Certificate History

2 Likes

Thank you very much!

How can we fix the certificate installation?

Thank you so much for your help. :slight_smile:

3 Likes

Please try using this command:
certbot run --apache -d "www.gemeinde-trierweiler.de,gemeinde-trierweiler.de" --keep-until-expiring

Note: Your most recent certificate included www.gemeinde-trierweiler.de, but did not include gemeinde-trierweiler.de, which may cause you problems. We can fix that too.

3 Likes

Now checked your domain - https://check-your-website.server-daten.de/?q=gemeinde-trierweiler.de

You have created one correct certificate:

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2020-10-20 2021-01-18 gemeinde-trierweiler.de, www.gemeinde-trierweiler.de - 2 entries duplicate nr. 1
Let's Encrypt Authority X3 2020-10-06 2021-01-04 gemeinde-trierweiler.de - 1 entries

That from 2020-10-20 is good.

But it's not used, so Certbot doesn't understand your configuration. And your configuration (see your redirects) looks inconsistent.

What says

apachectl -S
certbot certificates

A port 80 vHost with both domain names is required, so Certbot can use that as template to create the port 443 vHost.

PS: It's wrong to create a new certificate if the certificate already exists. There is a rate limit. So don't create a new certificate if you have already one created.

3 Likes

Alright, I did what you told me to do.

Got the same return now: Congratulations! Your certificate and chain have been saved at: [...]
Your key file has been saved at [...]
Your cert will expire on 2021-01-18. [...]

2 Likes

Thank you very much!

Yeah, I thought so. I mean I've seen the .pem file aswell on the linux server itself but I just can't figure out how to install it or how to tell my webserver to use this certificate ...

Thank you

3 Likes

@JuergenAuer

I agree. I was hoping that the command I gave Joshua would set the live symlink to that certificate instead of the newer one that does not include gemeinde-trierweiler.de.

3 Likes

We're there! (Your certificate is now installed correctly.) :slightly_smiling_face:

:partying_face:

3 Likes

Now you just need to fix your redirects...

The 302 here should be a 301 to https://gemeinde-trierweiler.de :

Screenshot_20201026-024135_Samsung Internet

The 302 here should be removed entirely:

Screenshot_20201026-024045_Samsung Internet

You also want to make sure that http://www.gemeinde-trierweiler.de has a single 301 redirect to https://www.gemeinde-trierweiler.de.

In short (all 301):

3 Likes

Thank you so much guys!!

I'll try to remove the redirects aswell... thank you!!!!

3 Likes

You're very welcome. :slightly_smiling_face: If your redirects end up as I've described, you will be in grand shape!

You might test your renewal just to be sure you'll end up with the right certificate. It should include both domain names (www.gemeinde-trierweiler.de and gemeinde-trierweiler.de).

certbot renew --dry-run


As @JuergenAuer mentioned earlier, you can use the following to view your certificates:
certbot certificates

Note the name of any certificate that does not include both www.gemeinde-trierweiler.de and gemeinde-trierweiler.de.

You can use the following to delete any useless certificates to keep them from renewing:
certbot delete --cert-name name

3 Likes

Alright. Thank you a lot guys, you saved me a load of my nerves. :smiley:

3 Likes

Happy to help! :slightly_smiling_face: If you have any other questions or run into any further trouble, you know where to find us. Be well and godspeed! :wave:

3 Likes

@griffin That's the default, right? Why do you specifically add it to the command line? Might be confusing to some.

3 Likes

@Osiris

Because --keep-until-expiring is not the default for certonly or run. It should be though (and require --force-renewal to override). This is the reason why we get so many rate-limited visitors! Almost no one knows about --force-renewal, which is why renew is a safe command.

--keep-until-expiring, --keep, --reinstall

If the requested certificate matches an existing certificate, always keep the existing one until it is due for renewal (for the 'run' subcommand this means reinstall the existing certificate). (default: Ask)

To make matters worse:

If a certificate is requested with run or certonly specifying a certificate name that already exists, Certbot updates the existing certificate. Otherwise a new certificate is created and assigned the specified name.

1 Like

I think that's just partially true, as your quote already says (what I should have known): the user gets a question about what to do. So strictly speaking it's the users "fault", probably due to too little knowledge about what to do.

Eh, no, that's not worse: using --cert-name obviously overwrites the previous certificate if a new certificate is issued. That's the point of that paragraph.

2 Likes

And does not ask anything in regards to not being near expiry. If you naively specify to do so.

Even if a certificate already exists with the specified domain names that is not near expiry. (Does this one still happen, @Osiris?)

1 Like