Renew CERT on expired one ERROR

Using WordPress on my personal Windows server.
I made an SSL cert 2 months ago, but the auto-renew cron does not work automatically.
So my certificate expired yesterday.

certbot certificates says:
Found the following certs:
Certificate Name: altifilm.fr
Serial Number: 36c584d8239cceac6f7e068452688756b4c
Key Type: RSA
Domains: altifilm.fr ddbsi.fr plandrone.fr
Expiry Date: 2022-05-26 09:18:29+00:00 (INVALID: EXPIRED)
Certificate Path: C:\Certbot\live\altifilm.fr\fullchain.pem
Private Key Path: C:\Certbot\live\altifilm.fr\privkey.pem

When I do a certbot renew, all seems good in the messages:
Processing C:\Certbot\renewal\altifilm.fr.conf


Renewing an existing certificate for altifilm.fr and 2 more domains


Congratulations, all renewals succeeded:
C:\Certbot\live\altifilm.fr\fullchain.pem (success)

And when I ask for certificates afterwards, all seems OK:
Found the following certs:
Certificate Name: altifilm.fr
Serial Number: 36c584d8239cceac6f7e068452688756b4c
Key Type: RSA
Domains: altifilm.fr ddbsi.fr plandrone.fr
Expiry Date: 2022-08-24 18:30:56+00:00 (VALID: 89 days)
Certificate Path: C:\Certbot\live\altifilm.fr\fullchain.pem
Private Key Path: C:\Certbot\live\altifilm.fr\privkey.pem

But when I request my site, I still get err cert expired from all browsers... It seems like the internet authority is not informed of my renewed certificate.
Is it really possible to renew a certificate just after the day it has expired?
If yes, what's going wrong?

Thanks

Welcome to the community @Panza

Your new certificate was issued but your server is not sending it out.

Did you restart Apache after getting the new cert?

You did not show the certbot command you used to request the cert. Some forms will restart Apache for you but some options do not.

If that doesn't solve the problem, please show the certbot command options.


Thanks, I restarted the whole computer and system...
I don't remember the certbot command I used to request the first time... it was 45 days old...
How do I show you the certbot command options?

Actually, I'd like to see your Apache details first. Can you show result of this:

httpd.exe -S

VirtualHost configuration:
*:80 localhost (D:/wamp64/bin/apache/apache2.4.51/conf/extra/httpd-vhosts.conf:3)
*:443 localhost (D:/wamp64/bin/apache/apache2.4.51/conf/extra/httpd-vhosts.conf:20)
ServerRoot: "D:/wamp64/bin/apache/apache2.4.51"
Main DocumentRoot: "D:/wamp64/www"
Main ErrorLog: "D:/wamp64/logs/apache_error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="D:/wamp64/bin/apache/apache2.4.51/logs/" mechanism=default
Mutex authdigest-opaque: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "D:/wamp64/bin/apache/apache2.4.51/logs/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: APACHE24=Apache2.4
Define: VERSION_APACHE=2.4.51
Define: INSTALL_DIR=d:/wamp64
Define: APACHE_DIR=d:/wamp64/bin/apache/apache2.4.51
Define: SRVROOT=d:/wamp64/bin/apache/apache2.4.51

And can you show the contents of this file? Thanks


I think you're looking for this:
SSLEngine on
SSLCertificateFile "${INSTALL_DIR}/ssl/certs/fullchain.pem"
SSLCertificateKeyFile "${INSTALL_DIR}/ssl/keys/privkey.pem"
SSLCertificateChainFile "${INSTALL_DIR}/ssl/certs/fullchain.pem"
Those files are effectively the old ones... I don't know where certbot generates the new ones.


Certbot placed them here. It looks like you made a copy of them to the folder named by Apache. So, you need to copy them there again. Or, change your Apache to refer directly to the certbot live folder.

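Added example, not part of the thread or of Certbot: a way to confirm that Apache's copied certificate has fallen behind the one Certbot renewed, by comparing leaf fingerprints. The function names are hypothetical, the Apache path assumes `INSTALL_DIR=d:/wamp64` from the `httpd.exe -S` output above, and the PEM blocks in the demo are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def stale_copies(certbot_pem, copies):
    """Names of the copies whose leaf differs from the one Certbot currently holds."""
    current = leaf_fingerprint(certbot_pem)
    return sorted(n for n, pem in copies.items() if leaf_fingerprint(pem) != current)

def served_fingerprint(host, port=443):
    """Leaf the server really sends; no validation, so an expired cert is still fetched."""
    return leaf_fingerprint(ssl.get_server_certificate((host, port)))

def sample_pem(payload):
    """Constructed stand-in for a PEM certificate (arbitrary bytes, not real X.509)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Constructed data mirroring the thread: Certbot renewed, the D: copy did not change.
    chain = sample_pem(b"constructed intermediate")
    renewed = sample_pem(b"constructed leaf, renewed") + chain
    old = sample_pem(b"constructed leaf, expired") + chain
    copies = {"d:/wamp64/ssl/certs/fullchain.pem": old}
    print(stale_copies(renewed, copies))
    # On the real host, read C:\Certbot\live\altifilm.fr\fullchain.pem and the Apache
    # copy from disk instead, and compare both with served_fingerprint("altifilm.fr").
```

If the file on disk matches Certbot's but `served_fingerprint` does not, Apache has not reloaded the file yet.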

You put me on the right track, thanks Mike.
Certbot is installed on C:, it generates certs on C:.
I missed that my copy for WP was on D:...
I was unable to find certs in the LIVE directory. I found fullchain2 and privkey2 in the archive directory.
I renamed them and copied them to D:...
Why is live empty?

There should be symlinks in LIVE that point to the latest files in ARCHIVE. Normally you have your server use the file names in LIVE and those are always the latest.

I don't know Certbot and Windows all that well to know why the symbolic links would not exist. Did you run certbot with admin privileges?

What does this look like?

dir /s C:\Certbot 

What did you do?


LIVE has symlink shortcuts, yes, but they point to nothing.
I used the last fullchain and privkey files in the archive dir, renamed them and put them in my WP/ssl dir...
Thanks, all is working now.

I took the last privkey and fullchain in the archive dir. It was fullchain1.pem, renamed as fullchain.pem and placed in the correct WP dir.

Did you do something like that when you first got the cert too?

Because I think you broke the symlink when you renamed the target file in ARCHIVE
(I just tried something similar on a Windows machine)

You could try this:

certbot update_symlinks

Whoa... I have an error... altifilm.fr works but www.altifilm.fr does not: NET::ERR_CERT_COMMON_NAME_INVALID

You never created a cert that included the www name. Look at the domain names in the cert in your first post.

You need to add the www names to your certbot command too.


I really don't remember how I got those...
Must I run certbot certonly -d www.altifilm.fr?
Will it be added without erasing the others?

Not that way.
You need a new cert with both names on it:
certbot certonly -d altifilm.fr -d www.altifilm.fr

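Added example, not part of the thread or of Certbot: a check of which hostnames a certificate covers, run over the `Domains:` line of `certbot certificates` output copied from the first post. The function names are hypothetical, and the wildcard rule goes beyond the thread, which only involves exact names.

```python
# Output lines copied from the first post of this thread.
SAMPLE = """\
Found the following certs:
  Certificate Name: altifilm.fr
    Domains: altifilm.fr ddbsi.fr plandrone.fr
    Expiry Date: 2022-08-24 18:30:56+00:00 (VALID: 89 days)
"""

def parse_domains(certbot_output):
    """Map each certificate name to the list of names on its Domains line."""
    certs, name = {}, None
    for line in certbot_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Certificate Name":
            name = value.strip()
        elif key == "Domains" and name:
            certs[name] = value.split()
    return certs

def covers(san, host):
    """Exact match, or a '*.' wildcard standing for exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def uncovered(sans, hosts):
    """Hostnames a browser would reject because no name on the cert matches them."""
    return [h for h in hosts if not any(covers(s, h) for s in sans)]

if __name__ == "__main__":
    sans = parse_domains(SAMPLE)["altifilm.fr"]
    # www.altifilm.fr is not on the certificate, hence the name-mismatch error.
    print(uncovered(sans, ["altifilm.fr", "www.altifilm.fr"]))
```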
