Yesterday I renewed my Let's Encrypt certificate for my subdomain heidelberg.yaroscloud.com, because it expires on December 16, so I ran this command to renew:
$ sudo /opt/certbot/letsencrypt-auto certonly -a standalone -d heidelberg.yaroscloud.com
Then I checked: https://crt.sh/?q=heidelberg.yaroscloud.com
and I saw my certificate was issued; it was created successfully yesterday, but when I check my domain heidelberg.yaroscloud.com at https://certificate.revocationcheck.com, it still expires on the same date.
Maybe I am using the wrong command, or the renewed certificate is going to be used automatically when the last certificate expires.
You most likely created another certificate instead of renewing. certbot renew is for renewing.
To clarify: what is the output of the command certbot certificates?
Hi @bytecamp, thanks for your response.
I put my complete log at
https://s3-us-west-1.amazonaws.com/backupsyaros/test/heidelberg-letsencrypt.txt
and when I run
$ ./letsencrypt-auto certificates
I get:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/cert.pem to be a symlink. Skipping.
Found the following certs:
Certificate Name: heidelberg.yaroscloud.com-0002
Domains: heidelberg.yaroscloud.com
Expiry Date: 2018-02-26 23:28:22+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/privkey.pem
The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf
/etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf
Did you reload your webserver?
Before launching: $ sudo /opt/certbot/letsencrypt-auto certonly -a standalone -d heidelberg.yaroscloud.com
I stopped my nginx, and then after the process I started nginx.
When I look in letsencrypt I have two renewals; in my nginx config I actually use these:
ssl_certificate /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/privkey.pem;
Since you seem to reissue instead of renew (see the -0001/-0002 behind certificate domain name), you have to fix your configuration now to point to those certificates which are shown from the command letsencrypt-auto certificates:
Certificate Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/privkey.pem
Please note: if you next time don't renew but again issue a fresh certificate, you will have to change your configuration again. Use letsencrypt-auto renew next time.
For completeness, I would also get rid of the obsolete versions of the certificate.
Sure, but when I run ./letsencrypt-auto renew I get:
ubuntu@heidelberg:/opt/certbot$ sudo ./letsencrypt-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf
renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf is broken. Skipping.
Processing /etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0002.conf
Cert not yet due for renewal
Processing /etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf
expected /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf is broken. Skipping.
The following certs are not due for renewal yet:
/etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/fullchain.pem (skipped)
No renewals were attempted.
Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf (parsefail)
/etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf (parsefail)
0 renew failure(s), 2 parse failure(s)
And when I check the expiration date at https://certificate.revocationcheck.com/heidelberg.yaroscloud.com I get the same expiration date as before.
Hi @yavinenana,
Did you manually modify anything in the files in /etc/letsencrypt/renewal? Could you please post their contents here on the forum?
Thanks, Mr. @schoen.
I didn’t change anything, but in my renewal folder I have 3 files:
- heidelberg.yaroscloud.com-0001.conf (https://s3-us-west-1.amazonaws.com/backupsyaros/test/heidelberg.yaroscloud.com-0001.conf)
- heidelberg.yaroscloud.com-0002.conf (https://s3-us-west-1.amazonaws.com/backupsyaros/test/heidelberg.yaroscloud.com-0002.conf)
- heidelberg.yaroscloud.com.conf (this is empty)
(because a long time ago I had an issue, Error creating new cert :: too many certificates already issued for exact set of domains, in which I couldn’t renew my certificate and ended up creating a new one)
I think the problem is that my file’s name is heidelberg.yaroscloud.com-0001.conf and not heidelberg.yaroscloud.com.conf, pls I’m really
To fix the problem, you need to do what bytecamp said. The new certificates were saved in /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/. You need to update your nginx configuration to use these files instead of ones in a different directory and reload nginx.
As for why your lineages are getting corrupted, did you make /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf empty yourself? Can you include the output of sudo ls -al /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001? The problem is hinted at in the above output where it says “expected /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/cert.pem to be a symlink”. Did you perhaps copy these files from somewhere else and lose the fact that it was a symlink rather than a file?
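The two lineage faults reported in the output above (an empty renewal .conf, and a live/ file that is no longer a symlink) can be checked for directly, together with which lineage an nginx config references. This is an added example, not part of the original posts or of certbot; the function names audit_lineages and nginx_lineages are hypothetical, and it assumes certbot's standard renewal/, live/ and archive/ layout.

```shell
#!/bin/sh
# Added example (not from the thread, not part of certbot).
# Assumes certbot's standard layout under a root such as /etc/letsencrypt:
#   renewal/<name>.conf, and live/<name>/*.pem as symlinks into archive/.

# Print "<lineage> <status>" for every renewal config under the given root.
audit_lineages() (
    root="${1:-/etc/letsencrypt}"
    for conf in "$root"/renewal/*.conf; do
        [ -e "$conf" ] || continue            # glob matched nothing
        name="$(basename "$conf" .conf)"
        status="ok"
        if [ ! -s "$conf" ]; then
            status="empty-conf"               # zero-byte renewal config
        else
            for f in cert privkey chain fullchain; do
                p="$root/live/$name/$f.pem"
                if [ ! -L "$p" ]; then        # missing, or a copied regular file
                    status="not-symlink:$f.pem"; break
                elif [ ! -e "$p" ]; then      # symlink whose target is gone
                    status="dangling:$f.pem"; break
                fi
            done
        fi
        printf '%s %s\n' "$name" "$status"
    done
)

# Print the lineage name(s) that ssl_certificate directives in an nginx
# config file point into, so they can be compared with the audit above.
nginx_lineages() {
    sed -n 's#^[[:space:]]*ssl_certificate[[:space:]]\{1,\}.*/live/\([^/]*\)/[^/]*;.*#\1#p' "$1" | sort -u
}

# Usage: sh audit.sh /etc/letsencrypt [/path/to/nginx-site.conf]
if [ "$#" -gt 0 ]; then
    audit_lineages "$1"
    if [ "$#" -gt 1 ]; then nginx_lineages "$2"; fi
fi
```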
Thank you very much @bmw @schoen, this is my ls -la output.
The symbolic link is now in /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/
And I used the certificates that were saved in /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/
but then when I check it at “https://certificate.revocationcheck.com/heidelberg.yaroscloud.com”, it still expires on the same date as the other old certs,
because my cert expires on:
Not valid before: Sep 17, 2017 11:59:00 AM
Not valid after: Dec 16, 2017 11:59:00 AM
Did you update your nginx configuration to refer to the heidelberg.yaroscloud.com-0002 version of the cert?
Yes I did, schoen. As I said, the expiration date is still the same, and I am afraid that it expires that day.
@yavinenana, check again. Looking at your site now, I see a certificate that expires February 26, 2018.
@bmw when I check the cert directly:
root@heidelberg:/home/ubuntu# openssl x509 -noout -dates -in /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/cert.pem
notBefore=Nov 28 23:28:22 2017 GMT
notAfter=Feb 26 23:28:22 2018 GMT
or run the command:
$ echo | openssl s_client -connect heidelberg.yaroscloud.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 28 23:28:22 2017 GMT
notAfter=Feb 26 23:28:22 2018 GMT
but when I check the certificate on this page
https://certificate.revocationcheck.com/heidelberg.yaroscloud.com
the previous date still appears.
That website shows the newer certificate for me.
It seems to cache information for a while?
Thanks very much @bmw @schoen @bytecamp, you’re amazing…
Indeed, that site was caching that date, because now I see Feb 26…
So from now on, should I always aim for the new certificate? For example, point to …
heidelberg.yaroscloud.com-0003
heidelberg.yaroscloud.com-0004
heidelberg.yaroscloud.com-0005 … ?
because I created the cert with
$ sudo /opt/certbot/letsencrypt-auto certonly -a standalone -d heidelberg.yaroscloud.com
(without any number)