Renewed my certificate but it still expires on the same date


#1

Yesterday I renewed my Let's Encrypt certificate for my subdomain heidelberg.yaroscloud.com, because it expires on December 16, so I ran this command to renew:
$ sudo /opt/certbot/letsencrypt-auto certonly -a standalone -d heidelberg.yaroscloud.com
Then I checked: https://crt.sh/?q=heidelberg.yaroscloud.com
and I saw that my certificate was issued; it was created successfully yesterday. But when I check my domain heidelberg.yaroscloud.com at https://certificate.revocationcheck.com, it still expires on the same date.
Maybe I am using the wrong command, or the renewed certificate is going to be used automatically when the last certificate expires.


#2

You most likely created another certificate instead of renewing. certbot renew is for renewing.
To clarify: what is the output of the command certbot certificates?


#3

Hi @bytecamp, thanks for your response.
I put my complete log at
https://s3-us-west-1.amazonaws.com/backupsyaros/test/heidelberg-letsencrypt.txt .

And when I run
$ ./letsencrypt-auto certificates
I get:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: heidelberg.yaroscloud.com-0002
Domains: heidelberg.yaroscloud.com
Expiry Date: 2018-02-26 23:28:22+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/privkey.pem

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf
/etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf


#4

Did you reload your webserver?


#5

Before launching: $ sudo /opt/certbot/letsencrypt-auto certonly -a standalone -d heidelberg.yaroscloud.com
I stopped nginx, and after the process I started nginx.

When I look in letsencrypt I have two renewals; in my nginx config I actually use these:
ssl_certificate /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/privkey.pem;


#6

Since you seem to reissue instead of renew (see the -0001/-0002 behind certificate domain name), you have to fix your configuration now to point to those certificates which are shown from the command letsencrypt-auto certificates:

Certificate Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/privkey.pem

Please note: if you next time don’t renew but again issue a fresh certificate, you will have to change your configuration again. Use letsencrypt-auto renew next time :slight_smile:

For completeness, I would also get rid of the obsolete versions of the certificate.


#7

Sure, but when I run ./letsencrypt-auto renew I get:

ubuntu@heidelberg:/opt/certbot$ sudo ./letsencrypt-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf

renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0002.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf

expected /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf is broken. Skipping.


The following certs are not due for renewal yet:
/etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/fullchain.pem (skipped)
No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf (parsefail)
/etc/letsencrypt/renewal/heidelberg.yaroscloud.com-0001.conf (parsefail)

0 renew failure(s), 2 parse failure(s)

And when I check the expiration date at https://certificate.revocationcheck.com/heidelberg.yaroscloud.com I get the same expiration date as before.


#8

Hi @yavinenana,

Did you manually modify anything in the files in /etc/letsencrypt/renewal? Could you please post their contents here on the forum?


#9

Thanks Mr. @schoen,
I didn’t change anything, but in my renewal folder I have 3 files:


#10

I think the problem is because my file’s name is heidelberg.yaroscloud.com-0001.conf, and is not heidelberg.yaroscloud.com.conf, pls I’m really


#11

@bmw, can you understand what could be causing this failure?


#12

To fix the problem, you need to do what bytecamp said. The new certificates were saved in /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/. You need to update your nginx configuration to use these files instead of ones in a different directory and reload nginx.

As for why your lineages are getting corrupted, did you make /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf empty yourself? Can you include the output of sudo ls -al /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001? The problem is hinted at in the above output where it says “expected /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/cert.pem to be a symlink”. Did you perhaps copy these files from somewhere else and lose the fact that it was a symlink rather than a file?
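
The two failures quoted in this thread (a renewal config with no file references, and a live/ entry that is a regular file instead of a symlink) can be checked for directly. The shell script below is an added example, not part of the thread and not certbot's own code; the function names `audit_lineages` and `make_demo_tree` and the sample directory tree are constructed for illustration.

```sh
#!/bin/sh
# audit_lineages [ROOT]: for each ROOT/renewal/*.conf, check the four file
# references and report "<name> ok" or "<name> broken: <reason>".
audit_lineages() {
    root=${1:-/etc/letsencrypt}
    for conf in "$root"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        reason=""
        for key in cert privkey chain fullchain; do
            # Value of the "key = /path" line in the renewal config.
            path=$(sed -n "s/^$key[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
            if [ -z "$path" ]; then
                reason="missing file reference '$key'"; break
            elif [ ! -L "$path" ]; then
                reason="expected $path to be a symlink"; break
            elif [ ! -e "$path" ]; then
                reason="dangling symlink $path"; break
            fi
        done
        if [ -n "$reason" ]; then echo "$name broken: $reason"
        else echo "$name ok"; fi
    done
}

# make_demo_tree: constructed sample tree reproducing the thread's state:
# empty base config, -0001 with plain copies in live/, -0002 intact.
make_demo_tree() {
    d=$(mktemp -d)
    base=heidelberg.yaroscloud.com
    mkdir -p "$d/renewal"
    : > "$d/renewal/$base.conf"
    for n in 0001 0002; do
        mkdir -p "$d/live/$base-$n" "$d/archive/$base-$n"
        for k in cert privkey chain fullchain; do
            echo placeholder > "$d/archive/$base-$n/${k}1.pem"
            if [ "$n" = 0001 ]; then   # symlink replaced by a regular file
                cp "$d/archive/$base-$n/${k}1.pem" "$d/live/$base-$n/$k.pem"
            else
                ln -s "../../archive/$base-$n/${k}1.pem" "$d/live/$base-$n/$k.pem"
            fi
            echo "$k = $d/live/$base-$n/$k.pem" >> "$d/renewal/$base-$n.conf"
        done
    done
    echo "$d"
}

demo=$(make_demo_tree); audit_lineages "$demo"; rm -rf "$demo"
```

Called with no argument, `audit_lineages` inspects /etc/letsencrypt, which normally requires root to read.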


#13

Thank you very much @bmw @schoen, this is my ls -la output


The symbolic link is now in /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/

And I used the certificates that are saved in /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/
but then when I check it at “https://certificate.revocationcheck.com/heidelberg.yaroscloud.com” it still expires on the same date as the other old certs.


#14

because my cert expires in
Not valid before: Sep 17, 2017 11:59:00 AM
Not valid after: Dec 16, 2017 11:59:00 AM


#15

Did you update your nginx configuration to refer to the heidelberg.yaroscloud.com-0002 version of the cert?


#16

Yes I did, schoen :frowning: As I said, the expiration date is still the same, and I am afraid that it expires that day.


#17

@yavinenana, check again. Looking at your site now, I see a certificate that expires February 26, 2018.


#18

@bmw, when I check the cert directly:

root@heidelberg:/home/ubuntu# openssl x509 -noout -dates -in /etc/letsencrypt/live/heidelberg.yaroscloud.com-0002/cert.pem
notBefore=Nov 28 23:28:22 2017 GMT
notAfter=Feb 26 23:28:22 2018 GMT

or run the command:
$ echo | openssl s_client -connect heidelberg.yaroscloud.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 28 23:28:22 2017 GMT
notAfter=Feb 26 23:28:22 2018 GMT

But when I check the certificate on this page
https://certificate.revocationcheck.com/heidelberg.yaroscloud.com

the previous date still appears.


#19

That website shows the newer certificate for me.

It seems to cache information for a while?


#20

Thanks very much @bmw @schoen @bytecamp, you’re amazing…
Indeed, that site was caching that date, because now I see Feb 26 :slight_smile:
So from now on, should I always aim for the new certificate? For example, point to …
heidelberg.yaroscloud.com-0003
heidelberg.yaroscloud.com-0004
heidelberg.yaroscloud.com-0005 … ?
Because I created the cert with
$ sudo /opt/certbot/letsencrypt-auto certonly -a standalone -d heidelberg.yaroscloud.com
(without any number)