I have been manually renewing my test certs and have not had any issues. However, I stopped my testing for a few months and I am having issues renewing a cert. I manually run certbot certonly --cert-name test.xxxxxxxx.us -d test.xxxxxxxx.us and certbot certificate shows:
Looks good. But when I browse to the webpage, I get SEC_ERROR_EXPIRED_CERTIFICATE! I am using HAProxy to manage the certs.
Again, I have not had a problem all the while I was testing. My procedures work fine. It looks like the old expiration date is not being updated. I rebooted my servers, but that didn't help.
What can I delete about the cert so I can re-run the renew?
Why are you running that command to renew a cert? Surely certbot renew would be a more sensible command.
That's a frankly bizarre conclusion to draw. Certbot reports that it has a cert, where the cert is, and how long it's valid, and your conclusion is that it's lying to you, or that it doesn't know how to read the cert to determine how long it's valid?
The question is why HAProxy isn't using that cert. And, if I had to take a wild guess, it would be that you'd previously manually copied the old cert file somewhere else, and told HAProxy to use that one, rather than the one in /etc/letsencrypt/live/--and since a little bit of Googling suggests that HAProxy wants both the cert and the private key in a single .pem file (which certbot doesn't generate on its own), this scenario is looking entirely plausible, to say the least. So you can get all the new certs you want, but HAProxy won't know anything about them.
certbot certificates
Response: - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.xxxxxxxxxxx.us/fullchain.pem
I do this same process for other domains and it works fine (https) for the domains.
It's just one domain that used to work. The certbot certificate returns an invalid expiration date for some reason.
But browsing to test.streamingworld.us is showing:
Websites prove their identity via certificates, which are valid for a set time period. The certificate for test.streamingworld.us expired on 3/26/2022.
Error code: SEC_ERROR_EXPIRED_CERTIFICATE
Note I have not edited/copied/moved any certificate data.
As three of us have now told you, HAProxy isn't using the current and valid cert you now have (and apparently hasn't been for some time; it's using a cert that expired nine months ago). You'll need to look into its configuration to determine why. My guess would be that when you did cat fullchain.pem privkey.pem > /etc/haproxy/certs/www.xxxxxxxxxxx.us.pem, you did it with the wrong cert files. Or maybe you haven't done it for quite some time, and thought you did--you'll need to do that every time you renew the cert.
I posted the process I use and have used for a few years now, and for multiple different domains. I have not deviated from it and never ran into this problem until now.
It looks like a normal fullchain.pem to me (the long chain).
@rayj00 You cat this with your privkey.pem for HAProxy.
Do not show us the privkey!
But, are you sure the target filename used in the cat is the same name used in HAProxy?
Because in your cat example your redacted name is www.xxxx and in other places you have it as test.xxxx. Could there be a simple mis-match of file names?
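The thread boils down to two things: the fullchain.pem + privkey.pem concatenation has to be redone after every renewal, and the combined file must carry the exact name HAProxy's crt setting points at. Below is an added example of a certbot deploy hook that does both (not code from any poster); the /etc/haproxy/certs directory, the hook path and the reload command are assumptions, and the check_deployed function tells you whether the file HAProxy is loading still matches what certbot holds.

```shell
#!/bin/sh
# Certbot deploy hook (added example). Install as
# /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh (assumed path); `certbot renew`
# then runs it only for lineages that actually renewed, with RENEWED_LINEAGE set.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"          # assumed; match crt in haproxy.cfg
HAPROXY_RELOAD_CMD="${HAPROXY_RELOAD_CMD:-systemctl reload haproxy}"  # assumed

# build_haproxy_pem LINEAGE_DIR OUT_DIR
# Writes OUT_DIR/<lineage name>.pem = fullchain.pem + privkey.pem, owner-readable only.
# Naming the output after the lineage directory keeps the deployed file tied to the
# domain certbot renewed, so a www.* vs test.* filename mismatch cannot creep in.
build_haproxy_pem() {
    lineage="$1"; out_dir="$2"
    name=$(basename "$lineage")
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2; return 1; }
    mkdir -p "$out_dir"
    tmp="$out_dir/.$name.pem.tmp"
    umask 077                                   # the file contains the private key
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    mv -f "$tmp" "$out_dir/$name.pem"           # atomic replace; HAProxy never sees a partial file
    echo "$out_dir/$name.pem"
}

# check_deployed LINEAGE_DIR OUT_DIR -> prints current | stale | missing
# Diagnoses the situation in this thread: certbot reports a fresh cert while the
# combined file HAProxy serves is an old one (or was never written under that name).
check_deployed() {
    lineage="$1"; pem="$2/$(basename "$lineage").pem"
    [ -f "$pem" ] || { echo missing; return 0; }
    if cat "$lineage/fullchain.pem" "$lineage/privkey.pem" | cmp -s - "$pem"; then
        echo current
    else
        echo stale
    fi
}

# When certbot invokes this as a deploy hook, rebuild the one lineage it renewed and reload.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR"
    $HAPROXY_RELOAD_CMD
fi
```

Run `check_deployed /etc/letsencrypt/live/test.xxxxxxxx.us /etc/haproxy/certs` by hand to see whether the deployed file is stale or simply missing under the name HAProxy expects.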