Renew successful but the site still expired

Help
1

My domain is (while there are others this is the primary one I care about): apps.marketingresources.com

I ran this command: ./certbot-auto renew --no-self-upgrade

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/apps.marketingresources.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for apps.marketingresources.com
Waiting for verification…
Cleaning up challenges

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/apps.marketingresources.com/fullchain.pem

Processing /etc/letsencrypt/renewal/demo.marketingresources.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for demo.marketingresources.com
Waiting for verification…
Cleaning up challenges

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/demo.marketingresources.com/fullchain.pem

Processing /etc/letsencrypt/renewal/weblab.marketingresources.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for weblab.marketingresources.com
Waiting for verification…
Cleaning up challenges

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/weblab.marketingresources.com/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/apps.marketingresources.com/fullchain.pem (success)
/etc/letsencrypt/live/demo.marketingresources.com/fullchain.pem (success)
/etc/letsencrypt/live/weblab.marketingresources.com/fullchain.pem (success)

My web server is (include version): Apache 2.2.22 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 12.04

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Apache Conf (relevant lines):
SSLCertificateFile /etc/letsencrypt/live/apps.marketingresources.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/apps.marketingresources.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/apps.marketingresources.com/chain.pem

Sym Links:
cd /etc/letsencrypt/live/apps.marketingresources.com/
ls -la
Nov 18 12:21 cert.pem -> …/…/archive/apps.marketingresources.com/cert18.pem
Nov 18 12:21 chain.pem -> …/…/archive/apps.marketingresources.com/chain18.pem
Nov 18 12:21 fullchain.pem -> …/…/archive/apps.marketingresources.com/fullchain18.pem
Nov 18 12:21 privkey.pem -> …/…/archive/apps.marketingresources.com/privkey18.pem

At first I ran the same command without --no-self-upgrade and it updated itself and failed, so I had to remove and download 0.31.0 specifically to get the renew to even run. After successful renewal apache was manually restarted, but the site still shows an expired cert. I’ve run out of ideas, it’s almost as if Apache is just ignoring the new files.

1 Like
2

Hi @jjonesmri

there is a check of your domain, ~~ one hour old - https://check-your-website.server-daten.de/?q=apps.marketingresources.com

You use one certificate with 4 domain names:

CN=apps.marketingresources.com
	19.08.2019
	17.11.2019
1 days expired	apps.marketingresources.com, client.marketingresources.com, demo.marketingresources.com, weblab.marketingresources.com - 4 entries

But your output and your CT-log

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-11-18 2020-02-16 apps.marketingresources.com - 1 entries duplicate nr. 1
Let’s Encrypt Authority X3 2019-10-18 2020-01-16 apps.marketingresources.com, client.marketingresources.com, demo.marketingresources.com, weblab.marketingresources.com - 4 entries

says: You have created 4 certificates with one domain name. The certificate with 4 domain names is renewed and one month old.

So the problem isn’t new, the problem is one month old.

What says

certbot certificates
apachectl -S
1 Like
3

./certbot-auto certificates --no-self-upgrade --no-bootstrap
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: apps.marketingresources.com
Domains: apps.marketingresources.com
Expiry Date: 2020-02-16 17:22:28+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/apps.marketingresources.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/apps.marketingresources.com/privkey.pem
Certificate Name: demo.marketingresources.com
Domains: demo.marketingresources.com
Expiry Date: 2020-02-16 17:22:34+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/demo.marketingresources.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/demo.marketingresources.com/privkey.pem
Certificate Name: weblab.marketingresources.com
Domains: weblab.marketingresources.com
Expiry Date: 2020-02-16 17:22:41+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/weblab.marketingresources.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/weblab.marketingresources.com/privkey.pem

apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server apps.marketingresources.com (/etc/apache2/sites-enabled/apps-ssl:2)
port 443 namevhost apps.marketingresources.com (/etc/apache2/sites-enabled/apps-ssl:2)
port 443 namevhost client.marketingresources.com (/etc/apache2/sites-enabled/client-ssl:2)
port 443 namevhost demo.marketingresources.com (/etc/apache2/sites-enabled/demo-ssl:2)
port 443 namevhost weblab.marketingresources.com (/etc/apache2/sites-enabled/weblab-ssl:2)
*:80 is a NameVirtualHost
default server apps.marketingresources.com (/etc/apache2/sites-enabled/apps:1)
port 80 namevhost apps.marketingresources.com (/etc/apache2/sites-enabled/apps:1)
port 80 namevhost client.marketingresources.com (/etc/apache2/sites-enabled/client:1)
port 80 namevhost demo.marketingresources.com (/etc/apache2/sites-enabled/demo:1)
port 80 namevhost weblab.marketingresources.com (/etc/apache2/sites-enabled/weblab:1)

1 Like
4

Please show file:

Which should be using cert:

renewed today: crt.sh | 2127102586

5

You are most likely still using a cert that has been deleted from certbot but remains in the folder/path.
You simply need to edit the config to use the new cert.

1 Like
6

Posted lines from the apache conf file above:

Apache Conf (relevant lines):
SSLCertificateFile /etc/letsencrypt/live/apps.marketingresources.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/apps.marketingresources.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/apps.marketingresources.com/chain.pem

Sym Links:
cd /etc/letsencrypt/live/apps.marketingresources.com/
ls -la
Nov 18 12:21 cert.pem -> …/…/archive/apps.marketingresources.com/cert18.pem
Nov 18 12:21 chain.pem -> …/…/archive/apps.marketingresources.com/chain18.pem
Nov 18 12:21 fullchain.pem -> …/…/archive/apps.marketingresources.com/fullchain18.pem
Nov 18 12:21 privkey.pem -> …/…/archive/apps.marketingresources.com/privkey18.pem

1 Like
7

Please show this public file:

1 Like
8

What I’ve discovered is the web server has an nginx proxy, which is where the certs from 10/18 were created. Only needed to restart nginx on the proxy and it seems to be working now. Thank you all for the help.

This is why it felt like everything was done correctly, but still not working. At least I now know moving forward, and can write something up for the next person that has to deal with this.

9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.