Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain.nl-0001/fullchain.pem. Your
cert will expire on 2016-05-24. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
I see: /etc/letsencrypt/live/domain.nl-0001/fullchain.pem
But before it was: /etc/letsencrypt/live/domain.nl/fullchain.pem
And I am using symlinks with: /etc/letsencrypt/live/domain.nl/fullchain.pem
Why is it now "domain.nl-0001"?
And what can I do about it?
And the other question. If I go to, for example, https://ssldecoder.org and submit my domain.nl, I get:
Certificate for 'domain.nl'
Valid Until - Fri, 01 Apr 2016 14:06:00 +0000
Why are they saying it's valid until "01 Apr 2016" while the mail from Let's Encrypt says the certificate will expire on "10 Mar 16"?
Are you sure that your webserver actually uses the certificate you think it uses?
It seems like you haven’t renewed your certificate, but created a completely new one. Renewal is (usually) done with the “renew” command. This command will update not only the certificate, but also the symlinks that you probably use in your webserver configuration.
“When the 90 days are almost up, come back to this page and execute the Let’s Encrypt command again with the correct domain and webroot options. You’ll be asked if you want to renew, agree, and the certificate will be renewed. Then restart the webserver via a service httpd restart. Repeat is for all certificates.”
They are saying I can just run the command again? Or do I really have to use the renew command? I can just do:
If you use certonly, you’ll have to configure your webserver manually to use the correct files. I can’t help you with DirectAdmin (never used it), but this is what you should do without DirectAdmin.
Check your webserver’s configuration. Looks like you’re on Fedora, in which case you can find it somewhere under /etc/httpd. Check for a config file with these directives:
SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile
Those should be pointing to files under /etc/letsencrypt/live/domain.nl-0001, which, in turn, should be symlinks to the actual files in /etc/letsencrypt/archive/domain.nl-0001.
Your webserver could be using files under /etc/letsencrypt/live/domain.nl, but seeing that the e-mail you received mentions a different date than ssldecoder, I assume you’re using yet another certificate.
Ideally, if you’ve created and installed a certificate, all you have to do to renew it is
letsencrypt renew
I wouldn’t use --force-renew unless you want letsencrypt to renew even if your certificate isn’t going to expire soon.
I can check the content of the files. Which files are changing with the renewal? All of them? And do I have to compare the content of the files with a tool like:
Now there are 2 directories: domain.nl and domain-0001 (and in /etc/letsencrypt/archive also)
And if I do:
letsencrypt renew
I am getting: command not found… I think I have to do it with something like ./letsencrypt-auto renew? I know it’s better to skip --force-renew but I am adding that for testing now… then I can check if it’s really updated.
I can compare the content of chain.pem, but that’s not changing anyway with the renewal, so I still don’t know how to check if it’s really updated and which one is active (domain.nl or domain.nl-0001).
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/mydomain.nl-0001/fullchain.pem. Your
cert will expire on 2016-05-26. To obtain a new version of the
certificate in the future, simply run Let’s Encrypt again.
So while I know for sure that I put mydomain.nl in the command… letsencrypt is making mydomain.nl-0001 of it?
I used --force-renew to test some things, but now I reached the limit, so I have to wait for a while (I think a week) to do some more tests.
Oh oh oh stupid programmers ;). I was all day checking everything and at the end I found the problem. Something went wrong with a unix command. I had to create symlinks for Directadmin and the output was:
ln: creating symbolic link `PATH’: File exists
So I thought… okay the file exists, but the symbolic link was created. But it was not! Unix cannot output that it is an error and that the symbolic link was not created!!! Maybe they can program it logically, but they also have to think more about the logic of users who are also just thinking logically, but never worked with unix.
If you create a certificate (with certonly or run), letsencrypt creates 4 files for you: a chain, a full chain, a key and a certificate. It places them under /etc/letsencrypt/archive/<domain> and creates symlinks to them under /etc/letsencrypt/live/<domain>. You then configure your webserver to use the symlinks under live.
If you renew, letsencrypt will create new files under /etc/letsencrypt/archive/<domain> and add -0001 to them. Next time it will add -0002 and so on. Renew will also update the symlinks under /etc/letsencrypt/live/<domain>, so that your webserver will always use the latest files under archive.
If you create a new certificate for an already existing domain, letsencrypt will do the same trick for the directory: it will create /etc/letsencrypt/archive/<domain>-0001 etc.
The question ‘which certificate is active’ is answered by checking your webserver config. The certificate that is loaded by the webserver, is ‘active’. You can check which certificate was created most recently with “ls -l”: that will show you the date the files were last modified. It will also show you where symlinks point to, btw.
I don't think it's true what you're saying. For example:
/etc/letsencrypt/live/DOMAIN.EXT/cert.pem
It is a symlink to:
/etc/letsencrypt/archive/DOMAIN.EXT/cert1.pem
If you renew then it still will be:
/etc/letsencrypt/live/DOMAIN.EXT/cert.pem
But now it's a symlink to:
/etc/letsencrypt/archive/DOMAIN.EXT/cert2.pem
I think it's working like that and it also makes more sense. Why would they create a lot of different directories while they can also work with 1 directory and just change the files in the directory to 1, 2 etcetera instead of the directory itself? But in 5 days or something I can force renewal again, so I can do some more tests. I still don't know why it was creating -0001, but before that something went wrong with creating my other symlinks in directadmin, so maybe it had to do with that. Later on I've tested everything with another domain and everything went well, also with the renewal. But I think it's working like I am saying above and not like you are saying with DOMAIN.EXT-0001, -0002 etcetera.
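The thread keeps circling back to one question: which certificate is actually in use, and did the renewal change it? The answer given above (check the SSLCertificate* directives in the httpd config, then follow the symlinks under live/ to archive/ and compare dates or fingerprints) is the right method regardless of whether renewal numbers the files (cert1.pem, cert2.pem) or the directories (-0001, -0002). The script below is an added example, not code from this thread or from the Let's Encrypt client; it assumes openssl and readlink -f are installed, takes every path as an argument, and builds nothing hard-coded. It (1) lists the certificate paths the httpd config references, (2) resolves the live/ symlinks to the real files and prints their expiry and SHA-256 fingerprint, and (3) optionally fetches the certificate a server presents and compares it with the file on disk, which settles the ssldecoder-versus-email date mismatch directly.

```shell
#!/bin/sh
# Added example, not code from the thread or from the letsencrypt client.
# Answers "which certificate is active?" by (1) reading the cert paths out of
# the httpd config, (2) resolving the live/ symlinks to the real files under
# archive/, and (3) comparing the file's SHA-256 fingerprint with the one a
# TLS server actually presents. Assumes openssl, readlink -f and grep -r are
# available; all paths are arguments, none are hard-coded.

# (1) Every path named by an SSLCertificateFile / SSLCertificateKeyFile /
#     SSLCertificateChainFile directive under a config directory.
config_cert_paths() {
    grep -rhE '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$1" \
        | awk '{print $2}' | tr -d '"'
}

# (2) Follow a symlink chain to the real file (live/x.pem -> archive/xN.pem).
resolve_live() {
    readlink -f "$1"
}

# SHA-256 fingerprint of a PEM certificate as 64 lowercase hex digits, so two
# copies of a certificate can be compared with a plain string test.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# notAfter of a PEM certificate, e.g. "May 26 12:00:00 2016 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# (3) Fingerprint of the certificate a server presents for host $1 (port $2,
#     default 443). -servername sends SNI so a host with several certificates
#     returns the right one. Needs network access.
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Show where every symlink in a live/ directory points and when cert.pem expires.
report_live_dir() {
    for link in "$1"/*.pem; do
        printf '%s -> %s\n' "$link" "$(resolve_live "$link")"
    done
    printf 'cert.pem expires: %s\n' "$(cert_not_after "$1/cert.pem")"
    printf 'cert.pem sha256:  %s\n' "$(cert_fingerprint "$1/cert.pem")"
}

# Return 0 when the served certificate is exactly the on-disk one.
check_served_matches_disk() {
    disk=$(cert_fingerprint "$1/cert.pem")
    served=$(served_fingerprint "$2")
    if [ "$disk" = "$served" ]; then
        echo "OK: $2 serves $(resolve_live "$1/cert.pem")"
        return 0
    fi
    echo "MISMATCH: $2 serves $served, disk has $disk" >&2
    return 1
}

# Usage: sh which_cert.sh /etc/letsencrypt/live/domain.nl [domain.nl] [/etc/httpd]
if [ $# -gt 0 ]; then
    if [ -n "${3:-}" ]; then
        echo "Paths referenced by httpd config:"; config_cert_paths "$3"
    fi
    report_live_dir "$1"
    if [ -n "${2:-}" ]; then
        check_served_matches_disk "$1" "$2"
    fi
fi
```

Run it as `sh which_cert.sh /etc/letsencrypt/live/domain.nl domain.nl /etc/httpd` after a renewal: if the fingerprint of the resolved cert.pem matches what the server presents, the webserver has reloaded the new file; if the two differ, the server is still holding an older certificate in memory (restart it) or its config points at a different directory than the one the renewal updated, which is exactly the domain.nl versus domain.nl-0001 confusion above. Comparing fingerprints rather than dates avoids being misled by two certificates that happen to share an expiry.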