Renewal done, but still expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot certonly --standalone --preferred-challenges tls-sni-01 -d

It produced this output:

TLS-SNI-01 support is deprecated. This value is being dropped from the setting of --preferred-challenges and future versions of Certbot will error if it is included.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1):
Cert is due for renewal, auto-renewing…
Renewing an existing certificate


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2020-03-03. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt:
    Donating to EFF:

My web server is (include version): apache

The operating system my web server runs on is (include version): AWS centos

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Since Certbot wasn't told how to reload/restart your webserver, you need to do so manually. Otherwise, your webserver will continue to use the certificate it loaded previously.

Do you mean Apache Tomcat?


I restarted it manually with:
systemctl restart httpd

I’m getting this output when running #certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Expiry Date: 2020-03-03 06:48:47+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

I don't think you are running Apache httpd:

  1. There is no Server response header, which is not possible with Apache httpd.
  2. I see an Apache Tomcat/8.5.34 footer from your error pages.

So I don't think systemctl restart httpd would be effective on your server.

What is the output of:

systemctl status httpd

● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2019-12-04 08:18:05 UTC; 1h 17min ago
Docs: man:httpd(8)
Process: 385 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 391 (httpd)
Status: "Total requests: 312; Current requests/sec: 0.1; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─391 /usr/sbin/httpd -DFOREGROUND
├─392 /usr/sbin/httpd -DFOREGROUND
├─393 /usr/sbin/httpd -DFOREGROUND
├─394 /usr/sbin/httpd -DFOREGROUND
├─395 /usr/sbin/httpd -DFOREGROUND
├─396 /usr/sbin/httpd -DFOREGROUND
└─404 /usr/sbin/httpd -DFOREGROUND

Dec 04 08:18:05 ip-172-31-33-230.ec2.internal systemd[1]: Starting The Apache HTTP Server...
Dec 04 08:18:05 ip-172-31-33-230.ec2.internal systemd[1]: Started The Apache HTTP Server.

Actually, when I tried to renew, there was an error regarding the DNS/AAA record, so I renewed using the command sudo certbot certonly --standalone --preferred-challenges tls-sni-01 -d . (Loadbalancer has configured )
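The point made earlier in the thread, that a renewed certificate on disk is not served until whatever terminates TLS reloads it, can be checked directly. The following is an added example, not part of the original thread: it compares the SHA-256 fingerprint of the leaf certificate in the on-disk PEM with the leaf the listener presents. The function names are this example's own, and the sample byte strings are constructed stand-ins rather than real certificates.

```python
import hashlib
import socket
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def leaf_der_from_pem(pem_text):
    """DER bytes of the first certificate in a PEM file (the leaf in fullchain.pem)."""
    start = pem_text.index(BEGIN)
    end = pem_text.index(END, start) + len(END)
    return ssl.PEM_cert_to_DER_cert(pem_text[start:end])

def served_der(host, port=443, timeout=5.0):
    """Leaf certificate the listener on host:port presents right now."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only: an expired cert must still be readable
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def compare(pem_text, der_on_wire):
    """Return 'current' if the listener serves the on-disk leaf, else 'stale'."""
    on_disk = fingerprint(leaf_der_from_pem(pem_text))
    return "current" if on_disk == fingerprint(der_on_wire) else "stale"

# Constructed stand-ins for the previous and the renewed certificate (not real X.509).
OLD_DER = b"constructed: certificate loaded before renewal"
NEW_DER = b"constructed: certificate written by the renewal"
NEW_PEM = ssl.DER_cert_to_PEM_cert(NEW_DER)

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # usage: script.py HOST /path/to/fullchain.pem [PORT]
        host, path = sys.argv[1], sys.argv[2]
        port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
        with open(path) as fh:
            print(compare(fh.read(), served_der(host, port)))
    else:  # offline demo on the constructed samples
        print(compare(NEW_PEM, NEW_DER), compare(NEW_PEM, OLD_DER))
```

A "stale" result after a restart means the process that was restarted is not the one answering on that port, or it reads its certificate from a different path.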
