Renewal done, but still expired


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: please ask

I ran this command: certbot renew

It produced this output: renewal was successful but still shows expired?

My web server is (include version):

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is: hosted internally

I can login to a root shell on my machine (yes or no, or I don’t know): yes I have root privileges

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, ssh


Certbot reports renewal OK but Browser reports old cert still in use
#2

Try the following command:

certbot certificates

If that says you have an up-to-date certificate, then it was indeed renewed and saved successfully, but not installed to your web server. You may simply need to restart / reload the web server to get it to pick up the renewed certificate. If you used the --apache or --nginx plugins when obtaining the certificate, then this should happen automatically; whereas if you used --webroot it would not, but you can still automate it by using the --deploy-hook option. For example:

certbot renew --force-renewal --cert-name mydomain.example --deploy-hook "systemctl reload apache2"

(If you just run that once, the option will be remembered for that certificate and you can just use certbot renew next time).

If you previously copied the certificate to a different location for your web server to use, then you’ll have to repeat that step too (which can also be automated with --deploy-hook).

If on the other hand certbot certificates shows an expired certificate you have a different problem. In that case check the contents of /etc/letsencrypt/live/yourdomain.example/ - they should be symbolic links to the latest files in /etc/letsencrypt/archive/yourdomain.example/. If they are not then the links will need to be recreated.
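The first half of that advice (renewed on disk, but is the web server actually serving it?) can be checked without a browser. The following is an added example, not code from this thread or from certbot: it fetches the leaf certificate a server presents, computes the SHA-256 fingerprint of its DER bytes, and compares it with the first block of the fullchain.pem certbot wrote. It needs only the Python 3 standard library. The hostname and path are command-line arguments when run as a script; the PEM blocks at the bottom are constructed stand-ins (base64 of the bytes "abc" and "def", not real X.509 certificates) so that the comparison logic can be exercised offline.

```python
"""Added example (not from the thread, not certbot code): decide whether the
certificate a server is actually serving is the one certbot wrote to disk,
by comparing SHA-256 fingerprints of the leaf certificate's DER bytes."""
import base64
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def first_pem_block(pem_text: str) -> str:
    """Return the first CERTIFICATE block. In certbot's fullchain.pem the
    leaf comes first and the intermediates follow it."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    return pem_text[start:end]


def sha256_fingerprint(pem_block: str) -> str:
    """SHA-256 over the DER encoding: the fingerprint browsers show in the
    certificate viewer and `openssl x509 -fingerprint -sha256` prints."""
    body = pem_block.replace(PEM_BEGIN, "").replace(PEM_END, "")
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """True when both PEM texts carry the same leaf certificate."""
    return sha256_fingerprint(first_pem_block(pem_a)) == sha256_fingerprint(first_pem_block(pem_b))


def served_certificate(host: str, port: int = 443) -> str:
    """PEM of the leaf the server presents for `host` (SNI is taken from host).
    No chain validation is performed, so an expired certificate is still
    returned, which is exactly the case being diagnosed in this thread."""
    return ssl.get_server_certificate((host, port))


def disk_certificate(path: str) -> str:
    with open(path) as fh:
        return fh.read()


def check_deployment(host: str, fullchain_path: str, port: int = 443) -> bool:
    """Compare what the network sees with what certbot saved. False means the
    web server is still serving an older certificate: it needs a reload, or its
    ssl_certificate / SSLCertificateFile directive points at a different file."""
    return same_certificate(served_certificate(host, port), disk_certificate(fullchain_path))


# Constructed sample "certificates" for offline use: the base64 bodies are just
# the bytes b"abc" and b"def", not real X.509 structures.
SAMPLE_LEAF = "\n".join([PEM_BEGIN, "YWJj", PEM_END])
SAMPLE_OLD_LEAF = "\n".join([PEM_BEGIN, "ZGVm", PEM_END])
SAMPLE_FULLCHAIN = SAMPLE_LEAF + "\n" + SAMPLE_OLD_LEAF + "\n"  # leaf first, then an "intermediate"


if __name__ == "__main__":
    import sys
    # usage: python3 check_deployment.py example.com /etc/letsencrypt/live/example.com/fullchain.pem
    host, path = sys.argv[1], sys.argv[2]
    served = sha256_fingerprint(first_pem_block(served_certificate(host)))
    on_disk = sha256_fingerprint(first_pem_block(disk_certificate(path)))
    print("served :", served)
    print("on disk:", on_disk)
    print("MATCH" if served == on_disk else "MISMATCH: reload the web server or fix its certificate path")
```

Comparing fingerprints rather than expiry dates is deliberate: a stale but still-valid certificate would pass an expiry check and hide the fact that the reload never happened. Run the script from a machine outside the host's own network if a load balancer or CDN sits in front, since the server and the edge may be serving different certificates.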


#3

Hi,

Thanks for the reply.

I did run that certbot renew command earlier again, but then I got this message:

root@docrepo5:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/subdomain.stonethree.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for subdomain.stonethree.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (subdomain.stonethree.com) from /etc/letsencrypt/renewal/subdomain.stonethree.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: subdomain.stonethree.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/subdomain.stonethree.com/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/subdomain.stonethree.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

Must I run your suggested command again and see what happens?

I also must say we make use of nginx though, will that be an issue?

Thanks.


#4

Hmmm. So now that you’ve provided the full output of the certbot command, I can see this:

Plugins selected: Authenticator nginx, Installer nginx

This indicates that the certificate was originally obtained using the --nginx plugin, so the renewal should have reloaded nginx automatically.

Can you try the other command I suggested and post the output please?

certbot certificates


#5

Hi,

Please see the output below:

root@subdomain:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: subdomain.stonethree.com
    Domains: subdomain.stonethree.com
    Expiry Date: 2018-10-30 12:53:21+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/subdomain.stonethree.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain.stonethree.com/privkey.pem
-------------------------------------------------------------------------------

But what is strange, I ran the same command yesterday and this was the output:

root@docrepo5:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/subdomain.stonethree.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for subdomain.stonethree.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/subdomain.stonethree.com/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/subdomain.stonethree.com/fullchain.pem (success)
-------------------------------------------------------------------------------

Thanks.


#6

Right, so that’s often a symptom of a broken symbolic link structure. Try the following (as root):

ls -al /etc/letsencrypt/{live,archive}/subdomain.stonethree.com


#7

Hi,

Thanks for the reply, please see below:

root@subdomain:~# ls -al /etc/letsencrypt/live/subdomain.stonethree.com
total 12
drwxr-xr-x 2 root root 4096 Oct 31 10:00 .
drwx------ 4 root root 4096 Oct 24 14:48 ..
lrwxrwxrwx 1 root root 51 Oct 31 10:00 cert.pem -> ../../archive/subdomain.stonethree.com-0001/cert1.pem
lrwxrwxrwx 1 root root 52 Oct 31 10:00 chain.pem -> ../../archive/subdomain.stonethree.com-0001/chain1.pem
lrwxrwxrwx 1 root root 56 Oct 31 10:00 fullchain.pem -> ../../archive/subdomain.stonethree.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root 54 Oct 31 10:00 privkey.pem -> ../../archive/subdomain.stonethree.com-0001/privkey1.pem
-rw-r--r-- 1 root root 543 Aug 1 15:53 README

&

root@subdomain:/# ls -al /etc/letsencrypt/archive/subdomain.stonethree.com
total 40
drwxr-xr-x 2 root root 4096 Jul 17 14:17 .
drwx------ 4 root root 4096 Aug 1 15:53 ..
-rw-r--r-- 1 root root 2175 May 3 14:50 cert1.pem
-rw-r--r-- 1 root root 2171 Oct 31 10:00 cert2.pem
-rw-r--r-- 1 root root 1647 May 3 14:50 chain1.pem
-rw-r--r-- 1 root root 1647 Oct 31 10:00 chain2.pem
-rw-r--r-- 1 root root 3822 May 3 14:50 fullchain1.pem
-rw-r--r-- 1 root root 3818 Oct 31 10:00 fullchain2.pem
-rw-r--r-- 1 root root 1708 May 3 14:50 privkey1.pem
-rw-r--r-- 1 root root 1704 Oct 31 10:00 privkey2.pem

Does this look right, or is something wrong?

Also, I noticed the following in the live & archive folders:

root@subdomain:/# ls -al /etc/letsencrypt/archive/
total 16
drwx------ 4 root root 4096 Aug 1 15:53 .
drwxr-xr-x 10 root root 4096 Oct 31 23:57 ..
drwxr-xr-x 2 root root 4096 Jul 17 14:17 subdomain.stonethree.com
drwxr-xr-x 2 root root 4096 Oct 30 15:54 subdomain.stonethree.com-0001

&

root@subdomain:/# ls -al /etc/letsencrypt/live/
total 16
drwx------ 4 root root 4096 Oct 24 14:48 .
drwxr-xr-x 10 root root 4096 Oct 31 23:57 ..
drwxr-xr-x 2 root root 4096 Oct 31 10:00 subdomain.stonethree.com
drwxr-xr-x 2 root root 4096 Jul 17 14:17 subdomain.stonethree.com.old

And here is the content of the other 2 folders:

root@subdomain:/# ls -al /etc/letsencrypt/live/subdomain.stonethree.com.old/
total 12
drwxr-xr-x 2 root root 4096 Jul 17 14:17 .
drwx------ 4 root root 4096 Oct 24 14:48 ..
lrwxrwxrwx 1 root root 46 Jul 17 14:17 cert.pem -> ../../archive/subdomain.stonethree.com/cert2.pem
lrwxrwxrwx 1 root root 47 Jul 17 14:17 chain.pem -> ../../archive/subdomain.stonethree.com/chain2.pem
lrwxrwxrwx 1 root root 51 Jul 17 14:17 fullchain.pem -> ../../archive/subdomain.stonethree.com/fullchain2.pem
lrwxrwxrwx 1 root root 49 Jul 17 14:17 privkey.pem -> ../../archive/subdomain.stonethree.com/privkey2.pem
-rw-r--r-- 1 root root 543 May 3 14:50 README

&

root@subdomain:/# ls -al /etc/letsencrypt/archive/subdomain.stonethree.com-0001/
total 24
drwxr-xr-x 2 root root 4096 Oct 30 15:54 .
drwx------ 4 root root 4096 Aug 1 15:53 ..
-rw-r--r-- 1 root root 2171 Aug 1 15:53 cert1.pem
-rw-r--r-- 1 root root 1647 Aug 1 15:53 chain1.pem
-rw-r--r-- 1 root root 3818 Aug 1 15:53 fullchain1.pem
-rw-r--r-- 1 root root 1708 Aug 1 15:53 privkey1.pem

Any help would be much appreciated.

Thanks.


#8

Yeah, that’s wrong. Looks like you (or someone) renamed some directories under /etc/letsencrypt/live/.

I’d start by renaming them back - presumably:

cd /etc/letsencrypt/live
mv subdomain.stonethree.com subdomain.stonethree.com-0001
mv subdomain.stonethree.com.old subdomain.stonethree.com

Then run certbot certificates again. You should now have two certificates. Carefully check which domain names are included on each. Make sure your nginx configuration is pointed at the correct one. Then try the renewal again.


#9

2 posts were split to a new topic: Email says cert is expiring


#10

Hi,

Thanks for the update.

Now I’m getting this error below:

root@subdomain:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/subdomain.stonethree.com.conf

target /etc/letsencrypt/archive/subdomain.stonethree.com-0001/cert1.pem of symlink /etc/letsencrypt/live/subdomain.stonethree.com/cert.pem does not exist
Renewal configuration file /etc/letsencrypt/renewal/subdomain.stonethree.com.conf is broken. Skipping.


No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/subdomain.stonethree.com.conf (parsefail)

0 renew failure(s), 1 parse failure(s)

After following your steps mentioned in your previous reply.

Thanks.


#11

Hmm, that’s surprising. Could you post the current output of the ls commands after that? And also the content of the file /etc/letsencrypt/renewal/subdomain.stonethree.com.conf


#12

Hi,

It’s kinda odd but here is the content of the file:

root@subdomain:~# ls /etc/letsencrypt/renewal/subdomain.stonethree.com.conf
/etc/letsencrypt/renewal/subdomain.stonethree.com.conf

Don’t think this is what you meant with the “ls” output after that, if you could verify what you need?

root@subdomain:~# cat /etc/letsencrypt/renewal/subdomain.stonethree.com.conf

renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /etc/letsencrypt/archive/subdomain.stonethree.com
cert = /etc/letsencrypt/live/subdomain.stonethree.com/cert.pem
privkey = /etc/letsencrypt/live/subdomain.stonethree.com/privkey.pem
chain = /etc/letsencrypt/live/subdomain.stonethree.com/chain.pem
fullchain = /etc/letsencrypt/live/subdomain.stonethree.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
installer = nginx
authenticator = nginx

What I also did is replace the actual name with subdomain, just for the conversation purposes.

Please let me know.

Thanks.


#13

Hi,

Played around with some settings (moved the files around as they should be, in the /renewal & /live folders); looks like it’s fixed now:

root@subdomain:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/subdomain.stonethree.com.conf

Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/subdomain.stonethree.com/fullchain.pem expires on 2019-01-29 (skipped)
No renewals were attempted.

root@subdomain:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: subdomain.stonethree.com
Domains: subdomain.stonethree.com
Expiry Date: 2019-01-29 07:00:52+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/subdomain.stonethree.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/subdomain.stonethree.com/privkey.pem

Figured out it can’t be that difficult.

Thanks again for all your help, I really do appreciate it.


#14

Your https://docrepo.stonethree.com/ already uses this certificate. So there is nothing to do.


#15

Hi,

All sorted, thanks for all your assistance.

Thanks.


#16

Hi,

Can I ask something about this again? It’s another error I get, but on a different VM.

root@label:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/label.stonethree.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for label.stonethree.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (label.stonethree.com) from /etc/letsencrypt/renewal/label.stonethree.com.conf produced an unexpected error: Failed authorization procedure. label.stonethree.com (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/label.stonethree.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/label.stonethree.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: label.stonethree.com
    Type: connection
    Detail: Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Please let me know.

Thanks.


#17

It’s using the old tls-sni-01 challenge. It may be possible to make it work, but there’s not much point as it’s deprecated and will be removed soon. The latest version of certbot uses the alternative http-01 challenge by default; maybe you need to upgrade your certbot?

If you’re stuck with an older version for some reason, you can force it to use the http-01 challenge by adding the option: --preferred-challenges http-01

If your certbot is too old even for that, you can use --webroot and specify a webroot path with -w.

Just changing the challenge type may be enough to fix the problem, but if it’s not, please post the new error you get.

Also btw:

Plugins selected: Authenticator nginx, Installer None

This indicates you probably used certonly when obtaining the cert originally, so it won’t automatically reload nginx for you when it renews. If you didn’t intend that, you can change it by adding the --installer nginx option.

As usual, you only need to specify these options once, then they will be saved in the renewal configuration file and used automatically next time (assuming you succeed in obtaining a renewed certificate).
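To see what "saved in the renewal configuration file" looks like in practice, here is an illustrative renewal config as it would read after one successful run with the two options above. This is an added example rather than a file from the thread: the paths follow the pattern of the configs already posted, the account line is a placeholder, the version number is assumed, and pref_challs is the key under which certbot records --preferred-challenges (stored as a list, hence the trailing comma); confirm the exact key in your own file after a successful run.

```ini
# /etc/letsencrypt/renewal/label.stonethree.com.conf (illustrative, after
# `certbot renew --preferred-challenges http-01 --installer nginx` succeeded)
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/label.stonethree.com
cert = /etc/letsencrypt/live/label.stonethree.com/cert.pem
privkey = /etc/letsencrypt/live/label.stonethree.com/privkey.pem
chain = /etc/letsencrypt/live/label.stonethree.com/chain.pem
fullchain = /etc/letsencrypt/live/label.stonethree.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = <account id, placeholder>
authenticator = nginx
installer = nginx
pref_challs = http-01,
```

The practical consequence is that the next plain `certbot renew` (typically from cron or a systemd timer) will use http-01 and reload nginx without any flags, so it is worth re-reading this file whenever renewals start behaving differently from what you expect.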


#18

Hi,

Thanks, looks like it has been fixed but not resolved.

root@label:/etc/letsencrypt/renewal# certbot renew --preferred-challenges http-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/label.stonethree.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for label.stonethree.com
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/label.stonethree.com/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/label.stonethree.com/fullchain.pem (success)


Status:

root@label:/etc/letsencrypt/renewal# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: label.stonethree.com
Domains: label.stonethree.com
Expiry Date: 2018-11-15 12:18:41+00:00 (VALID: 4 hour(s))
Certificate Path: /etc/letsencrypt/live/label.stonethree.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/label.stonethree.com/privkey.pem


I did restart nginx but still the same?

Thanks.


#19

Hi,

Do you mind sharing with us the content of /etc/letsencrypt/live/label.stonethree.com/fullchain.pem? (Just the first certificate block)

Thank you


#20

This now looks a lot like the problem you had with the other VM: the certificate is renewed successfully, but certbot still sees the old version. As before, this is most likely a sign that the symbolic link structure has been disrupted. Previously this turned out to be because the directories had been renamed - can you check if that’s the case here as well?
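The symlink check described in the last paragraph of #2, the directory-rename diagnosis in #8, and the request in #20 to repeat that check on the second VM are all the same procedure: confirm that each file under live/<name>/ is a symlink into the archive_dir named in renewal/<name>.conf and that it points at the newest generation there. The following is an added example, not code from the thread or from certbot, that performs that audit with the Python 3 standard library. It also builds a constructed throwaway tree shaped like the listings in #7 (links into <name>-0001/ while the renewal config names <name>/), so it can be run offline; on a real host call audit_lineage("/etc/letsencrypt", "your.domain.example"), where both arguments are of course yours to supply.

```python
"""Added example (not from the thread, not certbot's own code): audit one
certbot lineage by checking every live/ link against the renewal config
instead of eyeballing `ls -al`."""
import os
import re
import tempfile

ITEMS = ("cert", "privkey", "chain", "fullchain")


def read_renewal_conf(path: str) -> dict:
    """Top-level `key = value` pairs of renewal/<name>.conf (the part before
    the first [section] header, which holds archive_dir and the live paths)."""
    conf = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("["):
                break
            if "=" in line and not line.startswith("#"):
                key, _, value = line.partition("=")
                conf[key.strip()] = value.strip()
    return conf


def newest_version(archive_dir: str, item: str):
    """Highest N among <item>N.pem files in the archive directory, or None."""
    matches = (re.fullmatch(rf"{item}(\d+)\.pem", n) for n in os.listdir(archive_dir))
    versions = [int(m.group(1)) for m in matches if m]
    return max(versions) if versions else None


def audit_lineage(etc_dir: str, name: str) -> list:
    """Return human-readable problems for lineage `name`; an empty list is healthy."""
    problems = []
    conf = read_renewal_conf(os.path.join(etc_dir, "renewal", name + ".conf"))
    archive_dir = conf.get("archive_dir", "")
    if not os.path.isdir(archive_dir):
        return [f"archive_dir {archive_dir!r} named in the renewal config does not exist"]
    archive_real = os.path.realpath(archive_dir)
    for item in ITEMS:
        link = conf.get(item) or os.path.join(etc_dir, "live", name, item + ".pem")
        if not os.path.islink(link):
            problems.append(f"{link} is not a symlink")
            continue
        target = os.path.realpath(link)
        if not os.path.exists(target):
            problems.append(f"{link} -> {os.readlink(link)} is dangling")
            continue
        if os.path.dirname(target) != archive_real:
            # The thread's situation: links into <name>-0001/ while the renewal
            # config (and therefore every new renewal) writes into <name>/.
            problems.append(f"{link} points into {os.path.dirname(target)} "
                            f"but the renewal config uses {archive_dir}")
            continue
        m = re.fullmatch(rf"{item}(\d+)\.pem", os.path.basename(target))
        newest = newest_version(archive_dir, item)
        if m and newest is not None and int(m.group(1)) != newest:
            problems.append(f"{link} -> {item}{m.group(1)}.pem, newest is {item}{newest}.pem")
    return problems


def _write(path: str, text: str) -> None:
    with open(path, "w") as fh:
        fh.write(text)


def make_layout(broken: bool) -> str:
    """Constructed throwaway tree mimicking /etc/letsencrypt from the thread's
    listings (broken=True) or a correctly linked lineage (broken=False)."""
    root = tempfile.mkdtemp(prefix="le-demo-")
    name = "subdomain.stonethree.com"
    for sub in ("renewal", f"live/{name}", f"archive/{name}", f"archive/{name}-0001"):
        os.makedirs(os.path.join(root, sub))
    for item in ITEMS:
        for n in (1, 2):  # two generations in the archive dir the config points at
            _write(os.path.join(root, "archive", name, f"{item}{n}.pem"), f"{item}{n}\n")
        _write(os.path.join(root, "archive", f"{name}-0001", f"{item}1.pem"), "stale\n")
        target = f"../../archive/{name}-0001/{item}1.pem" if broken else f"../../archive/{name}/{item}2.pem"
        os.symlink(target, os.path.join(root, "live", name, f"{item}.pem"))
    archive_dir = os.path.join(root, "archive", name)
    _write(os.path.join(root, "renewal", f"{name}.conf"),
           f"version = 0.22.2\narchive_dir = {archive_dir}\n"
           + "".join(f"{item} = {root}/live/{name}/{item}.pem\n" for item in ITEMS)
           + "\n[renewalparams]\nauthenticator = nginx\ninstaller = nginx\n")
    return root


if __name__ == "__main__":
    for broken in (True, False):
        print("broken layout:" if broken else "healthy layout:")
        print(audit_lineage(make_layout(broken), "subdomain.stonethree.com") or ["no problems found"])
```

The check is anchored on the renewal config rather than on whatever live/ happens to contain, because that config is what `certbot renew` reads: if the links point somewhere the config does not name, a renewal can succeed and write a fresh cert2.pem while the web server keeps loading the stale file, which is exactly what #5 showed. Renaming directories by hand is worth avoiding altogether; `certbot certificates` plus `certbot delete --cert-name <name>` is the supported way to prune a duplicate lineage such as a stray -0001.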