Renewal email in conflict with server information


#1

I am receiving an email that my site’s certificate will expire soon. When I check the expiration on my server, it shows that it already automatically auto-renewed and is good for 77 days.

Is there a way to report this bug? I would like to get ahead of things instead of waiting 10 days for the certificate to expire and browsers to start throwing the insecure warning.


My domain is: insocmedasst.org

I ran this command:
sudo certbot certificates

It produced this output:

Certificate Name: insocmedasst.org
  Domains: insocmedasst.org www.insocmedasst.org
  Expiry Date: 2018-11-06 05:01:18+00:00 (VALID: 77 days)
  Certificate Path: /etc/letsencrypt/live/insocmedasst.org/fullchain.pem
  Private Key Path: /etc/letsencrypt/live/insocmedasst.org/privkey.pem

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes.


#2

See this page:

There is an older certificate for only “insocmedasst.org” – without “www.insocmedasst.org” – that is expiring August 29.

https://crt.sh/?id=497252967

As your Certbot output shows, you’ve replaced it with a certificate for both names. The Let’s Encrypt warning system doesn’t know if you’re still using the older certificate. If you’re not, you can just ignore the emails. (You’ll get one or two more before it expires.)

On a different subject, https://insocmedasst.org/ isn’t actually using your newest certificate! It’s still using the one that expires September 6, from before Certbot renewed it!

You need to reload Apache and configure a hook so that Certbot automatically reloads it in the future.


#3

Funny enough, I believe I’ve already done that. When I first learned to generate certificates, I didn’t know you could do multiple. So I re-rolled for both the www. and non-www on the new one. When I went to remove the old certificate, I accidentally moved the new one, which must have caused it to revert to the old certificate. Instead of deleting I moved it out of the directory, so I simply moved it back. It must have not synced back up upon doing so.

Restarting Apache synced it back up with the correct certificate.

Is it safe to delete the old certificate if I have a new one with both the www. and non-www? I was Googling around a little while ago and saw mixed opinions on whether it was a good measure.


#4

It’s safe to delete it if you’re sure Apache (and anything else) isn’t using it anymore.

https://www.insocmedasst.org/ is using the certificate for both names (the old one before, the new one now) so it ought to be fine.

You can use e.g. “sudo certbot delete --cert-name www.example.com” to delete a certificate’s files. (The “--cert-name” argument uses the “Certificate Name” field displayed by Certbot and used in the /etc/letsencrypt/live/ paths.)

