Today it looked like the certificate expired on the site, and I had to force-renew it, because it didn't auto-renew.
Now, when I run certbot certificates I get the expiry in November
Expiry Date: 2019-11-13 20:52:52+00:00 (VALID: 89 days)
But looking at the certificate in a browser, it expires on October 14
Is it possible that you are not using the nginx installer with Certbot, so it doesn’t reload your server after issuing/renewing?
What’s the contents of:
I tried that, and using different browsers. You can check on the site what expiry you see.
renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/ecolicua.com
cert = /etc/letsencrypt/live/ecolicua.com/cert.pem
privkey = /etc/letsencrypt/live/ecolicua.com/privkey.pem
chain = /etc/letsencrypt/live/ecolicua.com/chain.pem
fullchain = /etc/letsencrypt/live/ecolicua.com/fullchain.pem
Options used in the renewal process
account = 9ec22bee558eacc361a3c6e87ffe2996
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
Usually when people use Certbot with nginx, Certbot applies the new certificate to the nginx configuration and reloads nginx for you. Typically, this looks like:
authenticator = nginx
installer = nginx
As you can see in your case, you’re missing the
So your Certbot has been renewing your certificate, but failing to actually apply it to nginx. So nginx keeps trucking on with the old certificate, until it is reloaded.
This also explains why you see the October certificate (because your Certbot did renew automatically, but it didn’t reload nginx. Then when you force-renewed, the authenticator reloaded nginx to authenticate for a new certificate … resulting in the October certificate being loaded. But the November certificate was not loaded because, once again, there was no post-renewal reload of nginx).
If you manually configured your certificate in the nginx configuration, you could add the following line to ensure that nginx is reloaded after renewals:
renew_hook = service nginx reload
If Certbot installed the certificate for you, you should add the
renew_hook - I got the name wrong.
This could be a likely case of running Certbot with
certonly (I would love to find out more about what's inspiring people to use Certbot this way, since it's usually not the best choice for nginx or Apache users).
That did the trick, thanks!
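An added example, not part of the thread or of Certbot itself: a shell check that reads a renewal configuration like the one posted above and flags the condition diagnosed in the replies (nginx authenticator, no installer, no renew_hook). The function names and the sample files are constructed for illustration; only the keys authenticator, installer and renew_hook come from the thread.

```shell
#!/bin/sh
# Audit Certbot renewal configs for "renews on disk, never loaded by nginx".

# conf_get KEY FILE: print the value of "KEY = value" (empty if absent).
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_renewal_conf FILE
# returns 0: an installer or a renew_hook applies the renewed certificate
#         1: nothing reloads the web server after renewal
#         2: file cannot be read
audit_renewal_conf() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    auth=$(conf_get authenticator "$1")
    inst=$(conf_get installer "$1")
    hook=$(conf_get renew_hook "$1")
    # Assumption: a literal "None" value is treated the same as a missing key.
    if [ -n "$inst" ] && [ "$inst" != "None" ]; then
        echo "ok: installer=$inst applies the certificate after renewal"
        return 0
    fi
    if [ -n "$hook" ]; then
        echo "ok: renew_hook runs after renewal: $hook"
        return 0
    fi
    echo "warn: authenticator=${auth:-unset}, no installer, no renew_hook"
    return 1
}

# Constructed sample files: the thread's parameters before and after the fix.
demo() {
    d=$(mktemp -d)
    printf 'authenticator = nginx\nserver = https://acme-v02.api.letsencrypt.org/directory\n' > "$d/before.conf"
    printf 'authenticator = nginx\nrenew_hook = service nginx reload\n' > "$d/after.conf"
    audit_renewal_conf "$d/before.conf" || true   # warn, status 1
    audit_renewal_conf "$d/after.conf" || true    # ok, status 0
    rm -rf "$d"
}

# With arguments, audit those files; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_renewal_conf "$f" || true; done
else
    demo
fi
```

Pass it the renewal configuration files to audit; a "warn" line means the certificate on disk and the one nginx serves will drift apart after the next renewal.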