Renewal not being updated on server

Today it looked like the certificate expired on the site, and I had to force-renew it, because it didn't auto-renew.
Now, when I run certbot certificates, I get the expiry in November:
Expiry Date: 2019-11-13 20:52:52+00:00 (VALID: 89 days)

But looking at the certificate in a browser, it expires on October 14.

My domain is:
ecolicua.com
I ran this command:

It produced this output:
certbot --force-renew
My web server is (include version):
nginx 1.10.3
The operating system my web server runs on is (include version):
Ubuntu 16
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31

Is it possible that you are not using the nginx installer with Certbot, so it doesn’t reload your server after issuing/renewing?

What are the contents of:

/etc/letsencrypt/renewal/ecolicua.com.conf

I tried that, and using different browsers. You can check on the site what expiry you see.

/etc/letsencrypt/renewal/ecolicua.com.conf

# renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/ecolicua.com
cert = /etc/letsencrypt/live/ecolicua.com/cert.pem
privkey = /etc/letsencrypt/live/ecolicua.com/privkey.pem
chain = /etc/letsencrypt/live/ecolicua.com/chain.pem
fullchain = /etc/letsencrypt/live/ecolicua.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 9ec22bee558eacc361a3c6e87ffe2996
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory

Usually when people use Certbot with nginx, Certbot applies the new certificate to the nginx configuration and reloads nginx for you. Typically, this looks like:

[renewalparams]
authenticator = nginx
installer = nginx
...

As you can see in your case, you’re missing the installer line.

So your Certbot has been renewing your certificate, but failing to actually apply it to nginx. So nginx keeps trucking on with the old certificate, until it is reloaded.

This also explains why you see the October certificate (because your Certbot did renew automatically, but it didn’t reload nginx. Then when you force-renewed, the authenticator reloaded nginx to authenticate for a new certificate … resulting in the October certificate being loaded. But the November certificate was not loaded because, once again, there was no post-renewal reload of nginx).

If you manually configured your certificate in the nginx configuration, you could add the following line to ensure that nginx is reloaded after renewals:

renew_hook = service nginx reload

If Certbot installed the certificate for you, you should add the installer line.

Edit: Changed deploy_hook to renew_hook - I got the name wrong.
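
The check described in this answer, as an added example that is not part of the original post or of Certbot itself: it parses a renewal file and reports a lineage where nothing reloads the web server after renewal. The sample file is constructed from the one quoted in this thread (placeholder account and domain), and the function names are hypothetical.

```python
import configparser
import glob
import os

# Constructed sample modelled on the renewal file quoted in this thread.
SAMPLE_BROKEN = """\
# renew_before_expiry = 30 days
version = 0.31.0
cert = /etc/letsencrypt/live/example.com/cert.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
"""
SAMPLE_WITH_HOOK = SAMPLE_BROKEN + "renew_hook = service nginx reload\n"
SAMPLE_WITH_INSTALLER = SAMPLE_BROKEN + "installer = nginx\n"

def parse_renewal_conf(text):
    """Return (top_level_keys, renewalparams) as two dicts."""
    parser = configparser.ConfigParser(interpolation=None)
    # Keys above [renewalparams] have no section header, so supply one.
    parser.read_string("[toplevel]\n" + text)
    params = dict(parser["renewalparams"]) if parser.has_section("renewalparams") else {}
    return dict(parser["toplevel"]), params

def reload_gap(text):
    """Return a finding if no installer or renew_hook is set, else None."""
    _, params = parse_renewal_conf(text)
    installer = params.get("installer", "").strip()
    hook = params.get("renew_hook", "").strip()
    # Assumption: a literal "None" value means no installer was selected.
    if (installer and installer.lower() != "none") or hook:
        return None
    auth = params.get("authenticator", "unknown")
    return f"authenticator={auth}, no installer, no renew_hook: server not reloaded"

def audit_dir(path="/etc/letsencrypt/renewal"):
    """Map each renewal file under path to its finding, skipping clean ones."""
    findings = {}
    for conf in sorted(glob.glob(os.path.join(path, "*.conf"))):
        with open(conf) as fh:
            finding = reload_gap(fh.read())
        if finding:
            findings[conf] = finding
    return findings

if __name__ == "__main__":
    print(reload_gap(SAMPLE_BROKEN))
    print(audit_dir())
```

Running it as root on the server audits every lineage under /etc/letsencrypt/renewal; an empty result means each one has an installer or a renew_hook.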

This could be a likely case of running Certbot with certonly (I would love to find out more about what's inspiring people to use Certbot this way, since it's usually not the best choice for nginx or Apache users).

That did the trick, thanks!