Renewal not reflecting on the WWW

Hi,

I have a weird issue. When I run the command to renew my certificates (and when that didn’t work; the command below to issue a NEW certificate) I get a success result. When I run certbot certificates, the expiry date entry is: 2019-03-10 08:40:32+00:00 (VALID: 89 days). HOWEVER, when I load my web application OR when I check on https://www.ssllabs.com/ssltest/analyze.html?d=members.co.ke or https://www.sslshopper.com/ssl-checker.html#hostname=members.co.ke and others, the certificate is shown to be expired.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: members.co.ke

I ran this command: certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --preferred-challenges=dns --email info@touchinspiration.com --manual -d 'members.co.ke, *.members.co.ke'

It produced this output: - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/members.co.ke/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/members.co.ke/privkey.pem
Your cert will expire on 2019-03-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-29-generic x86_64)

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

Hi @SirBertly

your certificate is expired (checked with https://check-your-website.server-daten.de/?q=members.co.ke - own online tool):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://members.co.ke/ 142.93.76.161 | 301 | https://members.co.ke/ | 0.200 | A |
| http://www.members.co.ke/ 142.93.76.161 | 301 | https://www.members.co.ke/ | 0.196 | A |
| https://members.co.ke/ 142.93.76.161 | 200 | | 2.323 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| https://www.members.co.ke/ 142.93.76.161 | 200 | | 2.090 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |

| CN=members.co.ke | 01.09.2018 | 30.11.2018 expired | *.members.co.ke, members.co.ke - 2 entries |

If you use certonly, you have to install your certificate manually.

Yes. That’s exactly what I’m saying. I have renewed it multiple times, but it fails to reflect. Look at what running certbot certificates gives me:
[image]

👆👆 Expiry Date: 2019-03-10 08:40:32+00:00 (VALID: 89 days) 👆👆

PS: The certs have been installed to the correct locations:

[image]


Did you restart / reload your server?


The cert location matches the config shown.

If you have already restarted/reloaded your web server, then there must be another vhost config that is catching the www requests.
So, step #1: Make sure you restarted/reloaded the web server.
Step #2: Search through all vhost configs for overlapping domains:
grep -Eri 'server_name|server_alias|ssl_cert|listen' /etc/nginx/

Thanks for this. The nginx server needed to be restarted but it wasn’t restarting because the options-ssl-nginx.conf and ssl-dhparams.pem files were missing. Don’t know how that happened, but I copied them over from another server and restarted the server and we’re good now. Thanks for the lead.


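The check this thread converges on, comparing the certificate nginx actually presents with the one certbot wrote to disk, as an added example that is not part of any post above. The function names are illustrative, and the default live directory is the path shown in the certbot output.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): is nginx serving the certificate
# that certbot wrote to disk, or an older one it still holds in memory?

# SHA-256 fingerprint of the first certificate in the PEM stream on stdin.
cert_fp() { openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# Expiry (notAfter) of the first certificate in the PEM stream on stdin.
cert_end() { openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2; }

# Leaf certificate a live server presents for HOST (sent as SNI) on PORT.
served_pem() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 2>/dev/null
}

# compare_certs DISK_PEM SERVED_PEM
# returns 0 = same leaf, 1 = server presents a different cert, 2 = unreadable
compare_certs() {
  local disk_fp served_fp
  disk_fp=$(cert_fp <"$1")
  served_fp=$(cert_fp <"$2")
  if [ -z "$disk_fp" ] || [ -z "$served_fp" ]; then
    echo "ERROR: could not read a certificate from $1 or $2" >&2
    return 2
  fi
  if [ "$disk_fp" = "$served_fp" ]; then
    echo "OK: served certificate matches disk, expires $(cert_end <"$1")"
    return 0
  fi
  echo "STALE: disk expires $(cert_end <"$1"), served expires $(cert_end <"$2")"
  echo "Run 'nginx -t' to see why a reload fails, then 'systemctl reload nginx'."
  return 1
}

# check_deployed DOMAIN [LIVE_DIR]; LIVE_DIR defaults to certbot's live path.
check_deployed() {
  local tmp rc=0
  tmp=$(mktemp) || return 2
  served_pem "$1" >"$tmp"
  compare_certs "${2:-/etc/letsencrypt/live/$1}/fullchain.pem" "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Runs only when a domain is given, e.g.: sudo ./check.sh members.co.ke
[ "$#" -eq 0 ] || check_deployed "$@"
```

A STALE result right after a successful certbot run means the running nginx never loaded the new files, which is the situation in this thread, where the restart was failing on missing include files.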