Renewal not reflecting on the WWW


#1

Hi,

I have a weird issue. When I run the command to renew my certificates (and when that didn’t work; the command below to issue a NEW certificate) I get a success result. When I run certbot certificates, the expiry date entry is: 2019-03-10 08:40:32+00:00 (VALID: 89 days) . HOWEVER, When I load my web application OR when I check on https://www.ssllabs.com/ssltest/analyze.html?d=members.co.ke or https://www.sslshopper.com/ssl-checker.html#hostname=members.co.ke and others, the certificate is show to be expired.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: members.co.ke

I ran this command: certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --preferred-challenges=dns --email info@touchinspiration.com --manual -d ‘members.co.ke, *.members.co.ke’

It produced this output: - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/members.co.ke/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/members.co.ke/privkey.pem
Your cert will expire on 2019-03-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-29-generic x86_64)

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO


#2

Hi @SirBertly

your certificate is expired (checked with https://check-your-website.server-daten.de/?q=members.co.ke - own online tool):

Domainname Http-Status redirect Sec. G
http://members.co.ke/
142.93.76.161 301 https://members.co.ke/ 0.200 A
http://www.members.co.ke/
142.93.76.161 301 https://www.members.co.ke/ 0.196 A
https://members.co.ke/
142.93.76.161 200 2.323 N
Certificate error: RemoteCertificateChainErrors
https://www.members.co.ke/
142.93.76.161 200 2.090 N
Certificate error: RemoteCertificateChainErrors

|CN=members.co.ke|01.09.2018|30.11.2018
expired|*.members.co.ke, members.co.ke - 2 entries

If you use certonly

you have to install your certificate manual.


#3

Yes. That’s exactly what I’m saying. I have renewed it multiple times, but it fails to reflect. Look at what running certbot certificates gives me:
image

:point_up_2::point_up_2:Expiry Date: 2019-03-10 08:40:32+00:00 (VALID: 89 days):point_up_2::point_up_2:


#4

PS: The certs have been installed to the correct locations:

image


#5

Did you restart / reload your server?


#6

The cert location matches the config shown.

If you have already restarted/reloaded your web server, then there must be another vhost config that is catching the www requests.
So, step #1: Make sure you restarted/relodaed the web server.
Step #2: Search through all vhost configs for overlapping domains:
grep -Eri 'server_name|server_alias|ssl_cert|listen' /etc/nginx/


#7

Thanks for this. The nginx server needed to be restarted but it wasn’t restarting because the options-ssl-nginx.conf and ssl-dhparams.pem files were missing. Don’t know how that happened, but I copied them over from another server and restarted the server and we’re good now. Thanks for the lead.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.