Renewal process problem

When you renew your certificate, you usually have to install it to install it to your webserver and reload your webserver for it to take effect.

Since that hasn’t happened, please answer every question below so we can give you relevant advice.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:rinex.org.rw

I ran this command:certbot certificates
It produced this output:getting these error:Found the following certs:
Certificate Name: rinex.org.rw
Domains: rinex.org.rw www.rinex.org.rw
Expiry Date: 2019-08-21 13:30:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/rinex.org.rw/fullchain.pem
Private Key Path: /etc/letsencrypt/live/rinex.org.rw/privkey.pem

My web server is (include version): Apache/2.4.7 (Ubuntu)
The operating system my web server runs on is (include version):Ubuntu 14.04.5 LTS
My hosting provider, if applicable, is: i have access to the server.
I can login to a root shell on my machine (yes or no, or I don’t know):
I can login to a root shell on my machine (yes or no, or I don’t know):yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

the issue i have the certficate renewed in backend but it does applied to the browser.

Are you sure you are using Apache?

No Server header appears in your website’s responses, and as far as I know, that is not possible without modifying the Apache httpd source code.

If you are sure you are using Apache, then you can try determine which certificate file you are using, a well as reloading Apache:

grep -REi SSLCertificateFile /etc/apache2
apachectl graceful
1 Like

hello am getting these response:/etc/apache2/sites-enabled/rinex.org.rw-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/rinex.org.rw/cert.pem
/etc/apache2/sites-available/rinex.org.rw-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/rinex.org.rw/cert.pem

but the is nothing changed.

That looks okay.

Did apachectl graceful give any errors? Or no output.

Let’s confirm that Apache is actually the process listening on port 443:

netstat -tlnp | grep ":443"

and that cert.pem doesn’t have the old certificate (somehow):

openssl x509 -in /etc/letsencrypt/live/rinex.org.rw/cert.pem -noout -dates
1 Like

the apachectl graceful gives no output.
these command netstat -tlnp | grep ‘’’:443’ this gives these output:
tcp6 0 0 :::443 :::* LISTEN 2131/apache2
these command gives this output:
openssl x509 -in /etc/letsencrypt/live/rinex.org.rw/cert.pem -noout -dates
notBefore=May 23 13:30:43 2019 GMT
notAfter=Aug 21 13:30:43 2019 GMT

Hi @buregeya

there is your topic with the same informations:

No Apache header, you have already created some certificates, but you don't install your new certificate.

And you don't say how you have installed the last certificate.

What's your vHost configuration?

apachectl configtest
apachectl fullstatus
apachectl -S

That's a bit of a mystery. It does seem like it should already be working.

I would also try a hard restart of your Apache webserver, just in case graceful reload isn't effective:

service apache2 stop
killall -9 apache2
service apache2 start

these are my virtualhost:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin noc@ricta.org.rw
    ServerName rinex.org.rw
    ServerAlias www.rinex.org.rw
    DocumentRoot /var/www/rinex.org.rw/public_html
    #Redirect permanent / https://rinex.org.rw/

   <Directory /var/www/rinex.org.rw/public_html/>
     Options  FollowSymLinks
     AllowOverride All
     Require all granted
   </Directory>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/rinex.error.log
    CustomLog ${APACHE_LOG_DIR}/rinex.access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =www.rinex.org.rw [OR]
    #RewriteCond %{SERVER_NAME} =rinex.org.rw
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =rinex.org.rw [OR]
    #RewriteCond %{SERVER_NAME} =www.rinex.org.rw
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =www.rinex.org.rw [OR]
    #RewriteCond %{SERVER_NAME} =rinex.org.rw
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    # RewriteEngine on
    # RewriteCond %{SERVER_NAME} =rinex.org.rw [OR]
    #RewriteCond %{SERVER_NAME} =www.rinex.org.rw
    # RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

#RewriteEngine on
#RewriteCond %{SERVER_NAME} =rinex.org.rw [OR]
#RewriteCond %{SERVER_NAME} =www.rinex.org.rw
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteEngine on
RewriteCond %{SERVER_NAME} =rinex.org.rw [OR]
RewriteCond %{SERVER_NAME} =www.rinex.org.rw
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

but i don’t understand what do you mean by No apache header.
i used the steps on the cetbot website .

am getting no changes…

There is no port 443 definition. What's the content of the 443 vHost?

There ( https://check-your-website.server-daten.de/?q=rinex.org.rw ):

Domainname Http-Status redirect Sec. G
http://rinex.org.rw/
196.49.7.181 200 1.104 H
http://www.rinex.org.rw/
196.49.7.181 200 1.104 H
https://rinex.org.rw/
196.49.7.181 200 2.500 I
https://www.rinex.org.rw/
196.49.7.181 200 2.476 I

is a running https. Use the "show header" box.

A standard Apache sends a Header

Server: Apache ...

Your Server doesn't send such a header. So it doesn't look like an Apache, instead something other.

Please: The complete output of

apachectl configtest
apachectl fullstatus
apachectl -S

the is another folder created after letsencrypt installation:
cat rinex.org.rw-le-ssl.conf

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin noc@ricta.org.rw
    ServerName rinex.org.rw
    ServerAlias www.rinex.org.rw
    DocumentRoot /var/www/rinex.org.rw/public_html
    #Redirect permanent / https://rinex.org.rw/

   <Directory /var/www/rinex.org.rw/public_html/>
     Options  FollowSymLinks
     AllowOverride All
     Require all granted
   </Directory>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/rinex.error.log
    CustomLog ${APACHE_LOG_DIR}/rinex.access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =www.rinex.org.rw [OR]
    #RewriteCond %{SERVER_NAME} =rinex.org.rw
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =rinex.org.rw [OR]
    #RewriteCond %{SERVER_NAME} =www.rinex.org.rw
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    #RewriteEngine on
    #RewriteCond %{SERVER_NAME} =www.rinex.org.rw [OR]
    #RewriteCond %{SERVER_NAME} =rinex.org.rw
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    # RewriteEngine on
    # RewriteCond %{SERVER_NAME} =rinex.org.rw [OR]
    #RewriteCond %{SERVER_NAME} =www.rinex.org.rw
    # RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

#RewriteEngine on
#RewriteCond %{SERVER_NAME} =rinex.org.rw [OR]
#RewriteCond %{SERVER_NAME} =www.rinex.org.rw
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/rinex.org.rw/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rinex.org.rw/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/rinex.org.rw/chain.pem

apachectl configtest: syntax ok
apachectl fullstatus: this is the output.
Apache Server Status for localhost (via 127.0.0.1)

Server Version: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.20 OpenSSL/1.0.1f
Server MPM: prefork
Server Built: Apr 3 2019 18:04:25


Current Time: Friday, 24-May-2019 09:46:41 CAT
Restart Time: Friday, 24-May-2019 09:23:37 CAT
Parent Server Config. Generation: 2
Parent Server MPM Generation: 1
Server uptime: 23 minutes 3 seconds
Server load: 0.00 0.01 0.05
Total accesses: 97 - Total Traffic: 1.5 MB
CPU Usage: u.49 s.13 cu0 cs0 - .0448% CPU load
.0701 requests/sec - 1120 B/second - 15.6 kB/request
1 requests currently being processed, 5 idle workers

W.__.…_…

Scoreboard Key:
“_” Waiting for Connection, “S” Starting up, “R” Reading Request,
“W” Sending Reply, “K” Keepalive (read), “D” DNS Lookup,
“C” Closing connection, “L” Logging, “G” Gracefully finishing,
“I” Idle cleanup of worker, “.” Open slot with no current process

Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-1 6472 0/1/14 _ 0.00 50 1 0.0 0.00 0.07 66.249.93.71 rinex.org.rw:443 GET /favicon.ico HTTP/1.1
1-1 6391 0/17/ W 0.36 0 0 0.0 0.17 0.20 127.0.0.1 localhost:80 GET /server-status HTTP/1.0
20
2-1 - 0/0/11 . 0.19 49 1 0.0 0.00 0.31 ::1 localhost:80 OPTIONS * HTTP/1.0
3-1 6471 0/0/7 _ 0.00 40 1 0.0 0.00 0.05 212.83.146.233 rinex.org.rw:443 NULL
4-1 6428 0/4/13 _ 0.00 47 0 0.0 0.00 0.16 51.15.191.81 localhost:80 NULL
5-1 - 0/0/9 . 0.00 48 1 0.0 0.00 0.42 ::1 localhost:80 OPTIONS * HTTP/1.0
6-1 6418 0/3/5 _ 0.07 51 106 0.0 0.03 0.03 66.249.93.68 rinex.org.rw:443 GET / HTTP/1.1
7-1 - 0/0/4 . 0.00 47 1 0.0 0.00 0.06 ::1 localhost:80 OPTIONS * HTTP/1.0
8-1 - 0/0/4 . 0.00 46 1 0.0 0.00 0.11 ::1 localhost:80 OPTIONS * HTTP/1.0
9-1 - 0/0/6 . 0.00 45 1 0.0 0.00 0.08 ::1 localhost:80 OPTIONS * HTTP/1.0
10-1 - 0/0/2 . 0.00 44 1 0.0 0.00 0.00 ::1 localhost:80 OPTIONS * HTTP/1.0
11-1 - 0/0/1 . 0.00 38 0 0.0 0.00 0.00 ::1 localhost:80 OPTIONS * HTTP/1.0
12-1 6488 0/1/1 _ 0.00 22 1 0.0 0.00 0.00 196.49.7.139 localhost:80 GET / HTTP/1.0


Srv Child Server number - generation
PID OS process ID
Acc Number of accesses this connection / this child / this slot
M Mode of operation
CPU CPU usage, number of seconds
SS Seconds since beginning of most recent request
Req Milliseconds required to process most recent request
Conn Kilobytes transferred this connection
Child Megabytes transferred this child
Slot Total megabytes transferred this slot


SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current entries: 2
subcaches: 32, indexes per subcache: 88
time left on oldest entries’ objects: avg: 245 seconds, (range: 244…246)
index usage: 0%, cache usage: 0%
total entries stored since starting: 20
total entries replaced since starting: 0
total entries expired since starting: 13
total (pre-expiry) entries scrolled out of the cache: 0
total retrieves since starting: 12 hit, 20 miss
total removes since starting: 0 hit, 0 miss

apachectl -S
VirtualHost configuration:
*:443 rinex.org.rw (/etc/apache2/sites-enabled/rinex.org.rw-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server localhost (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost localhost (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost akadomo.rw (/etc/apache2/sites-enabled/akadomo-rw.conf:1)
alias www.akadomo.rw
port 80 namevhost akadomo.co.rw (/etc/apache2/sites-enabled/akadomo.co.rw.conf:1)
alias www.akadomo.co.rw
port 80 namevhost wiki.ricta.org.rw (/etc/apache2/sites-enabled/dokuwiki.conf:1)
alias www.wiki.ricta.org.rw
port 80 namevhost rinex.org.rw (/etc/apache2/sites-enabled/rinex.org.rw.conf:1)
alias www.rinex.org.rw
port 80 namevhost rwnog.rw (/etc/apache2/sites-enabled/rwnog.rw.conf:1)
alias www.rwnog.rw
port 80 namevhost test.rw (/etc/apache2/sites-enabled/test.rw.conf:1)
alias www.test.rw
port 80 namevhost wordpress.ricta.org.rw (/etc/apache2/sites-enabled/wordpress.conf:1)
alias www.wordpress.ricta.org.rw
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

So the 443 vHost uses these files, the files have the correct certificate ( Renewal process problem - #7 by buregeya ) - but the certificate isn't online.

How did you installed your older certificates? Started end 2017.

these are the commands:
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot python-certbot-apache
certbot --apache -d rinex.org.rw -d www.rinex.org.rw
certbot certificates

Perhaps someone has changed the webserver, so that vHost isn't used.

What's the complete output of netstat? (without the grep filter)?

the output of netstat:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 rinex.org.rw:ssh 196.49.7.190:34874 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 DGRAM 8096 /var/spool/postfix/dev/log
unix 14 DGRAM 8091 /dev/log
unix 3 STREAM CONNECTED 8995
unix 3 STREAM CONNECTED 9019
unix 3 DGRAM 1863
unix 2 DGRAM 10025
unix 2 DGRAM 3141928
unix 3 STREAM CONNECTED 8005
unix 3 STREAM CONNECTED 1918 @/com/ubuntu/upstart
unix 2 STREAM CONNECTED 3060391
unix 3 STREAM CONNECTED 8964
unix 3 STREAM CONNECTED 8977
unix 3 STREAM CONNECTED 8948
unix 3 STREAM CONNECTED 7978
unix 3 STREAM CONNECTED 9003
unix 3 STREAM CONNECTED 8968
unix 3 STREAM CONNECTED 3065265 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 8989
unix 3 STREAM CONNECTED 9015
unix 3 STREAM CONNECTED 9007
unix 3 STREAM CONNECTED 3060030
unix 3 STREAM CONNECTED 8955
unix 3 STREAM CONNECTED 8985
unix 3 STREAM CONNECTED 8009 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 8961
unix 3 STREAM CONNECTED 8994
unix 3 STREAM CONNECTED 8982
unix 3 STREAM CONNECTED 8945
unix 3 STREAM CONNECTED 8006
unix 3 STREAM CONNECTED 1797
unix 3 STREAM CONNECTED 8965
unix 2 DGRAM 9758
unix 3 STREAM CONNECTED 8998
unix 3 STREAM CONNECTED 9024
unix 3 STREAM CONNECTED 8949
unix 3 STREAM CONNECTED 1752 @/com/ubuntu/upstart
unix 2 DGRAM 3065137
unix 3 STREAM CONNECTED 9012
unix 3 STREAM CONNECTED 8952
unix 3 STREAM CONNECTED 3060038
unix 3 STREAM CONNECTED 8973
unix 3 STREAM CONNECTED 9016
unix 3 STREAM CONNECTED 9027
unix 3 STREAM CONNECTED 9006
unix 3 STREAM CONNECTED 8956
unix 3 STREAM CONNECTED 8986
unix 3 STREAM CONNECTED 8983
unix 3 STREAM CONNECTED 8946
unix 3 STREAM CONNECTED 8070
unix 3 STREAM CONNECTED 8997
unix 3 STREAM CONNECTED 9021
unix 3 STREAM CONNECTED 8887
unix 3 STREAM CONNECTED 8962
unix 3 STREAM CONNECTED 3060029
unix 3 STREAM CONNECTED 8979
unix 3 STREAM CONNECTED 8939
unix 3 STREAM CONNECTED 9001
unix 3 STREAM CONNECTED 9025
unix 3 STREAM CONNECTED 1827
unix 2 DGRAM 3060393
unix 2 DGRAM 9669
unix 3 STREAM CONNECTED 8953
unix 3 STREAM CONNECTED 8941
unix 3 STREAM CONNECTED 8991
unix 3 STREAM CONNECTED 9013
unix 3 STREAM CONNECTED 8970
unix 3 STREAM CONNECTED 8942
unix 3 STREAM CONNECTED 8888 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 8376 @/com/ubuntu/upstart
unix 3 STREAM CONNECTED 9028
unix 3 STREAM CONNECTED 9009
unix 3 STREAM CONNECTED 8974
unix 3 STREAM CONNECTED 1981 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 8959
unix 2 DGRAM 3152634
unix 3 DGRAM 1864
unix 2 DGRAM 10042
unix 3 STREAM CONNECTED 9022
unix 3 STREAM CONNECTED 8980
unix 2 DGRAM 8916
unix 2 DGRAM 3060401
unix 3 STREAM CONNECTED 8967
unix 3 STREAM CONNECTED 9000
unix 3 STREAM CONNECTED 8976
unix 3 STREAM CONNECTED 8361
unix 3 STREAM CONNECTED 9010
unix 3 STREAM CONNECTED 8992
unix 3 STREAM CONNECTED 8971
unix 3 STREAM CONNECTED 9004
unix 3 STREAM CONNECTED 8958
unix 3 STREAM CONNECTED 8938
unix 2 DGRAM 9032
unix 3 STREAM CONNECTED 8988
unix 3 STREAM CONNECTED 9018
unix 2 DGRAM 8742

i created new apache and installed new certificates but it doesn’t applied on the browser .
what vhost am i using cause the one am using is this rinex.org.rw-le-ssl.conf (file created after letsencrypt installation).
and these one in sites-available: rinex.org.rw.conf

Please use the same parameters @_az has shared. So

tcp6 0 0 :::443 :::* LISTEN 2131/apache2

should be visible.

hello am getting these:
tcp6 0 0 :::443 :::* LISTEN 2131/apache2
IPv6 Destination Address not specified (and listening mode not selected)