I ran this command:
DOMAIN=grita.com
WILDCARD=*.$DOMAIN
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly
I deployed the specified DNS TXT record value under _acme-challenge.grita.com
It produced this output:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/grita.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/grita.com/privkey.pem
Your cert will expire on 2023-10-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
My web server is (include version):
No idea. The only information I see is:
512 MB RAM, 1 vCPU, 20 GB SSD
WordPress
Virginia, Zone A (us-east-1a)
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
AWS Lightsail hosted WordPress.
I can log in to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0
If so, do you really need to use the --manual authenticator? I see your domain is hosted by AWS too. You might want to consider using the certbot-dns-route53 authenticator to automate the dns-01 challenge for getting a wildcard certificate. But not requiring a wildcard certificate is usually easier.
@SVEncryptLets When using the certonly subcommand without a --deploy-hook to reload the webserver, you must manually reload the webserver so it uses the most recently issued certificate. (Assuming the webserver is configured to directly use the files in the /live/ directory.)
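A check for the situation described above, where `certonly` has written a new certificate but the web server keeps serving the old one until it is reloaded. This is an added example, not part of the original thread: the function names are made up for illustration, and it assumes `openssl`, `base64` and `sha256sum` are installed and that the web server reads the files under /etc/letsencrypt/live/grita.com/.

```bash
#!/usr/bin/env bash
# Added example: detect a web server that is still serving an old certificate
# after certbot has written a new one to the live/ directory.

# Print the SHA-256 of the first (leaf) certificate found in a PEM file,
# or on stdin when no file is given. fullchain.pem lists the leaf first,
# followed by the intermediates, so only the first block is hashed.
leaf_fingerprint() {
    _body=$(awk '/-----BEGIN CERTIFICATE-----/ {inside=1; next}
                 /-----END CERTIFICATE-----/   {exit}
                 inside {printf "%s", $0}' ${1:+"$1"})
    # No certificate block found: print nothing and fail, so the caller
    # does not end up comparing hashes of empty input.
    [ -n "$_body" ] || return 1
    printf '%s' "$_body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Fetch what a host presents on port 443 (needs network access and openssl).
# -servername sends SNI so a multi-site server picks the right certificate.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null
}

# Compare the on-disk and served fingerprints.
# Returns 0 on a match, 1 when the server is stale, 2 when either is missing.
compare_fingerprints() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "could not read one of the certificates"
        return 2
    fi
    if [ "$1" = "$2" ]; then
        echo "server is using the certificate on disk"
        return 0
    fi
    echo "server is serving a different certificate: reload the web server"
    return 1
}

# Usage on the server (as root, because live/ is readable by root only):
#   disk=$(leaf_fingerprint /etc/letsencrypt/live/grita.com/fullchain.pem)
#   wire=$(served_cert grita.com | leaf_fingerprint)
#   compare_fingerprints "$disk" "$wire"
```

A mismatch right after a successful renewal means the new files are in place but the running server has not picked them up yet.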
Lightsail has its own panel for managing domain names. It overlays Route53 but I am fairly sure it has a different API to manage compared to standard Route53.
I should have mentioned I have very little idea what I'm doing. I installed and have renewed (several times) by following steps published in a tutorial. It was strange that I received a 'certificate expiration' email saying my cert would expire on 2023-07-31 but I noticed the site was already "Not Secure" today.
Would it be possible for someone to give me the specific shell commands I need to use to fix this?