Renewed Certificate is Not Working


#1

Hi,

Managed to install Let’s Encrypt a couple of months ago. Set up CRON Job to automate the renewal, it failed the first time.

So I’ve just updated this manually using the command;

./letsencrypt-auto renew

Which has successfully renewed the certificate. When checking in the following folder;

/etc/letsencrypt/live/mydomain.com

And running the command;

pico cert.pem

Then decoding the certificate details in this file using this tool, https://www.sslshopper.com/certificate-decoder.html

The certificate is valid, it was created yesterday and expires in 90 days.

Yet the browser is still showing me the old certificate when viewing the website in question.

So I thought this may be related to the certificate needing to be installed again, so I ran the command;

./installssl.pl mydomain.dom

And the following error was flagged;

{"metadata":{"version":1,"output":{"raw":"Certificate verification failed!\nCertificate verified:\nstdin: CN = mydomain.com\nerror 20 at 0 depth lookup:unable to get local issuer certificate\n\n\n"},"result":0,"command":"installssl","reason":"Certificate verification failed!\nCertificate verified:\nstdin: CN = mydomain.com\nerror 20 at 0 depth lookup:unable to get local issuer certificate\n\n\n"}}
root@178 [~]#

I’m completely lost about how to resolve this. Any ideas? Currently the domain in question is unusable due to the security warnings from the browser whenever someone tries to access it.

Regards,
Michael


#2

This isn’t a script provided by the client. What does this do?

My best guess is that your web server configuration is not actually pointing to /etc/letsencrypt/live/mydomain.com/cert.pem etc., but rather some old copy of that file at some other path. This is not something the renew script can do for you automatically - you’ll need to script that bit yourself, or point your web server directly to the files in /etc/letsencrypt/live/mydomain.com/cert.pem.

Note that you’ll also have to reload your web server in order for the new certificate to be used, so make sure you add that step to your script as well if it’s missing.

Feel free to post your web server config/scripts if you need any assistance!
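
One way to test the diagnosis in the reply above is to compare the fingerprint of the renewed cert.pem on disk with the certificate the web server actually presents. This is an added example, not part of the thread or of any Let's Encrypt client; the /etc/letsencrypt/live/<domain>/cert.pem path comes from the posts, and the function names are illustrative.

```python
import hashlib
import socket
import ssl
import sys

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"


def fingerprint(pem: str) -> str:
    """SHA-256 of the first certificate in a PEM string (the leaf in fullchain.pem)."""
    start = pem.index(HEADER)
    end = pem.index(FOOTER, start) + len(FOOTER)
    der = ssl.PEM_cert_to_DER_cert(pem[start:end])
    return hashlib.sha256(der).hexdigest()


def fetch_served_pem(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the leaf certificate the server presents for host (SNI set).

    Validation is off on purpose: this reads whatever is being served,
    including an expired certificate; it does not trust the connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def serving_renewed(disk_pem: str, served_pem: str) -> bool:
    """True when the server presents the same certificate that is on disk."""
    return fingerprint(disk_pem) == fingerprint(served_pem)


if __name__ == "__main__":
    domain = sys.argv[1]  # e.g. mydomain.com
    with open(f"/etc/letsencrypt/live/{domain}/cert.pem") as fh:
        disk = fh.read()
    served = fetch_served_pem(domain)
    print("on disk:", fingerprint(disk))
    print("served: ", fingerprint(served))
    if serving_renewed(disk, served):
        print("OK: the server presents the renewed certificate")
    else:
        print("STALE: server config points at another copy, or was not reloaded")
        sys.exit(1)
```

Run it as root (the live directory is not world-readable) after each renewal; a non-zero exit status makes it usable as the last step of the cron job.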


#3

Thanks @pfg

The “./installssl.pl mydomain.com” script is a copy of this - https://bitbucket.org/webstandardcss/lets-encrypt-for-cpanel-centos-6.x

In the end this wasn’t a problem with Let’s Encrypt. Instead, the installed Certificate in cPanel account for the domain.com needed updating with the newly generated certificate details.

It looks like when I originally installed this, I didn’t need to do this bit manually, the above script automated that part but isn’t capable of doing the renewal automation.

All sorted.

Thanks
Michael