Renewing an expired certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

nostalgiacomputing.com
I ran this command:
certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.nostalgiacomputing.com"

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for nostalgiacomputing.com


Please deploy a DNS TXT record under the name
_acme-challenge.nostalgiacomputing.com with the following value:

1XgraYz00NZSzUoJdYrSl5gionJ41QqgPjV-LO8g8oY

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/nostalgiacomputing.com-0002/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/nostalgiacomputing.com-0002/privkey.pem
    Your cert will expire on 2020-08-08. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):
Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version):
CentOS 7
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.3.0

I was a couple of days late in renewing. The renewal seems to have worked, but when I access www.nostalgiacomputing.com in Chrome or curl, I get a certificate expired notice.

Does it take some time for the certificate renewal to propagate?

1 Like

Hi @carylewis

if you use certonly, the new certificate is created, but not installed.

At a minimum, a restart of your webserver is required. Did you restart?

PS: Your certificate looks wrong, because with

-d "*.nostalgiacomputing.com"

you have a certificate that doesn't work with https://nostalgiacomputing.com/.

Create one certificate with two domain names:

-d "*.nostalgiacomputing.com" -d "nostalgiacomputing.com"

That works with the main domain and with every subdomain.

3 Likes
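
The name-coverage point in the reply above, as an added example that is not part of the thread or of certbot: a wildcard SAN stands for exactly one leftmost label, so it covers neither the bare domain nor deeper subdomains. The function names name_matches and covered_by are hypothetical, and the SAN lists passed to them are constructed from the two -d variants quoted in the thread.

```shell
#!/bin/sh
# Added example: which hostnames does a certificate's SAN list cover?
# Rule implemented: "*." in a SAN stands for exactly one non-empty label.

# name_matches HOST PATTERN -> status 0 if the SAN entry PATTERN covers HOST
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        '*.'*)
            suffix=${pat#\*}                    # e.g. ".nostalgiacomputing.com"
            case "$host" in
                *"$suffix") label=${host%"$suffix"} ;;
                *) return 1 ;;                  # bare domain lacks the ".suffix" tail
            esac
            [ -n "$label" ] || return 1         # wildcard needs a real label
            case "$label" in *.*) return 1 ;; esac   # one label only, no dots
            return 0 ;;
        *)  [ "$host" = "$pat" ] ;;             # non-wildcard: exact match
    esac
}

# covered_by HOST SAN... -> prints "covered" / "NOT covered", status 0 / 1
covered_by() {
    h=$1; shift
    for san in "$@"; do
        if name_matches "$h" "$san"; then
            echo "covered"; return 0
        fi
    done
    echo "NOT covered"; return 1
}

# Constructed SAN lists: the wildcard-only request, then the two-name request.
for h in www.nostalgiacomputing.com nostalgiacomputing.com; do
    printf '%-30s wildcard only: %-12s both names: %s\n' "$h" \
        "$(covered_by "$h" '*.nostalgiacomputing.com')" \
        "$(covered_by "$h" '*.nostalgiacomputing.com' nostalgiacomputing.com)"
done
```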

Thanks for the unbelievably fast reply!

Before reading your answer, I restarted apache and that solved the issue, doh!

2 Likes

You can add a “graceful restart” command to your certbot renewal request and have it triggered only when a cert is actually renewed (not just every time it checks).
Look into: --deploy-hook

Automation!

3 Likes
