Renewing Certificate but I still get old expiry date (Urgent!)


I renewed the certificate using the dry run command. I’ve mentioned the output of the command below - but when I check using SSLshopper or any SSL checking tool the expiry date still remains 9 days.

How do I resolve it?

My domain is:

I ran this command: sudo certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0


This doesn’t look like the full output of certbot when --dry-run is used. It should also give you a paragraph, congratulating you of a successful test run and advising you to remove the --dry-run option, so you’ll get a real certificate.


Oh, I see. Thank you for pointing that out.

I used this command now
certbot --apache certonly -n -d to renew it.

and got the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2019-05-18. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt:
    Donating to EFF:

But, I still don’t see the new expiry date when I check using SSLshopper


That is not the command certbot renew --dry-run without the --dry-run!

Now you haven’t renewed the certificate, but generated a second “lineage” for the same domain.

You just have to run certbot renew to renew a certificate.

1 Like

Thank you so much! I was confused with the commands. Won’t forget it. Cheers! :slight_smile: It worked.

1 Like

Please read the official documentation of certbot here:

Note: having two certificates ( as wel as could “confuse” your Apache. It probably only uses one of those certificate. Which one? I have no idea. Removing the second (‘extra’) certificate lineage could lead to Apache not working any longer, because it tries to load the certificates of the lineage.

1 Like

Noted. I checked my virtual host configuration. It points to the original one (checked the path of the key).

1 Like

Hi @ankushdas9

that’s impossible. --dry-run always creates a test certificate and doesn’t install it (because it’s not valide).

So if you use --dry-run, you can’t see a new certificate.


Yep. I got it now. Didn’t read the documentation carefully.

closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.