Renewing Certificate but I still get old expiry date (Urgent!)

#1

I renewed the certificate using the dry run command. I’ve mentioned the output of the command below - but when I check using SSLshopper or any SSL checking tool the expiry date still remains 9 days.

How do I resolve it?

My domain is: sxhssatyanagar.in

I ran this command: sudo certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/sxhssatyanagar.in.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sxhssatyanagar.in
http-01 challenge for www.sxhssatyanagar.in
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/sxhssatyanagar.in/fullchain.pem

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

#2

This doesn’t look like the full output of certbot when --dry-run is used. It should also give you a paragraph, congratulating you on a successful test run and advising you to remove the --dry-run option, so you’ll get a real certificate.

#3

Oh, I see. Thank you for pointing that out.

I used this command now
certbot --apache certonly -n -d domain1.com to renew it.

and got the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sxhssatyanagar.in
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/sxhssatyanagar.in-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/sxhssatyanagar.in-0001/privkey.pem
    Your cert will expire on 2019-05-18. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

But I still don’t see the new expiry date when I check using SSLshopper.

#4

That is not the command certbot renew --dry-run without the --dry-run!

Now you haven’t renewed the certificate, but generated a second “lineage” for the same domain.

You just have to run certbot renew to renew a certificate.

#5

Thank you so much! I was confused with the commands. Won’t forget it. Cheers! 🙂 It worked.

#6

Please read the official documentation of certbot here: https://certbot.eff.org/docs/using.html

Note: having two certificates (sxhssatyanagar.in as well as sxhssatyanagar.in-0001) could “confuse” your Apache. It probably only uses one of those certificates. Which one? I have no idea. Removing the second (‘extra’) sxhssatyanagar.in-0001 certificate lineage could lead to Apache not working any longer, because it tries to load the certificates of the sxhssatyanagar.in-0001 lineage.

#7

Noted. I checked my virtual host configuration. It points to the original one (checked the path of the key).

#8

Hi @ankushdas9

that’s impossible. --dry-run always creates a test certificate and doesn’t install it (because it’s not valid).

So if you use --dry-run, you can’t see a new certificate.

#9

Yep. I got it now. Didn’t read the documentation carefully.
