Renewing a certificate doesn't change the date

Hi everyone. I’m currently struggling to renew my certificate because each time I launch the command it renews it without changing the expiration date. The output shows that it worked, except the date is today.

My domain is: *.pandore.xyz

I ran this command: certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.pandore.xyz --manual --preferred-challenges dns-01 certonly --force-renewal

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
[…]

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/pandore.xyz/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/pandore.xyz/privkey.pem
    Your cert will expire on 2019-05-25. […]

My web server is (include version): nginx-1.12.2-2

The operating system my web server runs on is (include version): CentOS 7.6.1810

The version of my client is: 0.31.0

Because you use the certonly option, it makes the cert, but it doesn’t install the certificate into your nginx. Did you try reloading your nginx (sudo systemctl reload nginx)?
If that doesn’t fix it, try editing your nginx config to point at the certificate it needs.


Hi @Soraphiroth

You have created 5 identical certificates; that hits the limit ( https://check-your-website.server-daten.de/?q=pandore.xyz#ct-logs ).

CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE
931051309 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-05-25 20:33:44 | 2019-08-23 20:33:44 | *.pandore.xyz (1 entry) | duplicate nr. 5 | next Letsencrypt certificate: 2019-06-01 20:07:36
931051003 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-05-25 20:33:32 | 2019-08-23 20:33:32 | *.pandore.xyz (1 entry) | duplicate nr. 4 |
931027886 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-05-25 20:08:35 | 2019-08-23 20:08:35 | *.pandore.xyz (1 entry) | duplicate nr. 3 |
931027518 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-05-25 20:08:14 | 2019-08-23 20:08:14 | *.pandore.xyz (1 entry) | duplicate nr. 2 |
931026867 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-05-25 20:07:36 | 2019-08-23 20:07:36 | *.pandore.xyz (1 entry) | duplicate nr. 1 |
895787248 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-05-05 16:44:05 | 2019-08-03 16:44:05 | *.pandore.xyz (1 entry) | |

And certonly doesn’t install something, so your website uses the expired certificate:

CN=*.pandore.xyz, valid from 24.02.2019 to 25.05.2019, 1 day expired, *.pandore.xyz - 1 entry

Please don’t use --force-renewal, that’s often bad.

Use

certbot -d '*.pandore.xyz'

or

certbot -i nginx -d '*.pandore.xyz'

then Certbot should find the certificate and should ask, if you want to install it.

If not, install it manually.

PS: Your site doesn’t work, you have direct loops https -> https. Looks like a wrong redirect (not only port 80).
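Editor's note on the duplicate-certificate limit mentioned in the reply above. The limit is a sliding window: at most 5 certificates for the exact same set of names per 7 days, so the "next Letsencrypt certificate" time in the CT table is simply the oldest of the five issuances plus 7 days. The following script, added here and not part of the original thread or of Certbot, reproduces that computation from the "not before" timestamps quoted in the table (treated as UTC, which is an assumption) so you can check before running certbot whether an identical order will be rejected:

```python
from datetime import datetime, timedelta

# Let's Encrypt's duplicate-certificate limit at the time of this thread:
# at most 5 certificates for the exact same set of names per sliding 7-day window.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)

# Constructed from the CT-log table quoted in the thread: "not before" timestamps of
# the certificates issued for exactly {*.pandore.xyz}. Timezone (UTC) is assumed.
ISSUED = [
    datetime(2019, 5, 5, 16, 44, 5),
    datetime(2019, 5, 25, 20, 7, 36),
    datetime(2019, 5, 25, 20, 8, 14),
    datetime(2019, 5, 25, 20, 8, 35),
    datetime(2019, 5, 25, 20, 33, 32),
    datetime(2019, 5, 25, 20, 33, 44),
]


def parse(ts):
    """'YYYY-MM-DD HH:MM:SS' -> datetime (the format used in the CT table)."""
    return datetime.fromisoformat(ts)


def in_window(issued, now, window=WINDOW):
    """Issuances that still count against the limit at `now`, oldest first."""
    return sorted(t for t in issued if now - window < t <= now)


def remaining_before_limit(issued, now, limit=DUPLICATE_LIMIT, window=WINDOW):
    """How many more identical certificates can be ordered right now."""
    return max(0, limit - len(in_window(issued, now, window)))


def next_duplicate_slot(issued, now, limit=DUPLICATE_LIMIT, window=WINDOW):
    """None if an identical certificate can be issued at `now`; otherwise the
    earliest moment at which the oldest counted issuance leaves the window."""
    recent = in_window(issued, now, window)
    if len(recent) < limit:
        return None
    # The `limit`-th most recent issuance is the one that has to expire from the window.
    return recent[-limit] + window


if __name__ == "__main__":
    now = parse("2019-05-26 12:00:00")  # the day after the five duplicates
    print("counted in window:", len(in_window(ISSUED, now)))
    print("remaining:", remaining_before_limit(ISSUED, now))
    print("next slot:", next_duplicate_slot(ISSUED, now))
```

The 2019-05-05 certificate no longer counts on 2019-05-26 because it is older than seven days; the five issued on 2019-05-25 do, and the slot reopens at 2019-06-01 20:07:36, matching the table. Note that the same names issued by a renewal also count, which is why the reply warns against --force-renewal.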

This makes it look like certbot is confused about your certificates. What’s the output of certbot certificates and ls -lR /etc/letsencrypt?

Thanks for your replies.

My domain is perfectly fine. It doesn’t work actually because my certificate expired. I hit the 5 per week limit while trying to solve my problem.

Here are my outputs:

[root@proxy ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: pandore.xyz
Domains: *.pandore.xyz
Expiry Date: 2019-05-25 14:38:32+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/pandore.xyz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pandore.xyz/privkey.pem


[root@proxy ~]# ls -lR /etc/letsencrypt/
/etc/letsencrypt/:
total 36
drwx------ 3 root root 4096 Feb 24 12:07 accounts
drwx------ 4 root root 4096 Feb 24 15:38 archive
drwxr-xr-x 2 root root 4096 May 25 22:07 csr
drwx------ 2 root root 4096 May 25 22:07 keys
drwx------ 4 root root 4096 Feb 24 15:40 live
-rw-r--r-- 1 root root 1143 Feb 24 12:07 options-ssl-nginx.conf
drwxr-xr-x 2 root root 4096 May 25 21:37 renewal
drwxr-xr-x 5 root root 4096 Feb 24 12:07 renewal-hooks
-rw-r--r-- 1 root root 424 Feb 24 12:07 ssl-dhparams.pem

/etc/letsencrypt/accounts:
total 4
drwx------ 3 root root 4096 Feb 24 12:07 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 4
drwx------ 3 root root 4096 Feb 24 12:07 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 4
drwx------ 2 root root 4096 Feb 24 12:07 15723e13619371d1cce003f7d53fee05

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/15723e13619371d1cce003f7d53fee05:
total 12
-rw-r--r-- 1 root root 77 Feb 24 12:07 meta.json
-r-------- 1 root root 1632 Feb 24 12:07 private_key.json
-rw-r--r-- 1 root root 78 Feb 24 12:07 regr.json

/etc/letsencrypt/archive:
total 8
drwxr-xr-x 2 root root 4096 May 25 21:33 pandore.xyz
drwxr-xr-x 2 root root 4096 Feb 24 15:38 pandore.xyz-0001

/etc/letsencrypt/archive/pandore.xyz:
total 32
-rw-r--r-- 1 root root 1903 Feb 24 12:19 cert1.pem
-rw-r--r-- 1 root root 1907 May 25 21:33 cert2.pem
-rw-r--r-- 1 root root 1647 Feb 24 12:19 chain1.pem
-rw-r--r-- 1 root root 1647 May 25 21:33 chain2.pem
-rw-r--r-- 1 root root 3550 Feb 24 12:19 fullchain1.pem
-rw-r--r-- 1 root root 3554 May 25 21:33 fullchain2.pem
-rw------- 1 root root 1704 Feb 24 12:19 privkey1.pem
-rw------- 1 root root 1700 May 25 21:33 privkey2.pem

/etc/letsencrypt/archive/pandore.xyz-0001:
total 16
-rw-r--r-- 1 root root 1907 Feb 24 15:38 cert1.pem
-rw-r--r-- 1 root root 1647 Feb 24 15:38 chain1.pem
-rw-r--r-- 1 root root 3554 Feb 24 15:38 fullchain1.pem
-rw------- 1 root root 1704 Feb 24 15:38 privkey1.pem

/etc/letsencrypt/csr:
total 64
-rw-r--r-- 1 root root 928 Feb 24 12:08 0000_csr-certbot.pem
-rw-r--r-- 1 root root 920 Feb 24 12:18 0001_csr-certbot.pem
-rw-r--r-- 1 root root 924 Feb 24 14:50 0002_csr-certbot.pem
-rw-r--r-- 1 root root 924 Feb 24 14:50 0003_csr-certbot.pem
-rw-r--r-- 1 root root 924 Feb 24 15:29 0004_csr-certbot.pem
-rw-r--r-- 1 root root 924 Feb 24 15:35 0005_csr-certbot.pem
-rw-r--r-- 1 root root 940 Feb 24 15:42 0006_csr-certbot.pem
-rw-r--r-- 1 root root 924 May 5 17:41 0007_csr-certbot.pem
-rw-r--r-- 1 root root 924 May 5 17:44 0008_csr-certbot.pem
-rw-r--r-- 1 root root 924 May 25 21:07 0009_csr-certbot.pem
-rw-r--r-- 1 root root 924 May 25 21:08 0010_csr-certbot.pem
-rw-r--r-- 1 root root 924 May 25 21:08 0011_csr-certbot.pem
-rw-r--r-- 1 root root 924 May 25 21:33 0012_csr-certbot.pem
-rw-r--r-- 1 root root 924 May 25 21:33 0013_csr-certbot.pem
-rw-r--r-- 1 root root 924 May 25 21:37 0014_csr-certbot.pem
-rw-r--r-- 1 root root 924 May 25 22:07 0015_csr-certbot.pem

/etc/letsencrypt/keys:
total 64
-rw------- 1 root root 1704 Feb 24 12:08 0000_key-certbot.pem
-rw------- 1 root root 1704 Feb 24 12:18 0001_key-certbot.pem
-rw------- 1 root root 1704 Feb 24 14:50 0002_key-certbot.pem
-rw------- 1 root root 1704 Feb 24 14:50 0003_key-certbot.pem
-rw------- 1 root root 1704 Feb 24 15:29 0004_key-certbot.pem
-rw------- 1 root root 1704 Feb 24 15:35 0005_key-certbot.pem
-rw------- 1 root root 1704 Feb 24 15:42 0006_key-certbot.pem
-rw------- 1 root root 1704 May 5 17:41 0007_key-certbot.pem
-rw------- 1 root root 1708 May 5 17:44 0008_key-certbot.pem
-rw------- 1 root root 1704 May 25 21:07 0009_key-certbot.pem
-rw------- 1 root root 1704 May 25 21:08 0010_key-certbot.pem
-rw------- 1 root root 1704 May 25 21:08 0011_key-certbot.pem
-rw------- 1 root root 1708 May 25 21:33 0012_key-certbot.pem
-rw------- 1 root root 1700 May 25 21:33 0013_key-certbot.pem
-rw------- 1 root root 1704 May 25 21:37 0014_key-certbot.pem
-rw------- 1 root root 1704 May 25 22:07 0015_key-certbot.pem

/etc/letsencrypt/live:
total 12
drwxr-xr-x 2 root root 4096 May 25 21:33 pandore.xyz
drwxr-xr-x 2 root root 4096 Feb 24 12:19 pandore.xyz.bckp
-rw-r--r-- 1 root root 740 Feb 24 12:19 README

/etc/letsencrypt/live/pandore.xyz:
total 4
lrwxrwxrwx 1 root root 40 May 25 21:33 cert.pem -> ../../archive/pandore.xyz-0001/cert1.pem
lrwxrwxrwx 1 root root 41 May 25 21:33 chain.pem -> ../../archive/pandore.xyz-0001/chain1.pem
lrwxrwxrwx 1 root root 45 May 25 21:33 fullchain.pem -> ../../archive/pandore.xyz-0001/fullchain1.pem
lrwxrwxrwx 1 root root 43 May 25 21:33 privkey.pem -> ../../archive/pandore.xyz-0001/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 24 15:38 README

/etc/letsencrypt/live/pandore.xyz.bckp:
total 4
lrwxrwxrwx 1 root root 35 Feb 24 12:19 cert.pem -> ../../archive/pandore.xyz/cert1.pem
lrwxrwxrwx 1 root root 36 Feb 24 12:19 chain.pem -> ../../archive/pandore.xyz/chain1.pem
lrwxrwxrwx 1 root root 40 Feb 24 12:19 fullchain.pem -> ../../archive/pandore.xyz/fullchain1.pem
lrwxrwxrwx 1 root root 38 Feb 24 12:19 privkey.pem -> ../../archive/pandore.xyz/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 24 12:19 README

/etc/letsencrypt/renewal:
total 8
-rw-r--r-- 1 root root 577 Feb 24 15:38 pandore.xyz-0001.conf.bckp
-rw-r--r-- 1 root root 517 May 25 21:33 pandore.xyz.conf

/etc/letsencrypt/renewal-hooks:
total 12
drwxr-xr-x 2 root root 4096 Feb 24 12:07 deploy
drwxr-xr-x 2 root root 4096 Feb 24 12:07 post
drwxr-xr-x 2 root root 4096 Feb 24 12:07 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 0

/etc/letsencrypt/renewal-hooks/post:
total 0

/etc/letsencrypt/renewal-hooks/pre:
total 0
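Editor's note on reading the listing above. Certbot serves nothing from archive/ directly: nginx reads live/<name>/*.pem, and those are symlinks into archive/<lineage>/<base>N.pem, where N is the version number. In this listing live/pandore.xyz points at archive/pandore.xyz-0001/cert1.pem (the February certificate), while the certificates issued on May 25 landed in archive/pandore.xyz as cert2.pem, which no live symlink references. The script below, added here and not part of the thread or of Certbot, builds a throwaway copy of that tree (placeholder file contents, constructed to match the listing) and audits it the way you would audit a real /etc/letsencrypt: resolve each live symlink, check that it points into an archive lineage of the same name, and flag any newer version that exists on disk but is not linked.

```python
import os
import re
import tempfile
from pathlib import Path

# The four files certbot keeps per lineage under live/<name>/, each a symlink
# into archive/<lineage>/<base><N>.pem where N is the version number.
BASES = ("cert", "chain", "fullchain", "privkey")
VERSION_RE = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")


def latest_version(archive_dir):
    """Highest N among certN.pem files in one archive lineage directory (0 if none)."""
    versions = []
    for p in archive_dir.iterdir():
        m = VERSION_RE.match(p.name)
        if m and m.group(1) == "cert":
            versions.append(int(m.group(2)))
    return max(versions, default=0)


def audit_live(config_dir):
    """For every directory under live/, resolve its symlinks and list inconsistencies."""
    config_dir = Path(config_dir)
    archive_root = (config_dir / "archive").resolve()
    report = {}
    for live_dir in sorted(p for p in (config_dir / "live").iterdir() if p.is_dir()):
        problems, targets = [], {}
        for base in BASES:
            link = live_dir / f"{base}.pem"
            if not link.is_symlink():
                problems.append(f"{base}.pem is not a symlink")
                continue
            target = link.resolve()
            m = VERSION_RE.match(target.name)
            if m is None or target.parent.parent != archive_root:
                problems.append(f"{base}.pem points outside archive: {target}")
                continue
            targets[base] = (target.parent.name, int(m.group(2)))
        lineages = {t[0] for t in targets.values()}
        versions = {t[1] for t in targets.values()}
        if len(lineages) != 1 or len(versions) != 1:
            problems.append("live files do not all point at one archive lineage/version")
            report[live_dir.name] = {"lineage": None, "version": None, "problems": problems}
            continue
        lineage, version = lineages.pop(), versions.pop()
        if lineage != live_dir.name:
            problems.append(f"points at archive/{lineage}, not archive/{live_dir.name}")
        newest = latest_version(archive_root / lineage)
        if version < newest:
            problems.append(f"archive/{lineage} has cert{newest}.pem but live uses cert{version}.pem")
        own = archive_root / live_dir.name
        if lineage != live_dir.name and own.is_dir() and latest_version(own):
            problems.append(f"archive/{live_dir.name}/cert{latest_version(own)}.pem "
                            f"is not referenced by live/{live_dir.name}")
        report[live_dir.name] = {"lineage": lineage, "version": version, "problems": problems}
    return report


def build_sample_tree(root):
    """Constructed tree mirroring the ls -lR posted in the thread. File contents are
    placeholders, not real keys or certificates."""
    root = Path(root)
    for lineage, versions in (("pandore.xyz", (1, 2)), ("pandore.xyz-0001", (1,))):
        d = root / "archive" / lineage
        d.mkdir(parents=True)
        for v in versions:
            for base in BASES:
                (d / f"{base}{v}.pem").write_text(f"placeholder {lineage} {base}{v}\n")
    # live/pandore.xyz -> archive/pandore.xyz-0001/*1.pem, live/pandore.xyz.bckp ->
    # archive/pandore.xyz/*1.pem, exactly as in the listing.
    for live_name, (lineage, v) in (("pandore.xyz", ("pandore.xyz-0001", 1)),
                                    ("pandore.xyz.bckp", ("pandore.xyz", 1))):
        d = root / "live" / live_name
        d.mkdir(parents=True)
        for base in BASES:
            os.symlink(f"../../archive/{lineage}/{base}{v}.pem", d / f"{base}.pem")
    return root


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_live(tmp)


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"live/{name}: archive/{info['lineage']} version {info['version']}")
        for p in info["problems"]:
            print("   !", p)
```

Run it against a real config directory with audit_live("/etc/letsencrypt") as root. The check is deliberately independent of certbot certificates, which only reports what live/ currently links to; comparing that against what is actually in archive/ is what exposes a lineage that was renewed but never re-linked.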

Can you post what’s in your nginx config for that site?

Here’s my configuration:

server {
  server_name pandore.xyz *.pandore.xyz;
  # This return sits inside the 443 listener, so an https request for these names
  # is answered with a redirect back to https (the https -> https loop noted above).
  return 301 https://$host$request_uri;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pandore.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pandore.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

# Both map blocks below are commented out; their closing braces must be commented
# too, otherwise nginx rejects the file with an unexpected "}".
#map $remote_addr $proxy_forwarded_elem {
    # IPv4 addresses can be sent as-is
    #~^[0-9.]+$          "for=$remote_addr";
    # IPv6 addresses need to be bracketed and quoted
    #~^[0-9A-Fa-f:.]+$   "for=\"[$remote_addr]\"";
    # Unix domain socket names cannot be represented in RFC 7239 syntax
    #default             "for=unknown";
#}

#map $http_forwarded $proxy_add_forwarded {
    # If the incoming Forwarded header is syntactically valid, append to it
    #"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
    # Otherwise, replace it
    #default "$proxy_forwarded_elem";
#}

#server  {
#  listen  80;
#  server_name domo.pandore.xyz;
#  return 301 https://$host$request_uri;
#  location / {
#    proxy_pass http://x.x.x.x;
#  }
#}
server {
  listen 443 ssl;
  server_name domo.pandore.xyz;
  location / {
    proxy_pass http://x.x.x.x;
    proxy_set_header Host $host;
  }
}

server {
  listen 443 ssl;
  server_name cloud.pandore.xyz;
  location / {
    proxy_pass https://x.x.x.x;
    proxy_set_header Host $host;
  }
}

server {
    if ($host = pandore.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  listen [::]:80;
  server_name pandore.xyz *.pandore.xyz;
  return 404; # managed by Certbot
}

server {
  listen 443 ssl;
  server_name mine.pandore.xyz;
  location / {
    proxy_pass http://x.x.x.x;
    proxy_set_header Host $host;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  X-Forwarded-Proto https;
    proxy_set_header  X-Forwarded-For $remote_addr;
    # X-Forwarded-Host carries the requested host name, not the client address.
    proxy_set_header  X-Forwarded-Host $host;
    # $proxy_add_forwarded is only defined by the map block above; with that map
    # commented out nginx fails to start on an unknown variable, so keep this off too.
    #proxy_set_header  Forwarded $proxy_add_forwarded;
  }
}

Did you try restarting nginx?

Yes I tried, nothing happened.

Enter the /etc/letsencrypt/archive/pandore.xyz folder and overwrite each file that ends with 1 with the file of the same name that ends with 2,

like cp cert2.pem cert1.pem

It looks like it made certs, but the symlink for live didn’t work properly…

@schoen do you have any idea why certbot would fail to change the symlink in the live folder to the newest version?

I changed my *2.pem files to *1.pem and restarted nginx, but there’s still no change.

You for some reason have two settings for *.pandore.xyz.
Remove /etc/letsencrypt/live/pandore.xyz and rename (move) /etc/letsencrypt/live/pandore.xyz.bckp to /etc/letsencrypt/live/pandore.xyz, and delete /etc/letsencrypt/archive/pandore.xyz-0001 entirely.

It seems strange but… it works!? I don’t remember exactly why I created this backup (maybe because I started by declaring every subdomain I have but I changed my mind to *.pandore.xyz), but replacing the live folder with the backup worked; my certificate is valid and declared for *.pandore.xyz.

Maybe certbot was replacing the files in pandore.xyz.bckp and not pandore.xyz?

Where did the .bckp directories come from? Certbot didn’t create them (or, at least, I haven’t seen it do this on any system I run certbot on).

As I said I created it when I was modifying my old settings.