Renewing on Nginx with updated Certbot but still expired certificate

I just updated to the latest version of Certbot! (I love you guys)

I had an expired certificate, but couldn’t seem to update it successfully.

I’m able to successfully install a new certificate:

~/.local/share/letsencrypt/bin$ ~/.local/share/letsencrypt/bin/certbot-auto certonly \
 --webroot -w /etc/letsencrypt/webrootauth -d usfoodcoop.org -d staging.usfoodcoop.org
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/usfoodcoop.org/fullchain.pem

But Nginx seems to still be serving the old certificate at https://staging.usfoodcoop.org:

staging.usfoodcoop.org uses an invalid security certificate. The certificate expired on August 12, 2016 at 9:23 AM. The current time is August 26, 2016 at 6:32 PM. Error code: SEC_ERROR_EXPIRED_CERTIFICATE

Or maybe I’m misunderstanding how the certificates work. Is there a central database somewhere that the browsers check with?
I tried moving the old /etc/letsencrypt/ directory and creating a new directory:

mkdir -p /etc/letsencrypt/webrootauth

Ran the above cert command and now there are other directories:

drwx------ 3 root root 4096 Aug 26 16:22 accounts
drwx------ 3 root root 4096 Aug 26 16:26 archive
drwxr-xr-x 2 root root 4096 Aug 26 16:26 csr
drwx------ 2 root root 4096 Aug 26 16:26 keys
drwx------ 3 root root 4096 Aug 26 16:26 live
drwxr-xr-x 2 root root 4096 Aug 26 16:26 renewal
drwxr-xr-x 3 root root 4096 Aug 26 16:26 webrootauth

But Firefox is still getting the old certificate. I know it’s my ignorance at fault and am hoping someone can clue me in. Is there an Nginx config that might be pointing to the old certificate? I looked and there are only four .pem files on the server.

$ sudo find / -name "fullchain.pem"
/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/tests/testdata/live/sample-renewal/fullchain.pem
/home/michael/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/tests/testdata/live/sample-renewal/fullchain.pem
/opt/letsencrypt/certbot/tests/testdata/live/sample-renewal/fullchain.pem
/etc/letsencrypt/live/staging.usfoodcoop.org/fullchain.pem

(Plus now this one: /etc/oldletsencrypt/live/staging.usfoodcoop.org/fullchain.pem).

Enlighten me?

Asking the obvious question: did you restart / reload nginx so that it re-reads the config and gets the new certificate?

If restarting nginx doesn’t work, what location is defined for the certs in the nginx config? (typically in /etc/nginx… depending on your setup)

2 Likes
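The two checks suggested above (which certificate path the nginx config points at, and whether the running nginx actually serves the freshly issued certificate) can be scripted. The script below is an added example written for this thread, not code from Certbot or nginx: it lists every `ssl_certificate` / `ssl_certificate_key` path in a config file, flags paths that do not exist on disk (the symptom in this thread after the old `/etc/letsencrypt` was moved), and compares the SHA-256 fingerprint of the certificate file against the one the server presents for a hostname. The hostname, config path and the `/etc/letsencrypt/live/...` layout are assumptions; the live comparison needs `openssl` and network access.

```shell
#!/bin/sh
# Added example for this thread (not Certbot's or nginx's own code).
# Checks that nginx's ssl_certificate paths exist and that the cert nginx
# serves matches the cert file on disk; a mismatch after renewal usually
# means nginx was not reloaded or the config points at an old path.

# Print every ssl_certificate / ssl_certificate_key path in a config file.
# Comments are stripped first; the trailing ';' of the directive is dropped.
cert_paths() {
  sed -e 's/#.*//' "$1" | awk '
    $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
      sub(/;$/, "", $2); print $2
    }'
}

# Return 0 when every referenced path exists, 1 otherwise (missing ones
# are listed on stderr). Paths are assumed not to contain whitespace.
check_paths() {
  rc=0
  for p in $(cert_paths "$1"); do
    if [ ! -e "$p" ]; then
      echo "MISSING: $p (referenced in $1)" >&2
      rc=1
    fi
  done
  return $rc
}

# SHA-256 fingerprint of the certificate in a PEM file.
disk_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate the server presents for a hostname
# (SNI is sent so name-based virtual hosts answer with the right cert).
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare disk vs. served fingerprint; return 0 on match, 1 on mismatch.
compare_served() {
  host=$1
  file=$2
  d=$(disk_fingerprint "$file")
  s=$(served_fingerprint "$host")
  if [ -n "$d" ] && [ "$d" = "$s" ]; then
    echo "OK: $host serves the certificate in $file"
    return 0
  fi
  echo "MISMATCH: $host serves $s but $file is $d" >&2
  echo "          (reload nginx, or fix the ssl_certificate path)" >&2
  return 1
}

# Usage: ./cert-check.sh HOSTNAME NGINX_SITE_CONFIG
# Example (assumed values):
#   ./cert-check.sh staging.usfoodcoop.org /etc/nginx/sites-enabled/usfoodcoop
# Only runs when both arguments are given so the functions can be sourced.
if [ "$#" -ge 2 ]; then
  check_paths "$2" || exit 1
  for f in $(cert_paths "$2"); do
    case "$f" in
      *fullchain.pem|*cert.pem) compare_served "$1" "$f" || exit 1 ;;
    esac
  done
fi
```

After `certbot-auto certonly` issues a certificate under a new `live/<name>/` directory, the path check catches a config still pointing at the old directory, and the fingerprint check catches the case where the path is right but nginx has not been reloaded and is still holding the old certificate in memory.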

See? I knew it was something obvious.

I hadn’t remembered to restart nginx.

No such file or directory:fopen('/etc/letsencrypt/live/staging.usfoodcoop.org/fullchain.pem','r')

Updated the nginx sites-enabled config file:

ssl_certificate      /etc/letsencrypt/live/usfoodcoop.org/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/usfoodcoop.org/privkey.pem;

Now it’s working (after nginx restart).

Thanks a lot, man.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.