Site still missing the cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot-auto renew

It produced this output:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/ expires on 2020-05-08 (skipped)
/etc/letsencrypt/live/ expires on 2020-05-08 (skipped)
No renewals were attempted.

My web server is (include version): nginx

I renewed the cert, but the website is still missing it.
Renewal output

renew_before_expiry = 30 days

version = 1.2.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

authenticator = nginx
account = 2eb7b708af1bf4815e897cfabe830f21
server =

Your renewal configuration file is ‘missing’ an installer line. Perhaps you’ve used certbot-auto with the certonly method, which gives you a renewable certificate, but needs you to install the cert manually into the webserver. In that case, after renewal, nginx isn’t reloaded automatically. Most users use a deploy-hook to reload their webserver after renewal.


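The missing-installer condition described in the reply above can be checked mechanically. This is an added example, not part of the original thread and not certbot's own code: it assumes certbot's renewal file layout, in which the options listed after "Options used in the renewal process" sit in a `[renewalparams]` section and a `--deploy-hook` is stored as `renew_hook`. The function names, the sample file and its example.com values are constructed.

```shell
#!/bin/sh
# Added example: flag certbot lineages that renew but never reload the server.
# Assumed layout: options live under [renewalparams]; --deploy-hook is saved
# there as renew_hook. On a real host, pass /etc/letsencrypt/renewal/*.conf.

# Print the value of key $2 from the [renewalparams] section of file $1.
renewal_param() {
    awk -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Echo one verdict for file $1: ok-installer, ok-hook or no-reload.
audit_renewal_conf() {
    installer=$(renewal_param "$1" installer)
    hook=$(renewal_param "$1" renew_hook)
    post=$(renewal_param "$1" post_hook)
    # Treat a literal "None" as unset (defensive assumption).
    if [ -n "$installer" ] && [ "$installer" != "None" ]; then
        echo "ok-installer"      # certbot installs the cert and reloads itself
    elif [ -n "$hook$post" ]; then
        echo "ok-hook"           # a hook is expected to reload the server
    else
        echo "no-reload"         # renewed cert stays on disk, old one is served
    fi
}

# Constructed sample modelled on the file quoted in the thread.
sample=$(mktemp); fixed=$(mktemp)
trap 'rm -f "$sample" "$fixed"' EXIT
cat > "$sample" <<'EOF'
renew_before_expiry = 30 days
version = 1.2.0
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = nginx
account = 0000placeholder0000
server = https://acme.example/directory
EOF
cp "$sample" "$fixed"
echo "renew_hook = systemctl reload nginx" >> "$fixed"

for f in "$sample" "$fixed"; do
    printf '%s: %s\n' "$f" "$(audit_renewal_conf "$f")"
done
```
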
Hi @facildeanotar

You have created two certificates, one per domain name (non-www and www):

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2020-02-08 | 2020-05-08 | - 1 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2020-02-08 | 2020-05-08 | - 1 entries | duplicate nr. 1 | |

So install both with one command per domain name:

certbot --reinstall -i nginx
certbot --reinstall -i nginx

Certbot should find the matching certificate and should try to install it. Then restart your nginx.

I’m pretty sure reloading is the preferred method compared to restarting. With reloading there is no downtime.


Hi @JuergenAuer

Thanks a lot for your help.

I tried to run:
certbot --reinstall -i nginx
certbot --reinstall -i nginx

I get the output: sudo: certbot: command not found

Can you help me?

Use your certbot-auto.

I’m sorry to ask a lot. But I still can’t do it:

root@slidepipe-master:/etc/letsencrypt/live/ sudo certbot-auto -i nginx
/usr/local/bin/certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certbot: error: unrecognized arguments:

Yes, a -d flag is missing.

This is the output:

:/etc/letsencrypt/live# sudo certbot-auto certonly -n -d -d
/usr/local/bin/certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Missing command line flags. For non-interactive execution, you will need to specify a plugin on the command line.

@facildeanotar This isn’t going to work. From my perspective, it looks like you’re randomly mixing command line options without actually doing what @JuergenAuer recommends. For example, where does the certonly come from? That is exactly the opposite of -i nginx. Or the -n?

Honestly, I’m lost. I’m trying to solve the question, but I can’t.

As your nginx currently only serves the www subdomain certificate, which isn’t very good if someone would try to connect to, I would suggest just getting a brand new certificate covering both your hostnames:

sudo certbot-auto --nginx -d -d

how can I thank you?

worked!!! thank you so much!!!

a question: how do you know that my nginx just serves the subdomain certificate?

It did that, but now that you’ve got a certificate with both hostnames, there’s no certificate issue any longer. Also, your HTTP site redirected all non-encrypted traffic to the www subdomain with HTTPS, so normally users wouldn’t be bothered by a warning, as normally users would not end up to the HTTPS non-www hostname.

I tested the above with the command:

openssl s_client -connect -servername | openssl x509 -noout -text

Which shows the contents of the certificate provided by the webserver for the hostname earlier in the command.
