[Solved] Auto-Renewed Cert not applied by WordPress

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: thewyoming.net

I ran this command: N/A

It produced this output: N/A

My web server is (include version): linux

The operating system my web server runs on is (include version): linux Apache Version 2.2.34

My hosting provider, if applicable, is: Namecheap

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel

Installed original certificate in WordPress using the plugin “WP Encrypt”, all went well - certificate worked. WordPress dashboard notified me prior to expiration that the cert will be auto-renewed. Within plugin’s page… "Let’s Encrypt Certificate

Here you can manage the actual certificate.
Your certificate was last generated on September 13, 2017 at 6:15 am."

So it seems the certificate was auto-renewed, but browsers show it as expired.

Additional info: Firefox displays: "www.thewyoming.net uses an invalid security certificate. The certificate expired on September 18, 2017, 6:04 PM. The current time is September 18, 2017, 10:58 PM. Error code: SEC_ERROR_EXPIRED_CERTIFICATE"

Similar message in Safari.

https://crt.sh/?q=www.thewyoming.net

You have obtained a new certificate.

Most likely reason is that Apache needs a restart.

Turns out the hosting company does not support auto-renew of certs (shared server). Did not know that, and did nothing with notice from Let’s Encrypt of the upcoming renewal assuming certs renewal would be auto-renewed and server would be ok. So, how do I go about getting the new certs from Let’s Encrypt (which have already been renewed by LE)?

Did you do anything to renew your certificate? If not, it probably was renewed by cPanel and the problem is that your host somehow didn’t install it. You would still need help from their support somehow, even if they didn’t anticipate this behavior, because the new certificate would have been saved somewhere in the filesystem by cPanel, even if it’s not actually being used by the server.

This can conceivably happen if cPanel doesn’t have the necessary permissions to reconfigure or restart the web server, although I’m not familiar with exactly how cPanel integrates with web servers.

Let’s Encrypt does not renew any certificates without an explicit request from some kind of user software, so there is nothing to download from Let’s Encrypt associated with your renewal. (To put it another way, if you don’t already have the necessary files or know where they are, neither does Let’s Encrypt. A partial exception is if your renewal was performed using the same public key as the old certificate, in which case you can get the new certificate from Certificate Transparency logs. It appears that that’s true in your situation, so you could get a copy of your new certificate at https://crt.sh/?d=209467080 and use it together with your existing private key.)

This is becoming very confusing! Installing the certs for the first time went smoothly - no problems. The host company stated they do not allow auto updates of certs on their shared servers, and I would have to do it manually. Ok, that’s the rub, how to. Since the cert auto renewed, as shown in WordPress plugin WP-Encrypt dashboard, I made no attempt to do anything because I thought the auto-renew was a hands free operation, well, not so much.

So just now, I updated the cert via cPanel, then I had two certs, the old and the new. Deleted the old, and made the new cert Primary. And, browsers are still throwing warning, and showing the cert expired Sept 18 (the old cert).

I also just noticed that via FTP in the “/letsencrypt/live/thewyoming.net” folder the cert, chain, and fullchain pem files have the last modified dates of Sept 13, which would coincide with the date shown in the WordPress plugin dashboard. That would seem to indicate that the cert was in fact renewed and placed on the server. And it is the new cert, but since I just updated it via cPanel, I would think the Last Modified date would be today, Sept 19.

Wow! Still confusing. However, got it to work. Apparently there is a two step procedure in cPanel. I will do a follow up when I redo my efforts on another domain name. I may not have had to install the new cert because according to the Last Modified date on the server, the cert was actually placed there automatically. But, the process of making it the Primary cert may only be addressed via cPanel: find the new cert, and make it Primary.

I’ll let everyone know how I do on the next domain.

It's definitely supposed to be! It sounds from your experience like maybe cPanel's implementation could use a little more work.

Follow up: (Issue Resolved)

This relates to Let’s Encrypt certificate,
WordPress Site using WP Encrypt plugin,
On a Shared Server that host company does not allow auto cert update,
Using cPanel.

Let’s Encrypt (LE) sends out notification of upcoming cert expiration, WP-Encrypt plugin notifies user of this within WordPress main Dashboard. Keep in mind this scenario is relating to a host company that DOES NOT allow cert auto updates - you have to do it manually.

Even though LE sends the new cert (or the plugin retrieves it), it is on the server and the plugin recognizes it, BUT, the cert is NOT INSTALLED even though you can see the new cert via FTP on the server. Be sure to compare the Last Modified date with the one shown in the WP-Encrypt plugin dashboard.

Next, I needed to download the new cert.pem file to my computer, because cPanel did not see it (I assume this is part of the reason because it’s a shared server).

Now that cert.pem is on the computer, within cPanel I can easily upload it into the SSL/TLS | Certificates (CRT) page and use the “Choose a certificate file (*.crt)” link to upload the cert.pem file.

Now you will see the old cert and new cert listed on the “Certificates (CRT)” page. Under “Actions”, click on the Edit link for the new cert. You will see the new cert info listed. Now, you can click on the “Update Description” button, and hopefully you will get a success notification, OR if your cPanel displays Install for the new cert under Actions, you can simply click the install link and install the new cert.

That’s it - Yeah !!

You will still have the old cert listed along with the new cert - no problems. For housekeeping purposes you can delete the old cert.

Hope this helps anyone having similar hosting setup mentioned above.
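Added example, not part of the original posts: the thread turns on two checks, whether a renewed certificate pairs with the existing private key (the Certificate Transparency suggestion above) and whether the certificate actually in use is the renewed one rather than the expired one. The sketch below does both with the `openssl` CLI; the function names, file names and `example.test` are assumptions, and the certificates are self-signed stand-ins generated locally.

```shell
# Added example (not from the thread). Needs the openssl CLI.

# Succeeds only if the certificate ($1) was issued for the private key ($2).
# Fails closed if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate ($1) is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of the whole certificate; an old and a renewed
# certificate differ here even when they share the same key.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Leaf certificate a live server presents (needs network; not called here).
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Constructed sample data: self-signed stand-ins for the old and renewed
# certificates (same key, as in the thread) plus one made with another key.
demo_dir=$(mktemp -d)
mkcert() {  # mkcert OUTFILE DAYS KEY-OPTIONS...
    out=$1; days=$2; shift 2
    openssl req -x509 -new -nodes -subj "/CN=example.test" -days "$days" \
        -out "$demo_dir/$out" "$@" 2>/dev/null
}
mkcert old.pem 1 -newkey rsa:2048 -keyout "$demo_dir/privkey.pem"
mkcert renewed.pem 90 -key "$demo_dir/privkey.pem"
mkcert other.pem 90 -newkey rsa:2048 -keyout "$demo_dir/other.key"

week=604800
cert_matches_key "$demo_dir/renewed.pem" "$demo_dir/privkey.pem" &&
    echo "renewed cert pairs with the existing private key"
cert_valid_for "$demo_dir/old.pem" "$week" ||
    echo "old cert expires within a week"
```

Against a live site, the output of `served_cert` saved to a file can be passed to `cert_fingerprint` and compared with the fingerprint of the `cert.pem` on disk; a mismatch means the server is still presenting a different certificate.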

Thanks for the writeup! I went ahead and edited the title on your post to reflect that the issue was resolved, and also to make it a bit more specific so anyone searching for similar issues in the future might be more likely to stumble across this thread.
