(Solved) Certificate Not Working

My domain is: tricitiesmediagroup.com

I ran this command: “certbot renew --apache” which said there were no certificates needing renewal and then I ran “certbot certonly --force-renew -d tricitiesmediagroup.com” and it appeared to have successfully force renewed the certificate.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Issue: My website, tricitiesmediagroup.com, is still displaying an old certificate and causing https not to work even after attempting to force renew it. Any ideas? Thank you in advance!

There have been a number of certificates issued recently:

https://crt.sh/?Identity=%tricitiesmediagroup.com&exclude=expired

(Note that they’re listed twice for Certificate Transparency $reasons, but still.)

Certbot’s certonly command issues a certificate, but Apache needs to be reloaded or restarted in order to use it.

Does it help if you run “sudo apache2ctl graceful”?

It’s unrelated, but do you know why a certificate is being issued once a month? It’s typical for Certbot to renew certificates every 60 days, not every 30. How was Certbot installed? How is it configured to renew certificates? What timers or cron jobs are set up?


Hi @mackenly

that's a bad configuration. --force-renew renews the certificate, but without installing it / restarting the server the new one isn't used. Now you have hit the limit:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-09-30 | 2019-12-30 | tricitiesmediagroup.com, www.tricitiesmediagroup.com - 2 entries | duplicate nr. 5 | next Letsencrypt certificate: 2019-10-03 05:04:34 |
| Let's Encrypt Authority X3 | 2019-09-29 | 2019-12-28 | tricitiesmediagroup.com, www.tricitiesmediagroup.com - 2 entries | duplicate nr. 4 | |
| Let's Encrypt Authority X3 | 2019-09-29 | 2019-12-28 | plesk.tricitiesmediagroup.com - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-09-29 | 2019-12-28 | tricitiesmediagroup.com, www.tricitiesmediagroup.com - 2 entries | duplicate nr. 3 | |
| Let's Encrypt Authority X3 | 2019-09-29 | 2019-12-28 | tricitiesmediagroup.com, www.tricitiesmediagroup.com - 2 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2019-09-26 | 2019-12-25 | tricitiesmediagroup.com, www.tricitiesmediagroup.com - 2 entries | duplicate nr. 1 | |

It's simply the incomplete command. Your https + www shows the old certificate, your https + non-www has a timeout.

What says

apachectl -S

@JuergenAuer After running that command I get this:

@mnordhoff After running:

It doesn't appear to do anything. Or at least nothing is shown in the terminal, so I assume it did something because there wasn't an error.

I'm not sure @mnordhoff . I'm using the one-click WordPress install on the Digital Ocean Marketplace without any modifications to anything. As for crons I'd assume just what comes default for Certbot 0.26.1.

I have made several tries to renew the certificate within the past few days so that's probably why it has reached the quota @JuergenAuer. When does the limit reset or do I need it to?

I ran:
$ sudo service apache2 restart
but it didn't change anything so I restarted the whole server which also didn't change anything.

Now you use the correct and new certificate - https://check-your-website.server-daten.de/?q=tricitiesmediagroup.com

The certificate

CN=tricitiesmediagroup.com | 01.10.2019 | 30.12.2019 | expires in 90 days | tricitiesmediagroup.com, www.tricitiesmediagroup.com - 2 entries

has both domain names and is new, created today.

Both connections

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://tricitiesmediagroup.com/ 167.71.173.96, No GZip used - 348 / 420 - 82,86 % possible | 200, Html is minified: 102,69 % | | 0.220 | H |
| http://www.tricitiesmediagroup.com/ 167.71.173.96, No GZip used - 348 / 420 - 82,86 % possible | 200, Html is minified: 102,69 % | | 0.217 | H |
| https://tricitiesmediagroup.com/ 167.71.173.96 | 301 | https://www.tricitiesmediagroup.com/ | 3.150 | B |
| https://www.tricitiesmediagroup.com/ 167.71.173.96, GZip used - 11674 / 51997 - 77,55 %, Inline-JavaScript (∑/total): 14/11644, Inline-CSS (∑/total): 3/551 | 200, Html is minified: 156,59 % | | 2.796 | B |

are working, there is no certificate error visible.

PS: Only thing: You may add a redirect http -> https. Check the output of the online tool, there is a rewrite.


Awesome, I just checked and it’s all fixed! Thank you, @JuergenAuer and @mnordhoff


How did you install Certbot? If you’re using the apt package, there’s a systemd timer that runs twice a day, renewing certificates when necessary. (There may also be a disarmed cron job.)

The fact that your certificate is getting renewed twice as often as normal suggests that something is off – maybe you have two certificates, or maybe there’s a second timer or cron job that’s running a different command to forcibly renew them.

What’s the output of “sudo certbot certificates”?

What do the configuration file(s) in /etc/letsencrypt/renewal/ contain?

Certbot can be configured to automatically gracefully reload Apache after renewing certificates. If you use certbot --apache without certonly when creating the certificate, Certbot will configure Apache to use it, and will also automatically reload Apache when renewing. You can also set up a deploy hook to do so, for example by using the --deploy-hook command line option when initially creating the certificate, or by putting a script in /etc/letsencrypt/renewal-hooks/deploy/.
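
The deploy-hook approach described above, together with the reload advice earlier in the thread, as an added example that is not part of any post here and not Certbot's own code: a hook script that reloads Apache only if its configuration parses, then checks that the server actually presents the renewed certificate. The file name reload-apache.sh, the APACHECTL override variable and the function names are assumptions of this example; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the thread). Deploy hook for Certbot; install as an
# executable file in /etc/letsencrypt/renewal-hooks/deploy/ (the file name
# reload-apache.sh is an assumption). Certbot runs deploy hooks only after a
# certificate was actually renewed and exports RENEWED_LINEAGE/RENEWED_DOMAINS.

# Command used to control Apache; overridable so the logic can be tested
# without a real server (the APACHECTL variable is this example's invention).
APACHECTL="${APACHECTL:-apache2ctl}"

# Fingerprint of the leaf certificate in a PEM file (.../live/<name>/cert.pem).
disk_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Fingerprint of the certificate the server presents for host $1 (SNI), port 443.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Validate the configuration first; reload only if it parses.
reload_apache() {
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        echo "deploy hook: configtest failed, Apache not reloaded" >&2
        return 1
    fi
    "$APACHECTL" graceful || return 2
}

# Succeeds only when both fingerprints are non-empty and identical, so a
# timeout or failed handshake (empty fingerprint) counts as a mismatch.
same_certificate() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Run the hook body only when invoked by Certbot (it sets RENEWED_LINEAGE).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_apache || exit 1
    sleep 2                              # give the new workers time to start
    host=${RENEWED_DOMAINS%% *}          # first name on the certificate
    if same_certificate "$(served_fingerprint "$host")" \
                        "$(disk_fingerprint "$RENEWED_LINEAGE/cert.pem")"; then
        echo "deploy hook: $host now serves the renewed certificate"
    else
        echo "deploy hook: $host still serves a different certificate" >&2
        exit 3
    fi
fi
```

A non-zero exit from the hook is reported by Certbot in its renewal output, which makes a stale certificate visible without repeated forced renewals that consume the duplicate-certificate limit.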

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.