SSL certificate renewed but browsers not updating with new certificate

I have little to no experience in setting this stuff up so I answered the following as best I can.
From what I can tell, my SSL certificates are auto-renewing but browsers are not updating with the new certificates. I need help figuring out how to force browsers to get the new certificates.

My domain is: vestasit.com

I ran this command: sudo certbot certificates

It produced this output:
Found the following certs:
Certificate Name: vestasit.com
Domains: vestasit.com www.vestasit.com
Expiry Date: 2020-09-17 00:02:08+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/vestasit.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vestasit.com/privkey.pem

My web server is (include version): One-Click OpenLiteSpeed WordPress Server (I think…?)

The operating system my web server runs on is (include version): LiteSpeed (don’t know the version)

My hosting provider, if applicable, is: Google Cloud Platform

I can login to a root shell on my machine (yes or no, or I don’t know): I can SSH into it (so I think yes)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Thank you!

Hi @icykoala,

Did you restart or reload your LiteSpeed instance after renewing? Most web server applications don’t monitor for certificate file changes on disk, so they have to be told when those files have changed.


I thought I had added a line in the crontab that would restart the server after renewing but it didn’t work. So I changed it a few days ago but it still hasn’t updated on browsers. I’m just not sure how to automate the server restart.

When I sudo crontab -e I added this line (about 3 months ago) which I got from https://onepagezen.com/letsencrypt-auto-renew-certbot-apache/#step4:
45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew && /etc/init.d/apache2 restart

I assumed that the “&& /etc/init.d/apache2 restart” would restart the server but I guess it didn’t.

A few days ago I changed the above line to:
45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew && --deploy-hook "/usr/local/lsws/bin/lswsctrl restart"

But it still hasn’t updated on browsers. I just have no idea how to automate a server restart.

The && separates distinct shell commands, but --deploy-hook is an option to ./certbot-auto here so it doesn't belong in its own command. (You can't just run --deploy-hook by itself on the command line, which is effectively what this crontab entry is trying to do.) The corrected version would be

45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew --deploy-hook "/usr/local/lsws/bin/lswsctrl restart"

This is more likely to work. :slight_smile:

Also, note that certbot renew only attempts to renew certificates that are less than 30 days from expiry. Therefore, it can be run quite frequently in most configurations without causing any harm. Your command above tries to run it only once per week, but we normally suggest running it twice per day. It won't try actually to renew your certificates twice per day unless there is some other kind of misconfiguration that causes all of the renewals to fail.

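The mistake corrected in the reply above, as an added example that is not part of the original thread: a small lint that finds an option left stranded as its own command after "&&" in a crontab entry. The function name and output wording are assumptions made for this example; the two sample entries are the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): lint a crontab entry for an option that
# has been cut off from its command by "&&", as with --deploy-hook above.
# Naive by design: it does not understand "&&" inside quoted strings.

# Constructed samples: the two crontab lines quoted in this thread.
BROKEN='45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew && --deploy-hook "/usr/local/lsws/bin/lswsctrl restart"'
FIXED='45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew --deploy-hook "/usr/local/lsws/bin/lswsctrl restart"'

# Print every "&&"-separated segment of the entry's command that starts with
# "-". Exit status is 1 if any such segment exists, 0 if the entry is clean.
find_stranded_options() {
    printf '%s\n' "$1" | awk '
        {
            # Drop the five schedule fields: minute hour day month weekday.
            for (i = 1; i <= 5; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            # cron hands the rest to the shell, which splits it at "&&".
            n = split($0, seg, /&&/)
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", seg[i])
                if (seg[i] ~ /^-/) {
                    print "runs as its own command: " seg[i]
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }'
}

# Demo: report each sample entry.
for entry in "$BROKEN" "$FIXED"; do
    if find_stranded_options "$entry"; then
        printf 'ok: %s\n' "$entry"
    fi
done
```

A flagged entry means the hook never reaches certbot, so the web server keeps serving the old certificate even though the files on disk were renewed.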

Thank you so much, schoen! I will update my crontab with the corrected version.

How do you know it’s only checking for renewals once per week and how do I get it to check twice per day?

The crontab fields are minute, hour, day, month, day of week, command. That

45 ā† minute
2 ā† hour
* ā† day
* ā† month
6 ā† day of week

So your time specification means "at 2:45 a.m. every Saturday".

What we've normally used is something more like

0 */12 * * *

which means "every twelve hours" (though we normally also combine that with some kind of randomized sleep command so that not everyone in the world tries to renew at the exact same minute!).

You’ve been so helpful schoen, thank you so much!
