Please fill out the fields below so we can help you better.
I ran this command: sudo letsencrypt renew
It produced this output: The following certs are not due for renewal yet:
/etc/letsencrypt/live/.com/fullchain.pem (skipped)
No renewals were attempted.
My operating system is (include version): Ubuntu 16.10.1
My web server is (include version): Apache2
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no - direct ssh
I can’t for the life of me figure out why the renewal attempt says certs are not due for renewal but ssllabs clearly shows certs expired over a month ago. I’ve confirmed that there is only a single folder in my /etc/letsencrypt/live folder and it has the expected cert, chain, fullchain and privkey.
Guess I should have clarified in my first post. Apache has been reloaded. I’ve even rebooted the server. There are no other certs on this server as it’s a brand new server setup and I’m trying to register the cert for the new server.
Yeah, this one is seriously stumping me. It’s a new server that I’m moving an existing domain to. The domain was successfully registered on a different server, but it simply didn’t have the resources I needed, so I installed a new server and tried to get certs set up.
The last modified date of the cert file is today (Feb 22). The /etc/letsencrypt/live/mydomain.com/ folder has links that point to an archive folder for each of the 4 files. The archive folder path is /etc/letsencrypt/archive/mydomain.com/ and inside this archive folder, I can find all 4 of the expected files. They also have a modified date of today (Feb 22).
Apache config file has the following… (these are the only entries for certs and there is no other virtual host setup)
Everything I look at tells me this should be working.
I thought maybe it was related to HSTS, so I removed the domain from my browser’s HSTS and restarted the server, and I’m still getting the same thing. Since I am seeing expired certs through various browsers as well as ssllabs, my assumption is that the certs are in fact expired and there is something broken with the letsencrypt renew process.
I checked with the guys running network security and they apparently forgot to make the appropriate changes on the Sophos UTM. They use Sophos as a WAF and it serves as the proxy. When certs renew, they also need to renew the cert loaded to Sophos. They forgot to do this even though I checked and confirmed before doing all this.
Not sure how that would have resolved anything since you would have seen exactly what I was seeing…an expired cert warning. But in any case, this was very helpful. Thanks for walking through this.
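The situation in this thread (a renewed certificate on disk, an expired one on the wire because a proxy terminates TLS with its own copy) can be confirmed by comparing fingerprints. The script below is an added example, not part of the original thread; the function names, the script name check.sh and the domain example.test are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: is the certificate clients receive the one certbot renewed on disk?

# Read a PEM certificate on stdin, print "<sha256 fingerprint>|<notAfter>".
cert_summary() {
    local out
    out=$(openssl x509 -noout -fingerprint -sha256 -enddate 2>/dev/null) || return 2
    printf '%s|%s\n' \
        "$(printf '%s\n' "$out" | sed -n 's/^.*Fingerprint=//p')" \
        "$(printf '%s\n' "$out" | sed -n 's/^notAfter=//p')"
}

# Fetch the leaf certificate presented at host:port (whatever terminates TLS there).
served_cert() {  # $1 = host, $2 = port (default 443)
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Compare two PEM files: $1 = certbot's copy, $2 = certificate captured from the wire.
compare_certs() {
    local disk served
    disk=$(cert_summary <"$1") || { echo "ERROR: cannot parse $1"; return 2; }
    served=$(cert_summary <"$2") || { echo "ERROR: cannot parse $2"; return 2; }
    if [ "${disk%%|*}" = "${served%%|*}" ]; then
        echo "MATCH: clients get the certificate on disk (notAfter ${disk#*|})"
    else
        echo "MISMATCH: disk notAfter=${disk#*|}, served notAfter=${served#*|}"
        return 1
    fi
}

# Constructed sample input: a throwaway self-signed certificate written to $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 30 -subj "/CN=example.test" 2>/dev/null
}

# Live use (hypothetical names):
#   ./check.sh example.test /etc/letsencrypt/live/example.test/cert.pem
if [ "$#" -eq 2 ]; then
    wire=$(mktemp)
    served_cert "$1" >"$wire"
    compare_certs "$2" "$wire"
fi
```

A MISMATCH while `letsencrypt renew` reports nothing due means the expired certificate lives on another TLS endpoint in front of the server (here, the WAF), not in /etc/letsencrypt.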