My certificate has expired and I tried renewing it, but that doesn't work for me.
Using Ubuntu and Apache2.
I used
sudo letsencrypt renew
The output was:
[...]
The following certs were successfully renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (success)
[...]
new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/mydomain.com/fullchain.pem
[...]
Then I restarted my Apache using:
sudo service apache2 restart
But I still get an error and the old certificate, which expired 2 days ago: "The certificate expired on February the 15th 2017…" (sec_error_expired_certificate).
I double-checked the paths to the pem files in the config files (/etc/letsencrypt/renewal/mydomain.com.conf and apaches/sites-enabled/mydomain.conf). The paths are correct.
If I use
sudo ls -l
in the live directory, all the pem files have the correct date (February 17th).
Setting up a new certificate still works. Just renewing does not work.
If you did an ls -l, you also saw that the files in the live directory are symbolic links pointing to certificates in the /archive/ directory. Could you check that dir as well? Especially, of course, the files the symlinks in live are pointing at.
Wow, thank you very much! The symbolic links were wrong.
The archive-folders were pretty messed up:
First: Somehow in archive/ were mydomain.com and mydomain.com-0001
The files in /live/ were linked to the 0001 folder. The dates of the *.pem files within the -0001 folder were from November.
Second: In the mydomain.com folder (not 0001) the *.pem files were doubled: cert1.pem and cert2.pem (etc.). And only the *2.pem files were the newly built ones.
I have no idea how or why this got messy like that.
My solution was simple and fast: just fix the symbolic links:
# Remove the old symbolic link
sudo rm /etc/letsencrypt/live/mydomain.com/privkey.pem
# Create the new symbolic link
sudo ln -s /etc/letsencrypt/archive/mydomain.com/privkey2.pem /etc/letsencrypt/live/mydomain.com/privkey.pem
Thank you so much Osiris for your help! That saved me a lot of time
That sometimes happens if you add another FQDN to an existing certificate without the --expand switch.
That's normal behaviour. certbot will leave the existing (old) cert/keys in the archive (hence the name "archive" ;)) and create new keys/certificates with n+1 where n is the number of the current certificate when renewing.
But I'm glad you fixed it! You should check your renewal file in /etc/letsencrypt/renewal/ to see if the locations at the top point to the correct folder. I see you don't want to use the -0001 folder, so the renewal file should reflect that. But as you say the newest certificates are currently situated in the folder without the -0001 part, I reckon the renewal file will reflect that as well.
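Added example, not part of this thread or of certbot itself: a small POSIX shell check for the situation described above. It verifies that each symlink in live/<name>/ resolves to the highest-numbered file of the same kind in archive/<name>/ (the n+1 scheme explained in the reply) and prints the expiry date of the fullchain Apache would actually serve. The base directory and lineage name are assumed parameters (normally /etc/letsencrypt and mydomain.com or mydomain.com-0001).

```shell
#!/bin/sh
# Added diagnostic, not part of certbot: verify that every symlink in
# <base>/live/<name>/ resolves to the highest-numbered file of the same
# kind in <base>/archive/<name>/ (cert1.pem, cert2.pem, ...).
# <base> is normally /etc/letsencrypt; <name> is the lineage name from the
# renewal file (mydomain.com, or mydomain.com-0001 when a duplicate exists).
check_live_links() {
  base="$1"; name="$2"; rc=0
  for f in cert chain fullchain privkey; do
    link="$base/live/$name/$f.pem"
    if [ ! -L "$link" ]; then
      echo "PROBLEM: $link is not a symlink"; rc=1; continue
    fi
    # Pick the archive file with the largest numeric suffix (plain ls order
    # would put cert10.pem before cert2.pem, so compare the numbers instead).
    newest=""; best=-1
    for cand in "$base/archive/$name/$f"*.pem; do
      [ -e "$cand" ] || continue
      n=${cand##*/}; n=${n#"$f"}; n=${n%.pem}
      case "$n" in ''|*[!0-9]*) continue ;; esac
      if [ "$n" -gt "$best" ]; then best=$n; newest=$cand; fi
    done
    if [ -z "$newest" ]; then
      echo "PROBLEM: no $f*.pem found in $base/archive/$name/"; rc=1; continue
    fi
    # -ef follows the symlink and compares inodes, so certbot's relative
    # targets (../../archive/<name>/cert2.pem) are handled without readlink -f.
    if [ "$link" -ef "$newest" ]; then
      echo "OK:    $link -> $(readlink "$link")"
    else
      echo "STALE: $link -> $(readlink "$link") (newest is $newest)"; rc=1
    fi
  done
  return $rc
}

# Show the notAfter date of the chain Apache will serve (needs openssl).
cert_end_date() {
  openssl x509 -noout -enddate -in "$1/live/$2/fullchain.pem"
}

if [ "$#" -ge 2 ]; then
  check_live_links "$1" "$2" && cert_end_date "$1" "$2"
fi
```

Run it as `sh check-links.sh /etc/letsencrypt mydomain.com`; a non-zero exit with a STALE line is exactly the mismatch the original poster found, and the renewal file under /etc/letsencrypt/renewal/ should then be checked as the reply suggests.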