Still old certificate after using renew

Hello,

My certificate has expired and I tried renewing it, but that doesn't work for me.
Using Ubuntu and Apache2.

I used

sudo letsencrypt renew

The output was:

[...]
The following certs were successfully renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (success)
[...]
new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/mydomain.com/fullchain.pem
[...]

Then I restarted my Apache using:

sudo service apache2 restart

But I still get an error and the old certificate, which expired 2 days ago: "The certificate expired on February the 15th 2017…" (sec_error_expired_certificate).

I double checked the paths to the pem files in the config files (/etc/letsencrypt/renewal/mydomain.com.conf and apaches/sites-enabled/mydomain.conf). The paths are correct.
If I use

sudo ls -l

in the live directory, all the pem files have the correct date (February 17th).

Setting up a new certificate still works. Just renewing does not work.

Any suggestions that might fix the problem?

Thank you!
regards
hansrouge

If you did a ls -l, you also saw that the files in the live directory are symbolic links pointing to certificates in the /archive/ directory. Could you check that dir as well? Especially of course the files the symlinks in live are pointing at :wink:

Wow, thank you very much! The symbolic links were wrong.

The archive folders were pretty messed up:
First: Somehow in archive/ there were both mydomain.com and mydomain.com-0001.
The files in /live/ were linked to the -0001 folder. The dates of the *.pem files within the -0001 folder were from November.

Second: In the mydomain.com folder (not -0001) the *.pem files were doubled: cert1.pem and cert2.pem (etc.). And only the *2.pem files were the newly built ones.

I have no idea how or why this got messy like that.
My solution was simple and fast: just fix the symbolic links:

# Remove the old symbolic link
sudo rm /etc/letsencrypt/live/mydomain.com/privkey.pem
# Create the new symbolic link
sudo ln -s /etc/letsencrypt/archive/mydomain.com/privkey2.pem /etc/letsencrypt/live/mydomain.com/privkey.pem

Thank you so much Osiris for your help! That saved me a lot of time :blush:

Kind regards
hansrouge


That sometimes happens if you add another FQDN to an existing certificate without the --expand switch.

That's normal behaviour. certbot will leave the existing (old) cert/keys in the archive (hence the name "archive" ;)) and create new keys/certificates with n+1 where n is the number of the current certificate when renewing.

But I'm glad you fixed it! You should check your renewal file in /etc/letsencrypt/renewal/ to see if the locations at the top point to the correct folder. I see you don't want to use the -0001 folder, so the renewal file should reflect that. But as you say the newest certificates are currently situated in the folder without the -0001 part, I reckon the renewal file will reflect that as well.

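The check Osiris describes, done the same way for all four files at once, as an added example that is not part of this thread or of certbot: for each symlink in live/<domain>/ it looks up the highest-numbered file of the same name in archive/<domain>/ (the file the most recent renewal wrote) and reports any link that points elsewhere. The directory layout built by make_demo_tree is constructed for the demonstration; the function and path names are this example's own.

```shell
#!/bin/sh
# Added example: verify that each symlink in a certbot-style live/<domain>/
# directory points at the highest-numbered archive/<domain>/ file of the same
# name (certN.pem with the largest N). Absolute and relative targets are both
# handled. Exit status 1 if any link is stale, so it can gate a reload.

canon() {  # absolute physical path of a file, resolving directory symlinks
  ( cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")" )
}

check_live_links() {  # usage: check_live_links <letsencrypt dir> <domain>
  base="$1"; domain="$2"; stale=0
  for name in cert chain fullchain privkey; do
    link="$base/live/$domain/$name.pem"
    if ! target=$(readlink "$link"); then
      echo "$name.pem: missing or not a symlink"; stale=1; continue
    fi
    newest=""; max=-1   # choose e.g. privkey2.pem over privkey1.pem
    for f in "$base/archive/$domain/$name"[0-9]*.pem; do
      [ -e "$f" ] || continue
      n=${f##*/}; n=${n#"$name"}; n=${n%.pem}
      if [ "$n" -gt "$max" ]; then max=$n; newest=$f; fi
    done
    case "$target" in /*) abs="$target" ;; *) abs="$(dirname "$link")/$target" ;; esac
    if [ -n "$newest" ] && [ "$(canon "$abs")" = "$(canon "$newest")" ]; then
      echo "$name.pem -> $target (current)"
    else
      echo "$name.pem -> $target (STALE; newest archive file: ${newest:-none})"; stale=1
    fi
  done
  return $stale
}

make_demo_tree() {  # constructed layout mirroring the thread's situation
  d=$(mktemp -d); a="$d/archive/mydomain.com"; l="$d/live/mydomain.com"
  mkdir -p "$a" "$l"
  for name in cert chain fullchain privkey; do
    printf 'old\n' > "$a/${name}1.pem"; printf 'new\n' > "$a/${name}2.pem"
    ln -s "../../archive/mydomain.com/${name}2.pem" "$l/$name.pem"
  done
  ln -sf "$a/privkey1.pem" "$l/privkey.pem"   # one link still on the old key
  echo "$d"
}
```

Run it against a real installation as `check_live_links /etc/letsencrypt mydomain.com`; a STALE line means Apache keeps serving the old file after `certbot renew` even though the new one exists in archive/.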
