Updated certificates not recognized by browsers

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hds.addhaptics.com

I ran this command: certbot-auto certonly

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/hds.addhaptics.com-0002/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/hds.addhaptics.com-0002/privkey.pem
    Your cert will expire on 2019-11-05. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

My web server is (include version): apache2
Server version: Apache/2.4.7 (Ubuntu)
Server built: Apr 18 2018 15:36:26
The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no, commandline

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
/etc/letsencrypt/bin# ./certbot-auto certonly
Upgrading certbot-auto 0.34.0 to 0.37.0…
Replacing certbot-auto…

I just renewed my server certificate and I can see it has been updated on your site:

I have tried 3 browsers (Safari, IE, Chrome) across 2 geographies (I’m in Switzerland and colleagues in Canada) but all are showing that the certificate is still expired. This is not a site that we use regularly so it should not be cached by our browsers but we tried clearing the cache anyway but the certificate still comes up as expired.

Any ideas on what the issue could be ? Our software application depends on pinging this web server to start so until this is fixed, we are stuck.

Hi @greanie

you use certonly. Did you restart your Apache? That’s required to use the new certificate.

1 Like

Hi @JuergenAuer

Thank you for the input.

Is the certificate cached by Apache? I expect that that is managed through server settings, I’ll have to check again how I set it up, it has been a while.

I did wait a few hours yesterday before writing my post but the problem resolved itself overnight. I typically use certonly but it has been a while since I read the manual on the specifics of what that means. I guess I need to read it again. In the past, once I renewed the certificate, the update was almost instant at the browser, and our application, was almost instant. But perhaps I did renew the server and don’t remember now.

Thanks for the input !! I’ll remember next time that I need to restart the web server to be sure that it uses the updated server.

1 Like

Yes. So if certbot changes the file, normally, the new version isn’t used.

Perhaps there was a restart. Or a long time of inactivity, so Apache loaded the certificate again.

According to > apachectl status:

Server uptime: 93 days 21 hours 22 minutes 59 seconds

Just curious, what’s a long time of inactivity ? There definitely isn’t much traffic to this server.

1 Like

If you originally installed this particular certificate using certbot run (which is the default if you don’t specify certonly) and you used either --apache or -i apache, then Certbot will reload Apache automatically for you after renewing the certificate.

Otherwise, it won’t, and a manual Apache reload is required. The existence of the new certificate on your hard drive doesn’t mean that your web service is automatically aware of it; Apache normally caches the certificate and key indefinitely until it’s restarted or reloaded, which is part of the explicit design of the Apache web server (the Apache developers thought that the system administrator should be in charge of the timing of the decision to switch over to new versions of the Apache configuration environment, including new certificates or keys).

That is one reason that we recommend not using certonly unless you have a specific reason to do so. certbot --nginx or certbot --apache will usually give a better experience because Certbot can manage the installation in the web server application for you.

The -0002 also suggests that you’ve created some overlapping certificates, so you might also want to check that Apache is using the certificate that you renewed, as opposed to a different version (looking at your Apache configuration and seeing if the HTTPS-related objects it refers to are in /etc/letsencrypt/live/hds.addhaptics.com-0002 as opposed to some other directory). You can see all of your Certbot-managed certificates and their coverage and expiration status by running

certbot certificates

(Since you use certbot-auto, you can replace all of the certbot commands in my post with their corresponding certbot-auto equivalents, e.g. certbot-auto certificates.)

Hi Schoen,

Thank you for all the input! In the future, I will use the --apache option when executing the certbot script. I will also look into the possible overlapping certificates and clean them up if there are any.

Not sure how the certificate was reloaded by Apache as I didn’t reload it and the uptime was 53 days but it is working now.

Thanks to everyone for their help !!!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.