Upgraded certbot and renewed certificate but Chrome still showing "Not secure"

Hi. I’m running a site on my Banana Pi at home (similar to a Raspberry Pi) and have used certbot for some time.

Yesterday I upgraded to v0.31.0 (later versions are not compatible with Python pip in this version of Debian - 7.9 - hopefully not relevant here). Although certbot reports I have a certificate and it does not need renewing, Google Chrome still shows the site as not secure.

Strangely, when I look on https://check-your-website.server-daten.de/?q=pilling.me.uk Section 8 shows the certificate as expired, yet in Section 9 “Last Certificates - Certificate Transparency Log Check” there is a certificate valid until 2019-09-25 19:13:15.

Apologies if I’m missing something obvious, and thanks in advance for any help.

My domain is: www.pilling.me.uk

I ran this command: sudo /home/luke/bin/certbot-auto renew --no-self-upgrade

It produced this output:

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.pilling.me.uk/fullchain.pem expires on 2019-09-25 (skipped)
No renewals were attempted.

My web server is (include version): Apache/2.2.22 (Debian)

The operating system my web server runs on is (include version): Debian 7.9

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0


Hi @lpilling

Yep, you have a newer certificate, but you don't use it. Did you restart your server?

And you should create one certificate with both domain names - -d pilling.me.uk -d www.pilling.me.uk.

What's the content of your renew file?

/etc/letsencrypt/renewal

Ah, restarting apache did the trick… thank you! Does one need to do this after every renewal (I didn’t have to previously) or is it because the previous certificate became invalid until I updated?

Contents of renewal file, if still relevant:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/www.pilling.me.uk
cert = /etc/letsencrypt/live/www.pilling.me.uk/cert.pem
privkey = /etc/letsencrypt/live/www.pilling.me.uk/privkey.pem
chain = /etc/letsencrypt/live/www.pilling.me.uk/chain.pem
fullchain = /etc/letsencrypt/live/www.pilling.me.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
account = 9ef50315e8ea0fd7c4f1e23fad99b64c
server = https://acme-v02.api.letsencrypt.org/directory

You should add a post hook to reload the Apache config.


It shouldn't be necessary to add a post-hook for restarting Apache, since @lpilling is using the Apache authenticator:

That should automatically reload the Apache config after renewal. I'm not sure why it didn't. @lpilling if you'd like to look through your certbot logs for the renewal run, they might have a clue. Maybe the attempt to reload Apache failed? Logs are in /var/log/letsencrypt/. There will probably be many logs; you'll want to look for one that closely matches the notBefore date on your current certificate. It will probably also be longer than others.

That renewal file shows that it’s using the apache authenticator, but doesn’t show any installer. Maybe the certificate was created with “certbot certonly --apache”. In which case Apache won’t be reloaded after the certificate is renewed (though it will be reloaded before it’s renewed as part of the validation process).
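
An added example, not part of the thread and not Certbot's own code: a check for the situation described in the last reply, which reads a renewal file and reports what, if anything, will reload the web server after a renewal. It assumes Certbot stores the installer and hooks under [renewalparams] as installer, renew_hook and post_hook; the sample file is constructed from the one posted above, with the account id replaced by a placeholder.

```python
import configparser
import glob

# Constructed sample, modelled on the renewal file posted in the thread
# (account id replaced with a placeholder).
SAMPLE = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/www.pilling.me.uk
fullchain = /etc/letsencrypt/live/www.pilling.me.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
account = ACCOUNT_ID_PLACEHOLDER
server = https://acme-v02.api.letsencrypt.org/directory
"""

def renewal_params(text):
    """Return the [renewalparams] section of a renewal file as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    # Keys such as 'version' come before any section header, which
    # configparser rejects, so parse them under a synthetic section.
    cp.read_string("[_top]\n" + text)
    return dict(cp["renewalparams"]) if cp.has_section("renewalparams") else {}

def reload_mechanism(text):
    """Name the setting that reloads the server after renewal, or None."""
    params = renewal_params(text)
    def is_set(key):
        # Treat a literal "None" value the same as a missing key.
        return params.get(key, "").strip() not in ("", "None")
    if is_set("installer"):
        return "installer=" + params["installer"]
    for hook in ("renew_hook", "post_hook"):
        if is_set(hook):
            return hook
    return None

def audit(path):
    """One-line report for a renewal file on disk."""
    with open(path) as fh:
        mech = reload_mechanism(fh.read())
    return f"{path}: " + (mech or "no installer or hook; renewed cert is not served until a manual reload")

if __name__ == "__main__":
    for conf in sorted(glob.glob("/etc/letsencrypt/renewal/*.conf")):
        print(audit(conf))
```

Run as root so the files under /etc/letsencrypt/renewal/ are readable.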
