Website says certificate has expired but certbot will not let me renew because it is still valid until next month

My website is giving me a security warning and stating that my cert expired on 3/12/20. I am trying to renew it with a dry run, and even tried once without the dry-run flag, and am being told that I cannot renew as it expires on 4/17. When I run certbot certificates I see:

Found the following certs:
  Certificate Name: affinity-iot.com
    Domains: affinity-iot.com
    Expiry Date: 2020-04-17 11:46:27+00:00 (VALID: 34 days)
    Certificate Path: /etc/letsencrypt/live/affinity-iot.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/affinity-iot.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Any help is much appreciated!!

My domain is:
affinity-iot.com
I ran this command:
sudo certbot renew --dry-run

It produced this output:
Processing /etc/letsencrypt/renewal/affinity-iot.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/affinity-iot.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/affinity-iot.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
AWS running bitnami

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0

Hi @AndrewP,

Your new certificate exists on disk, but your web server isn’t using it. This might mean that your web server needs to be reloaded so that it checks for updated configuration files.

Sounds like you just need to restart your web service to use the existing cert.

Unlike the previous, currently installed certificate, the new certificate is missing the www subdomain.

@AndrewP Did you intentionally remove the www subdomain in January? Does your certbot certificates output more than just one certificate by any chance?

I think you’re correct, as the output of the dry run says it uses the installer “None”, so Apache isn’t reloaded automatically.

Hi, thank you for the reply and advice. I have restarted apache using
sudo /opt/bitnami/ctlscript.sh restart apache
But I am still getting the warning upon visiting my site. I am sure that leaving out the www in the subdomain back in January was a mistake. Would you suggest that I revoke the current certificate and start fresh with a new one? Do you recommend any other alternatives?

Thanks again.

Revoking is only necessary when the private key is (possibly) leaked. If that’s not the case, then it isn’t necessary to revoke a certificate.

Also, I saw you are using Bitnami. With Bitnami, things are a little bit different than just running certbot. Please read https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/ for more info.

Hi @AndrewP

That’s the wrong certificate. Your installed certificate - https://check-your-website.server-daten.de/?q=affinity-iot.com - has two domain names:

CN=affinity-iot.com
    valid from: 13.12.2019
    valid until: 12.03.2020 (2 days expired)
    names: affinity-iot.com, www.affinity-iot.com - 2 entries

so that Bitnami script may not use a certificate with one domain name.

So first step: Create one certificate with both domain names.

Then install that certificate. That doesn’t work with renew. Why isn’t your certificate with both domain names visible? Looks like you have deleted that certificate. So create a new one.

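
The thread raises two separate diagnoses: the web server may not be serving the fullchain.pem certbot just wrote (installer "None" means nothing reloads Apache), and the certificate on disk may not list www.affinity-iot.com at all. The script below, added here as an example and not code from the original posts, from certbot or from Bitnami, checks both: it fetches the certificate the server actually presents, compares its SHA-256 fingerprint with the on-disk file, and verifies that every required hostname appears in the subjectAltName. It assumes the openssl command-line tool (1.1.1 or newer) is installed; the host, the certificate path and the hostnames are passed in by the caller, and the usage line at the bottom reuses the domain and the /etc/letsencrypt/live path quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example for this thread (not from the original posts, certbot or Bitnami).
# Compares the certificate a web server presents with certbot's fullchain.pem
# and checks that every hostname you need is in the SAN list.
# Assumes the openssl CLI; host, port and paths are supplied by the caller.

# Print the DNS names in a certificate's subjectAltName, one per line, sorted.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p' \
    | sort
}

# Print the notAfter date, e.g. "notAfter=Apr 17 11:46:27 2020 GMT".
cert_expiry() {
  openssl x509 -in "$1" -noout -enddate
}

# Exit 0 if the certificate is still valid now, 1 if it has already expired.
cert_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# SHA-256 fingerprint; two files hold the same certificate iff these match.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

same_cert() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# cert_covers FILE NAME...: exit 0 only if every NAME is in FILE's SAN list.
cert_covers() {
  local file=$1 sans name
  shift
  sans=$(cert_sans "$file")
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qxF -- "$name" \
      || { echo "missing SAN: $name" >&2; return 1; }
  done
}

# Fetch the leaf certificate a live server presents for HOST (SNI = HOST) as PEM.
served_cert() {
  local host=$1 port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509
}

# check_site HOST FULLCHAIN NAME...: is the server serving FULLCHAIN, and does
# FULLCHAIN cover all the NAMEs? Prints one verdict for each question.
check_site() {
  local host=$1 fullchain=$2 served
  shift 2
  served=$(mktemp)
  served_cert "$host" >"$served"
  echo "on disk: $(cert_expiry "$fullchain")  SANs: $(cert_sans "$fullchain" | tr '\n' ' ')"
  echo "served : $(cert_expiry "$served")  SANs: $(cert_sans "$served" | tr '\n' ' ')"
  if same_cert "$fullchain" "$served"; then
    echo "OK: the server is serving $fullchain"
  else
    echo "MISMATCH: the server is not serving $fullchain (reload the web server, or its config points at another file)"
  fi
  if cert_covers "$fullchain" "$@"; then
    echo "OK: on-disk certificate covers: $*"
  else
    echo "REISSUE: request a new certificate with -d for each of: $*"
  fi
  rm -f "$served"
}

# Usage with the values from this thread (only runs when arguments are given):
#   ./check_cert.sh affinity-iot.com /etc/letsencrypt/live/affinity-iot.com/fullchain.pem \
#       affinity-iot.com www.affinity-iot.com
if [ $# -gt 0 ]; then
  check_site "$@"
fi
```

If the first verdict is MISMATCH after an Apache restart, the server's SSLCertificateFile does not point at the certbot path, which is the Bitnami situation described above. If the second verdict is REISSUE, renewing will never add the missing name; a new certificate has to be requested with every hostname listed.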