Website says certificate has expired but certbot will not let me renew because it is still valid until next month

AndrewP · March 13, 2020, 5:14pm

My website is giving me a security warning and stating that my cert expired on 3/12/20. I am trying to renew it with a dry run and even tried once without the dry run flag and am being told that I cannot renew as it expires on 4/17. When I run certbot certificates I see:

Found the following certs:
  Certificate Name: affinity-iot.com
    Domains: affinity-iot.com
    Expiry Date: 2020-04-17 11:46:27+00:00 (VALID: 34 days)
    Certificate Path: /etc/letsencrypt/live/affinity-iot.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/affinity-iot.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Any help is much appreciated!!

My domain is:
affinity-iot.com
I ran this command:
sudo certbot renew --dry-run

It produced this output:
Processing /etc/letsencrypt/renewal/affinity-iot.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/affinity-iot.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/affinity-iot.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
AWS running bitnami

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0

schoen · March 13, 2020, 5:17pm

Hi @AndrewP,

Your new certificate exists on disk, but your web server isn’t using it. This might mean that your web server needs to be reloaded so that it checks for updated configuration files.

rg305 · March 13, 2020, 5:17pm

Sounds like you just need to restart your web service to use the existing cert.

Osiris · March 13, 2020, 5:19pm

Unlike the previous, currently installed certificate, the new certificate is missing the www subdomain.

@AndrewP Did you intentionally remove the www subdomain in January? Does your certbot certificates output more than just one certificate by any chance?

I think you're correct, as the output of the dry run says it uses the installer "None", so Apache isn't reloaded automatically.

AndrewP · March 14, 2020, 4:06pm

Hi, thank you for the reply and advice. I have restarted apache using
sudo /opt/bitnami/ctlscript.sh restart apache
But I am still getting the warning upon visiting my site. I am sure that leaving out the www in the subdomain back in January was a mistake. Would you suggest that I revoke the current certificate and start fresh with a new one? Do you recommend any other alternatives?

Thanks again.

Osiris · March 14, 2020, 4:08pm

Revoking is only necessary when the private key is (possibly) leaked. If that’s not the case, then it isn’t necessary to revoke a certificate.

Also, I saw you are using Bitnami. With Bitnami, things are a little bit different than just running certbot. Please read https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/ for more info.

JuergenAuer · March 14, 2020, 4:15pm

Hi @AndrewP

that's the wrong certificate. Your installed certificate - https://check-your-website.server-daten.de/?q=affinity-iot.com - has two domain names:

CN=affinity-iot.com
	13.12.2019
	12.03.2020
2 days expired	affinity-iot.com, www.affinity-iot.com - 2 entries

so that Bitnami-script may not use a certificate with one domain name.

So first step: Create one certificate with both domain names.

https://certbot.eff.org/docs/using.html

Then install that certificate. That doesn't work with renew. Why isn`t your certificate with both domain names visible? Looks like you have deleted that certificate. So create a new.

system · April 13, 2020, 4:15pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certificate renew issue Help	11	3044	March 9, 2019
Impossible renew? Help	6	3208	October 10, 2017
Cert not auto renewing Help	3	941	January 18, 2020
Certbot renew --dry-run Help	3	90255	May 2, 2017
Renew --dry-run Help	5	4705	September 9, 2023

Website says certificate has expired but certbot will not let me renew because it is still valid until next month

Related topics