Website url "lock" does not reflect updated certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
allcountyguitar.com

I ran this command:

sudo ./certbot-auto certonly --debug

It produced this output:
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): allcountyguitar.com
Obtaining a new certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/allcountyguitar.com-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/allcountyguitar.com-0001/privkey.pem
    Your cert will expire on 2020-10-27.

My web server is (include version):
Server version: Apache/2.4.43 (Amazon)
Server built: May 14 2020 18:12:28

The operating system my web server runs on is (include version):
NAME="Amazon Linux AMI"
VERSION="2018.03"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
bash

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot --version

bash: certbot: command not found

Problem Statement:
Upon renewing from my bash cmd window I get a message that the new expiration date for the renewed certificate will be 10/27/2020; however, checking the “lock” icon (waiting an hour after recert), it maintains the old expiration date: Friday, August 14, 2020

Hi @kiteandwindsurfer

your command uses certonly. Did you restart your webserver?

Yes, restarted web server
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

No change to date of recert

thank you for your response!

best,
Brian

Hi @kiteandwindsurfer,

This part is the problem. You can see that Certbot said it was "creating a new certificate" and it saved it in a different place (/etc/letsencrypt/live/allcountyguitar.com-0001 instead of /etc/letsencrypt/live/allcountyguitar.com). Your web server application has not been configured to use this new path, so it doesn't notice this certificate.

The reason for this behavior by Certbot is that your old certificate covers both allcountyguitar.com and another domain, enetapplication.com. But when you asked for the new certificate, you didn't mention the second domain, so Certbot concluded that you must want a new, separate certificate that only covers allcountyguitar.com without enetapplication.com. It then went ahead and got that certificate, saving it in a new location that your web server application doesn't know anything about.

I would suggest deleting this unused new certificate with certbot delete, unless you specifically wanted enetapplication.com to no longer be covered by a certificate. After that, you can use the normally-recommended certbot renew to renew your existing certificate.

certbot renew has various advantages over certbot certonly for a renewal:

  • It only tries to renew certificates that are less than one month from expiry, so it's safe to run it very frequently (we recommend twice per day)
  • It uses your existing certificates on disk to decide which domain names and file locations to use, without changing anything
  • It tries to renew any Certbot-created certificates on your system that are in need of a renewal, in one single invocation of the Certbot command
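
The situation described in the reply above, as an added example that is not part of the original thread: a POSIX shell check that lists Certbot lineages on disk that no active Apache `SSLCertificateFile` directive references. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Certbot lineages that no Apache vhost points at.
# Assumes LIVE_DIR/<lineage>/fullchain.pem and *.conf files under CONF_DIR.

# Lineage names referenced by active (uncommented) SSLCertificateFile lines.
referenced_lineages() {
    live_dir=${1%/}; conf_dir=$2
    find "$conf_dir" -type f -name '*.conf' -exec cat {} + |
        grep -iE '^[[:space:]]*SSLCertificateFile[[:space:]]' |
        sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//; s/^"//; s/".*$//' |
        while IFS= read -r path; do
            case $path in
                "$live_dir"/*/*) rest=${path#"$live_dir"/}; printf '%s\n' "${rest%%/*}" ;;
            esac
        done | sort -u
}

# Lineages present on disk but unused, such as the "-0001" duplicate that
# certonly creates when the requested name set differs from the old one.
unreferenced_lineages() {
    live_dir=${1%/}; conf_dir=$2
    used=$(referenced_lineages "$live_dir" "$conf_dir")
    for dir in "$live_dir"/*/; do
        [ -f "${dir}fullchain.pem" ] || continue
        name=$(basename "$dir")
        printf '%s\n' "$used" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample tree (not the poster's server): two lineages on disk,
# one vhost that still references the original lineage.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/conf.d" "$root/live/allcountyguitar.com" \
             "$root/live/allcountyguitar.com-0001"
    : > "$root/live/allcountyguitar.com/fullchain.pem"
    : > "$root/live/allcountyguitar.com-0001/fullchain.pem"
    cat > "$root/conf.d/ssl.conf" <<EOF
<VirtualHost *:443>
    SSLCertificateFile $root/live/allcountyguitar.com/fullchain.pem
    # SSLCertificateFile $root/live/allcountyguitar.com-0001/fullchain.pem
</VirtualHost>
EOF
    printf '%s\n' "$root"
}

sample=$(make_sample)
unreferenced_lineages "$sample/live" "$sample/conf.d"   # prints allcountyguitar.com-0001
rm -rf "$sample"
```

On a real host the arguments would be /etc/letsencrypt/live (the path shown in the thread) and the Apache configuration directory, assumed here to be /etc/httpd/conf.d.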

that is fantastic - thank you so much and kind of realized that this was a quality organization when I joined and now see that in fact it is what I thought, careful and responsive thanks to the membership

thanks again, will proceed from here
best,
Brian

(fyi) when originally installing I used:

wget https://dl.eff.org/certbot-auto

Please point me to what I need to do to delete /etc/letsencrypt/live/allcountyguitar.com-0001
I have tried:

#sudo certbot delete
sudo: certbot: command not found

When creating the certificates I follow these steps:

  1. #sudo ./certbot-auto certonly --debug
  2. Select option #1: 1: Apache Web Server plugin (apache)
  3. Type in domain name
  4. Restart httpd

Once deleted I would like to avail myself of this:

To non-interactively renew all of your certificates, run "certbot-auto renew"

...but get the same "command not found" message

Again, many thanks in advance!

best,
Brian

certbot and certbot-auto are synonyms depending on the way you installed Certbot on your particular system. So for both commands you should use ./certbot-auto instead of certbot in the command.

thank you, this worked for all my certs:

sudo ./certbot-auto renew --debug

It still tries:

Processing /etc/letsencrypt/renewal/allcountyguitar.com-0001.conf


Cert not yet due for renewal

I need to clean up others that threw errors but all domains were processed, and the domain allcountyguitar.com "lock" is now showing the renewed expiration date!

thanks again for the support

best,
Brian
