Why does my certificate have one expiration date yet LE says a different one?

My domain is: follett.oneidacsd.org

I am running Ubuntu 18.04.1 with Nginx reverse proxy to two different sites on different webservers.

If I load the URL in a web browser and check the certificate, it says the certificate will expire on 9/26, yet if I try to run certbot on the reverse proxy it tells me it expires on 11/25 so it doesn't need to be renewed.

I must be mixing something up here somehow.


Hi @eatyourpeas747

You have two active certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:follett.oneidacsd.org&lu=cert_search

But the wrong (older) certificate is installed.

Did you restart your nginx?

You have a certbot on the reverse proxy. Is there a second certbot on one of your webservers?

There are other certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:oneidacsd.org;issuer_uid:4428624498008853827&lu=cert_search

But no other certificate created 27.08.2018.

I do not have certbot on any of the webservers. Only on the reverse proxy.

What should I do with it at this point? And no, I haven't restarted nginx. I can later in the day if necessary.

First restart your nginx. If the certificate is renewed, but nginx doesn't use it, that's the error.

That did the trick. What did I do wrong to cause that issue?


A restart is required so that the new certificate is used.

You may add a --post-hook command:

https://certbot.eff.org/docs/using.html#certbot-commands

--post-hook POST_HOOK
Command to be run in a shell after attempting to
obtain/renew certificates. Can be used to deploy
renewed certificates, or to restart any servers that
were stopped by --pre-hook. This is only run if an
attempt was made to obtain/renew a certificate. If
multiple renewed certificates have identical post-
hooks, only one will be run.

Sample:

certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

You don't need the --pre-hook part.

Additionally, there is a --deploy-hook parameter. But if you use and renew only one certificate, you can use post-hook or deploy-hook.

I wouldn’t recommend this, @JuergenAuer. This will restart nginx every time Certbot runs, even if it doesn’t renew a certificate. Additionally, you don’t need to restart Nginx, you can just reload it. This prevents the brief downtime during a renewal.

It would be better to just use --deploy-hook "service nginx reload"

Am I doing something wrong? Or am I just skipping a recommended step?

Nginx needs to be reloaded or restarted before it will use the new certificate. It only reads the configuration – including certificates – when starting or when reloaded.

If you use certbot --nginx, Certbot will automatically take care of that; otherwise, you have to use a hook, or manually reload Nginx some time before the old certificate expires.
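The two points made above (reload nginx through --deploy-hook rather than restarting it on every run, and the fact that nginx only picks up a renewed certificate when reloaded) can be put into one small script. This is an added example, not code from the thread or from Certbot; it assumes Certbot's default live directory /etc/letsencrypt/live/<hostname>/, that nginx is managed with `service`, and that openssl is installed on the proxy. The `check` mode is the diagnostic for exactly the symptom in this thread: it compares the SHA-256 fingerprint of the certificate nginx is actually serving (selected by SNI, since the proxy fronts several sites) with the one Certbot has on disk.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot --deploy-hook for nginx plus a
# check that the certificate nginx serves is the one certbot renewed on disk.
# Assumptions: live certs under /etc/letsencrypt/live/<host>/, nginx managed
# with `service`, openssl available on the proxy.
set -eu

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}

# Strip the "SHA256 Fingerprint=" prefix and the colons so output from
# `openssl x509` compares equal to a bare hex string, case-insensitively.
normalize_fingerprint() {
    printf '%s' "$1" | sed -e 's/^.*Fingerprint=//' -e 's/://g' | tr 'A-F' 'a-f'
}

fingerprints_match() {
    [ "$(normalize_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# SHA-256 fingerprint of the leaf certificate in a PEM file on disk.
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the leaf certificate the server presents for $1.
# -servername is required: with several sites behind one proxy, SNI decides
# which certificate nginx hands out.
served_fingerprint() {
    host=$1; port=${2:-443}
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Returns 0 when the served certificate is the one in certbot's live directory.
# A mismatch means certbot renewed but nginx was never reloaded, so clients
# (and the browser's expiry date) still see the old certificate.
check_deployed() {
    host=$1
    disk=$(disk_fingerprint "$LIVE_DIR/$host/fullchain.pem")
    served=$(served_fingerprint "$host")
    if fingerprints_match "$disk" "$served"; then
        echo "ok: $host serves the certificate in $LIVE_DIR/$host"
    else
        echo "MISMATCH for $host" >&2
        echo "  on disk: $(normalize_fingerprint "$disk")" >&2
        echo "  served:  $(normalize_fingerprint "$served")" >&2
        return 1
    fi
}

# Deploy-hook body. certbot runs --deploy-hook only for a certificate it
# actually renewed, so nginx is reloaded only when there is something new to
# load. `nginx -t` first: reloading with a broken config would leave the old
# workers, and therefore the old certificate, in place.
deploy_hook() {
    if nginx -t >/dev/null 2>&1; then
        service nginx reload
    else
        echo "nginx -t failed; not reloading" >&2
        return 1
    fi
}

# Dispatch: `deploy` from certbot, `check <host>` by hand or from monitoring.
case ${1:-} in
    deploy) deploy_hook ;;
    check)  check_deployed "$2" ;;
    "")     : ;;
    *)      echo "usage: $0 deploy | check <hostname>" >&2; return 2 2>/dev/null || exit 2 ;;
esac
```

Saved as, for instance, /usr/local/bin/le-nginx-hook (a hypothetical path), it is wired in with `certbot renew --deploy-hook "/usr/local/bin/le-nginx-hook deploy"`, and `le-nginx-hook check follett.oneidacsd.org` run after a renewal confirms that the fingerprint on disk is the one clients receive.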

So should I just follow the suggestion here https://gist.github.com/wintermeyer/400fe8cc0aaf75d21e46349527f7bdfd and edit my /etc/cron.d/certbot file to the following?

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "service nginx reload"

Also, my current cron looks like:

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
