
I configured a Let's Encrypt certificate for my website, which is hosted on CentOS 7 with the httpd web server.

On 12-07-22 I renewed the SSL certificate manually using /usr/bin/certbot renew, then checked the SSL validity on an SSL checker website. All was working fine and the SSL validity showed 89 days.

But when I checked the SSL validity on 05-08-22 it showed only 2 days left. I don't know why the validity was reduced like this.

Then I checked the certificate modification date, and it still showed 5-5-22, which was the previous certificate renewal from a failed auto-renewal attempt (I didn't check it when I renewed the SSL on 12-07-22).

Then I manually executed the renew command again and checked all aspects. Now the certificate is working fine.

I want to know why the auto renew command executed perfectly and showed the validity as 89 days when I renewed the certificate on 12-07-22, and why it was reduced when I checked the certificate on 05-08-22 while there were 2 months of validity left.

Web config file:

<VirtualHost *:80>
    ServerName site.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =site.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin root@localhost
    ServerName site.com
    DocumentRoot /var/www/sitename
    DirectoryIndex index.html
    <Directory "/var/www/sitename">
        AllowOverride All
        Options -Indexes +FollowSymLinks
    </Directory>
    ErrorLog /var/log/httpd/error.log

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/site.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/site.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/site.com/chain.pem
</VirtualHost>

Now I have set up a cron job to check the validity and renew the certificate every 2 months.

Can anyone please give me an idea of how this happened?

jayaprakash R
  • Most probably you didn't restart/reload the service after renewing the certificate and it still uses the old one. – Gerald Schneider Aug 12 '22 at 09:00
  • There is no way to say with such a vague description. The least you need to provide is the configuration of your webserver and your crontab entry for certbot. – Gerald Schneider Aug 12 '22 at 09:08
  • Describe the exact process of how you checked the validity of certificates. I mean, whether you looked through the browser, or ran `openssl x509 -in file.crt -text`, or whatever. – Nikita Kipriyanov Aug 12 '22 at 10:19
  • Don't bother about cron, because I executed the commands manually in the terminal to renew the certificate, and I included the web config file @GeraldSchneider – jayaprakash R Aug 12 '22 at 11:08
  • I checked the validity using the 'https://www.sslshopper.com/ssl-checker.html' site, not using openssl @NikitaKipriyanov – jayaprakash R Aug 12 '22 at 11:09
  • Then provide the command line you used. The whole point is HOW it is renewed. – Gerald Schneider Aug 12 '22 at 11:29
  • Did you restart or reload the web server explicitly after the renew was done? – Nikita Kipriyanov Aug 12 '22 at 11:31
  • I already mentioned the command that I executed @GeraldSchneider. Now I have highlighted that command for your reference. Anyway, I am putting my command here also. The command I used is `/usr/bin/certbot renew` – jayaprakash R Aug 12 '22 at 11:32
  • No, I didn't restart the webserver. Anyway, that SSL checker showed the validity at that time. And I searched on Google and no one mentioned that a restart is mandatory, and also I have renewed for many websites already. It's weird that this scenario happens for this website only @NikitaKipriyanov – jayaprakash R Aug 12 '22 at 11:36
  • This is the explanation. Notice it was already given in the first comment. To load the new certificate (so it will be seen by the SSL checker or anyone who accesses the web server) you absolutely need to reload the web server. Your certificate was renewed, but not reloaded. Yes, the old certificate is still valid because certbot nicely provides some headroom to account for various transient renewal problems. – Nikita Kipriyanov Aug 12 '22 at 12:12
  • I accept your point, but is it mandatory to reload the webserver? Then why did the SSL checker show me the renewed validity? Why do these weird things happen at that time? – jayaprakash R Aug 12 '22 at 12:17
  • Reload is mandatory to put a new certificate file into use. Notice that the reload is graceful and doesn't result in any service downtime (as opposed to restart, which will result in some downtime). Don't hesitate to reload. If you are unsure whether everything will go smoothly, do a config validity check (`apachectl -t` AFAIR). // I don't understand which "weird things" you are talking about. Everything you described looks pretty normal and expected to me. – Nikita Kipriyanov Aug 12 '22 at 12:33
  • Okay, got your point. I mentioned weird because the certificate was shown as renewed at that time, but after 20 days it showed as 2 days. – jayaprakash R Aug 12 '22 at 13:40
  • "because the certificate was shown as renewed at that time but after 20 days it shows as 2 days" You are not showing any proof of that assertion. How did you check for "SSL" validity? There is nothing "weird" with certificates. – Patrick Mevzek Aug 16 '22 at 18:45
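The comments above settle on one cause: certbot wrote a new cert.pem to disk, but httpd kept the certificate it had loaded at startup until it was reloaded, so an external checker kept seeing the old expiry. The script below is an added example, not code from the question or from certbot. It makes that state visible by comparing the SHA-256 fingerprint of the on-disk certificate with the one the running server actually presents, and it installs a certbot deploy hook so the reload happens automatically after every real renewal. It assumes the domain `site.com` and the `/etc/letsencrypt/live/site.com/` paths from the posted vhost, `openssl` and `systemctl` as found on CentOS 7, and certbot's `renewal-hooks/deploy` directory (executables there run only when a certificate was actually renewed); the file name `check-served-cert.sh` and the hook name `reload-httpd.sh` are my own choices.

```shell
#!/bin/sh
# check-served-cert.sh (added example, not from the question or from certbot):
# detect the "renewed on disk but httpd never reloaded" state described in the
# question, and install a certbot deploy hook so the reload happens on its own.
# Usage: sh check-served-cert.sh site.com
# Assumed: domain "site.com" and the /etc/letsencrypt/live/<domain> paths from
# the question's vhost; openssl and systemctl present as on CentOS 7.

# SHA-256 fingerprint of the certificate file certbot wrote to disk.
disk_fingerprint() {
    openssl x509 -in "/etc/letsencrypt/live/$1/cert.pem" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate the running httpd presents on :443.
# SNI (-servername) is sent so a multi-site server answers for the right vhost.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# 0 when both fingerprints are present and equal, 1 otherwise.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Explain the result. Returns 0 when httpd is current, 1 when it still holds
# the old certificate (the state a public SSL checker reports as "2 days left").
report() {
    if fingerprints_match "$1" "$2"; then
        echo "ok: httpd serves the certificate that is on disk"
        return 0
    fi
    echo "stale: cert.pem was renewed but httpd still serves the previous certificate"
    echo "fix:   systemctl reload httpd   (graceful, no downtime; run apachectl -t first)"
    return 1
}

# certbot executes every file in renewal-hooks/deploy only after a certificate
# was actually renewed, so this reloads httpd exactly when a new file appears.
# $1 overrides the hook directory (handy for a dry run in a temp dir).
install_deploy_hook() {
    hook_dir="${1:-/etc/letsencrypt/renewal-hooks/deploy}"
    mkdir -p "$hook_dir"
    printf '#!/bin/sh\nsystemctl reload httpd\n' > "$hook_dir/reload-httpd.sh"
    chmod 755 "$hook_dir/reload-httpd.sh"
    echo "$hook_dir/reload-httpd.sh"
}

# Live check only when a domain is given on the command line.
if [ $# -ge 1 ]; then
    report "$(disk_fingerprint "$1")" "$(served_fingerprint "$1")"
fi
```

Running `sh check-served-cert.sh site.com` right after a manual `certbot renew` would have printed the `stale:` line in the situation from the question; after `systemctl reload httpd` it prints `ok:`. Calling `install_deploy_hook` once (as root, with no argument) makes future runs of `certbot renew`, whether from cron or by hand, reload httpd themselves, which removes the manual step that was forgotten here. Fingerprints are compared rather than expiry dates because a renewal can also change the key or the chain while the dates look plausible.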
