Cert not yet due for renewal ... but it's expired

Question

I am trying to renew a wildcard let's encrypt certificate.

/usr/local/bin/certbot renew


Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sub.myDomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/sub.myDomain.com/fullchain.pem expires on 2019-08-14 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It responds that Cert not yet due for renewal. But actually it has expired:

echo | openssl s_client -connect sub.myDomain.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 11 15:32:13 2019 GMT
notAfter=Jun  9 15:32:13 2019 GMT

How do I renew it? Here is how I created that certificate:

certbot certonly \
          --dns-google \
          --email myEmail@gmail.com \
          --agree-tos \
          -d *.sub.myDomain.com

no it wasn’t, it’s docker container, I’ll try to restart it — Maxim Yefremov, Jun 10 '19 at 07:03
@Sven you are right, reloading nginx helped me, so the correct way to renew is: `/usr/local/bin/certbot renew --post-hook '/usr/sbin/nginx -s reload'` — Maxim Yefremov, Jun 10 '19 at 12:17

score 6 · Answer 1 · answered Jun 10 '19 at 14:40

Your system renewed its certificate last month, but the web server never restarted or reloaded to actually start using it.

To fix the problem, reload/restart the web server.

You can also supply the appropriate command to reload your web server as a --deploy-hook to your certbot renew command.

Cert not yet due for renewal ... but it's expired

1 Answers1