Cert not yet due for renewal … but it's expired

Maxim Yefremov asked:

I am trying to renew a wildcard let's encrypt certificate.

/usr/local/bin/certbot renew


Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sub.myDomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/sub.myDomain.com/fullchain.pem expires on 2019-08-14 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It responds that Cert not yet due for renewal.
But actually it has expired:

echo | openssl s_client -connect sub.myDomain.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 11 15:32:13 2019 GMT
notAfter=Jun  9 15:32:13 2019 GMT

How do I renew it?
Here is how I created that certificate:

certbot certonly \
          --dns-google \
          --email [email protected] \
          --agree-tos \
          -d *.sub.myDomain.com

My answer:


Your system renewed its certificate last month, but the web server never restarted or reloaded to actually start using it.

To fix the problem, reload/restart the web server.

You can also supply the appropriate command to reload your web server as a --deploy-hook to your certbot renew command.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.