Browser shows cert expired but server shows it as valid

My domain is:
hudu.mull-it.com

I ran these commands:
certbot certificates
ls -l /etc/letsencrypt/renewal/
reboot

It produced this output:

My web server is (include version):
server: nginx/1.16.1

The operating system my web server runs on is (include version):
Ubuntu Server 22.04.1 LTS

My hosting provider, if applicable, is:
Vultr

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.21.0

More backstory: I attempted to change from regular automatic certbot renewals in November to manual renewal using DNS validation. The goal was to restrict ports 80 and 443 on our firewall to just our office IP. I manually renewed the cert on 1/23/23, but it never showed as updated in the browser.

Hello @mullit, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is a list of issued certificates crt.sh | hudu.mull-it.com, the latest being 2023-01-23.

However the certificate being served is not that one and it is expired.

https://www.ssllabs.com/ssltest/analyze.html?d=hudu.mull-it.com

$ openssl s_client -showcerts -servername hudu.mull-it.com -connect hudu.mull-it.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = hudu.mull-it.com
verify error:num=10:certificate has expired
notAfter=Jan 31 01:08:57 2023 GMT
verify return:1
depth=0 CN = hudu.mull-it.com
notAfter=Jan 31 01:08:57 2023 GMT
verify return:1
---
Certificate chain
 0 s:CN = hudu.mull-it.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  2 01:08:58 2022 GMT; NotAfter: Jan 31 01:08:57 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = hudu.mull-it.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5090 bytes and written 398 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
DONE
1 Like

Would seem to be Server: nginx/1.16.1

$ curl -Ii http://hudu.mull-it.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Tue, 31 Jan 2023 17:30:26 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://hudu.mull-it.com/

$ curl -k -Ii https://hudu.mull-it.com/
HTTP/2 200
server: nginx/1.16.1
date: Tue, 31 Jan 2023 17:30:36 GMT
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
cache-control: no-cache, no-store
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
1 Like

Please show the output of:
sudo nginx -T | grep -i ssl

2 Likes

So the certificate was issued, did you install the certificate?
Did you afterwards restart nginx or reboot Ubuntu?

1 Like

Seems like there is more to the problem [than a reboot can correct].

2 Likes

Good point pint! :slight_smile: :beers:

3 Likes

You spelled pint wrong! LOL
:beer:

4 Likes

We need two things:

  • see which cert [files] nginx is using
    [sudo nginx -T | grep -i ssl]

  • see what certs are being managed by certbot
    [certbot certificates]

4 Likes
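
The two checks requested above can be combined into one comparison. This is an added example, not part of the original thread: the function names are hypothetical, the sample outputs and the /constructed/... path are made up for illustration, and the real input would be the text of `nginx -T` and `certbot certificates` taken from wherever each tool actually runs.

```shell
#!/bin/sh
# Added example: which certificate files does nginx serve that certbot does not manage?

# Constructed sample of `nginx -T` output (paths are placeholders).
SAMPLE_NGINX='server {
    listen 443 ssl http2;
    server_name app.example.com;
    ssl_certificate /constructed/container/keys/cert.crt;
    ssl_certificate_key /constructed/container/keys/cert.key;
    # ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
}
server {
    listen 8443 ssl;
    ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
}'

# Constructed sample of `certbot certificates` output.
SAMPLE_CERTBOT='Found the following certs:
  Certificate Name: app.example.com
    Domains: app.example.com
    Expiry Date: 2023-04-23 01:08:57+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/app.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/app.example.com/privkey.pem'

# stdin: nginx -T output. Prints active ssl_certificate paths
# (skips ssl_certificate_key and commented-out directives).
nginx_cert_paths() {
  awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2 }' | sort -u
}

# stdin: certbot certificates output. Prints each managed fullchain path.
certbot_cert_paths() {
  awk -F': *' '/^[ \t]*Certificate Path:/ { print $2 }' | sort -u
}

# $1 = nginx -T text, $2 = certbot certificates text.
# Prints paths nginx serves that this certbot never renews; returns 2 when the
# nginx text has no ssl_certificate at all (wrong host or container queried).
unmanaged_cert_paths() {
  served=$(printf '%s\n' "$1" | nginx_cert_paths)
  managed=$(printf '%s\n' "$2" | certbot_cert_paths)
  if [ -z "$served" ]; then
    echo "no ssl_certificate directive found: is this the nginx serving the site?" >&2
    return 2
  fi
  printf '%s\n' "$served" | while IFS= read -r path; do
    printf '%s\n' "$managed" | grep -qxF -- "$path" || printf '%s\n' "$path"
  done
}

unmanaged_cert_paths "$SAMPLE_NGINX" "$SAMPLE_CERTBOT"
```

On a live system the arguments would be `"$(sudo nginx -T 2>/dev/null)"` and `"$(sudo certbot certificates 2>/dev/null)"`. Any path it prints is a certificate file that renewals from this certbot install will not touch.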

So Hudu is running inside of a docker instance. Would that mean the cert renewal is inside of docker and not inside of the Ubuntu server?

1 Like

It means the nginx is running inside a docker instance [not where you ran that command].
It seems like you might have certbot installed in more than one place.

4 Likes

Welp we figured it out. It was running inside of docker, and fixed it with this guide:

Thanks for the quick replies. You all are an awesome community.

1 Like
