Can I renew an expired certificate?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ssl.trainingservices.bim.ie (172.16.60.100)

I ran this command:

It produced this output:

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): Windows Server 2012 R2 Standard

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’ve recently taken over support of an internal web server on which the SSL certificate had recently expired. I’m also new to Let’s Encrypt certification.

Is it possible to renew/reactivate an expired certificate?

If so, can you point me in the direction of any tutorials/instructions for doing so.

If not, what are my options to generate a new certificate for this address space?

Regards,
Paul.


#2

Yes, you can renew an expired cert. The process is identical to renewing a cert that isn’t expired.


#3

Hi @polobryn

there are a lot of old certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:false;domain:ssl.trainingservices.bim.ie&lu=cert_search

How did you create one of these?

You have an unusual configuration - Windows 2012 R2 with Apache. So the typical Apache clients can’t work.

Start there:


#4

There are normally three possible methods for proving your control over the domain so that a certificate can be issued (four if you count the deprecated tls-sni-01 method), but since this domain points at a private address space, only one of those methods can work, and that is the dns-01 method. So you’ll want to look through the list of Windows clients for one that supports that method, and follow its instructions. I have no experience with the Windows clients so I can’t recommend any specific one, sorry.


#5

I didn’t create them, my predecessor did. Unfortunately there was no handover or documentation for tasks he performed so I’m working through the process as best I can from scratch. And yes, it is an unusual configuration :slight_smile:


#6

The CT logs don’t appear to indicate that a scheduled task was in use to automate the renewals.
That said, I would still look there first (Task Scheduler) to understand what the system does and on what schedule.

Even without any documentation, you should be able to find which programs are installed that relate to certificate issuance.
From there you can either learn that program or replace it with one you already learned and like.


#7

It’s of course also possible that the previous person used one of the web based clients in which case there wouldn’t be any software on the server itself (and that would also explain why it didn’t renew automatically).


#8

There don’t appear to be any scheduled tasks for updating the certificate, but I have made progress, to the point that I am getting the DNS TXT record but don’t have access to our DNS server! I’m hoping our IT partners will help me out and either give me access or add the record for me so I can try to progress the situation.

Thanks again for all your advice. It’s baby steps but at least I’m making some progress with the process :slight_smile:
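Posts #4 and #8 make two points worth checking mechanically before asking the CA to validate: a host that resolves only to private address space can use none of the connection-based challenges, so dns-01 is the only option, and the dns-01 TXT record has to be visible on the public resolver before validation is triggered. The script below is an added example (not code from any poster in this thread or from Let’s Encrypt); it assumes the reachability rule stated in #4 and the dns-01 TXT derivation from RFC 8555 section 8.4, and the token, account-key thumbprint and zone contents in it are constructed stand-ins for what an ACME client prints and what the DNS operator publishes.

```python
import base64
import hashlib
import ipaddress

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    # RFC 8555 s8.4: the TXT record holds base64url(SHA-256(keyAuthorization))
    # without '=' padding, where keyAuthorization = token "." JWK thumbprint.
    key_auth = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def feasible_challenges(addresses):
    # http-01 and tls-alpn-01 require the CA to connect to the host from the
    # public internet, so a non-global address (RFC 1918, loopback, link-local)
    # among the answers rules them out. dns-01 only needs a public TXT record.
    feasible = {"dns-01"}
    if addresses and all(ipaddress.ip_address(a).is_global for a in addresses):
        feasible.update({"http-01", "tls-alpn-01"})
    return feasible

def dns01_record_ready(domain, token, account_thumbprint, published_txt):
    # published_txt: dict of TXT owner name -> list of record strings, as a
    # public resolver would return them. Returns (owner name, expected, found).
    name = f"_acme-challenge.{domain.rstrip('.')}"
    expected = dns01_txt_value(token, account_thumbprint)
    return name, expected, expected in published_txt.get(name, [])

if __name__ == "__main__":
    domain = "ssl.trainingservices.bim.ie"   # host from the thread
    # Constructed values standing in for the ACME client's challenge output.
    token = "constructed-token-not-from-a-real-order"
    thumbprint = "constructed-account-key-thumbprint"
    print(feasible_challenges(["172.16.60.100"]))   # address from post #1
    # Constructed zone contents: the operator copied the value correctly.
    zone = {f"_acme-challenge.{domain}": [dns01_txt_value(token, thumbprint)]}
    print(dns01_record_ready(domain, token, thumbprint, zone))
```

Run it against a live resolver by replacing the constructed `zone` dict with the TXT answer from a public DNS lookup of the `_acme-challenge` name; until `found` is true the CA's validation will fail the same way.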