Cert appears ok, but browser gives insecure connection warning


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
https://stage.uhero.hawaii.edu/ (not publicly accessible)
I ran this command:

It produced this output:

My web server is (include version):
nginx/1.12.1
The operating system my web server runs on is (include version):
RHEL6
My hosting provider, if applicable, is:
Self, on a vm managed within university IT services
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I’ll try to keep this brief and to the point: I’m sure this cert was working correctly at one time. Thankfully it is for a staging server, not production, thus not really important, but I guess I need to know why it’s breaking:

$ sudo ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: stage.uhero.hawaii.edu
Domains: stage.uhero.hawaii.edu stage-api.uhero.hawaii.edu stage-data.uhero.hawaii.edu
Expiry Date: 2019-01-21 00:49:15+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/stage.uhero.hawaii.edu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/stage.uhero.hawaii.edu/privkey.pem


also

$ sudo ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/stage.uhero.hawaii.edu.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/stage.uhero.hawaii.edu/fullchain.pem expires on 2019-01-21 (skipped)
No renewals were attempted.


IOW, everything looks ok. But when I go to the site in Firefox or Chrome, I get the standard "Your connection is not secure" warning. Note that this server is behind firewalls and you won’t be able to access it from outside. Hope that’s not really necessary to get help. If you’re wondering how I did the original cert install and renewals, I have a script that pokes open the firewall before doing the cronned renewal task, and then closes it again. I believe the script is working correctly, but I don’t think that’s relevant to my problem. Can someone help? Thanks.


#2

Hi,

Since we can’t visit the site, do you mind sharing a screenshot of the error message with us?

Thank you


#3

And perhaps on the RHEL server:

grep -R ssl_certificate /etc/nginx

and from a machine that experiences the insecure connection:

openssl s_client -connect stage.uhero.hawaii.edu:443 -servername stage.uhero.hawaii.edu -showcerts | openssl x509 -noout -text

#4

Thanks for the quick responses! I don’t really think a screenshot will help, however the fact that you asked for it is good, because it does contain important info that I forgot to provide! The reported error is Error code: SEC_ERROR_EXPIRED_CERTIFICATE, and if you open that up, you see:

https://stage.uhero.hawaii.edu/

Peer’s Certificate has expired.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

also

$ sudo grep -R ssl_certificate /etc/nginx
/etc/nginx/nginx.conf.default: # ssl_certificate cert.pem;
/etc/nginx/nginx.conf.default: # ssl_certificate_key cert.key;
/etc/nginx/nginx.conf: ssl_certificate /etc/letsencrypt/live/stage.uhero.hawaii.edu/fullchain.pem; # managed by Certbot
/etc/nginx/nginx.conf: ssl_certificate_key /etc/letsencrypt/live/stage.uhero.hawaii.edu/privkey.pem; # managed by Certbot
/etc/nginx/nginx.conf: ssl_certificate /etc/letsencrypt/live/stage.uhero.hawaii.edu/fullchain.pem; # managed by Certbot
/etc/nginx/nginx.conf: ssl_certificate_key /etc/letsencrypt/live/stage.uhero.hawaii.edu/privkey.pem; # managed by Certbot

and

$ openssl s_client -connect stage.uhero.hawaii.edu:443 -servername stage.uhero.hawaii.edu -showcerts | openssl x509 -noout -text
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = stage.uhero.hawaii.edu
verify error:num=10:certificate has expired
notAfter=Oct 23 00:38:33 2018 GMT
verify return:1
depth=0 CN = stage.uhero.hawaii.edu
notAfter=Oct 23 00:38:33 2018 GMT
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:23:55:f2:f7:aa:4d:ae:bd:37:10:3e:66:8a:1a:3c:96:fe
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
        Validity
            Not Before: Jul 25 00:38:33 2018 GMT
            Not After : Oct 23 00:38:33 2018 GMT
        Subject: CN=stage.uhero.hawaii.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:15:e3:ec:ec:52:3f:41:fc:19:59:df:2f:df:
                    cb:6a:2c:ce:32:fe:9a:65:dd:4e:be:73:2a:01:0a:
                    c8:f2:78:28:e2:ba:94:1a:90:6b:96:b4:b3:81:f0:
                    7b:13:ed:23:07:09:39:2e:85:29:ba:24:ba:a2:b5:
                    b0:68:57:f9:49:10:99:a8:bc:df:3c:4f:72:df:16:
                    ec:40:dd:37:29:73:95:86:82:ee:d0:8d:13:be:39:
                    27:4b:08:e2:a6:4e:f1:0f:fd:c0:39:08:ee:49:18:
                    d1:60:70:6b:46:46:5a:17:d9:6a:a8:cc:51:0d:ad:
                    d2:f0:c8:5b:e2:92:c3:23:76:3a:8e:bb:4b:49:15:
                    a2:a1:65:a2:0b:d8:50:7c:14:89:96:8a:7e:ec:82:
                    75:d1:cc:ef:fc:d2:2c:18:42:69:80:fc:75:8a:90:
                    ad:f9:39:d5:1f:fd:64:48:0d:b0:85:7c:e7:5c:08:
                    a3:f5:87:6c:78:e4:4b:05:4f:fe:eb:ab:72:57:9b:
                    1f:36:53:4b:54:89:f5:94:2b:af:a1:89:7a:e8:6d:
                    4a:0d:ef:21:c5:4e:50:96:92:4b:50:89:71:04:5d:
                    04:41:13:8c:c2:77:06:18:27:10:2a:9e:d2:1e:35:
                    f6:12:11:92:30:e9:4c:50:66:1f:f8:f2:8b:d9:dc:
                    79:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                73:94:8D:DC:30:87:3A:1F:9C:15:EB:65:06:6E:11:D2:5D:68:63:5A
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

        Authority Information Access: 
            OCSP - URI:http://ocsp.int-x3.letsencrypt.org
            CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

        X509v3 Subject Alternative Name: 
            DNS:stage-api.uhero.hawaii.edu, DNS:stage-data.uhero.hawaii.edu, DNS:stage.uhero.hawaii.edu
        X509v3 Certificate Policies: 
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org
              User Notice:
                Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

        CT Precertificate SCTs: 
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
                            AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
                Timestamp : Jul 25 01:38:33.415 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:8E:CE:E1:8E:7E:47:58:BD:B2:C2:80:
                            6A:60:D2:15:0B:9A:7C:3C:7A:B5:82:D3:7F:03:11:7A:
                            D0:22:4D:46:10:02:20:62:46:2D:85:34:F6:BD:C0:AD:
                            57:96:09:18:44:A6:6B:2C:65:6F:D9:7B:22:52:3C:22:
                            9D:CB:42:CC:40:A9:11
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : A4:50:12:69:05:5A:15:54:5E:62:11:AB:37:BC:10:3F:
                            62:AE:55:76:A4:5E:4B:17:14:45:3E:1B:22:10:6A:25
                Timestamp : Jul 25 01:38:33.414 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:46:02:21:00:ED:7A:6F:FB:96:A5:A4:9A:D2:C1:35:
                            B5:A1:0C:0D:C7:70:4B:8B:85:86:B9:EE:82:F4:A0:9F:
                            48:69:05:6E:F0:02:21:00:EB:C2:B7:F0:17:01:4A:7F:
                            6E:60:EE:F4:17:2A:21:2F:97:98:D7:F3:E6:2C:D0:9F:
                            07:C2:43:FA:29:FA:28:47
Signature Algorithm: sha256WithRSAEncryption
     61:95:97:b0:3d:f1:d1:64:c9:f5:76:e6:37:a6:bf:cb:71:60:
     1f:30:d3:38:7b:2f:bf:ba:cf:38:bc:64:df:68:87:0d:4b:0b:
     0f:db:e6:55:cb:9e:40:85:22:db:36:65:fb:ad:97:a8:ae:25:
     9d:e9:78:6a:fd:7d:a1:2e:0b:c5:92:ed:74:bd:14:bd:41:74:
     1b:fa:8d:b8:6a:14:21:13:71:1d:5c:61:75:1c:9c:53:37:45:
     f5:16:b8:56:9d:2c:4a:fc:3e:de:e0:42:41:8a:9e:d5:a4:2e:
     09:ec:12:5b:19:ac:2c:38:99:d5:ba:a8:e2:68:b6:b8:69:69:
     6a:b8:26:aa:c3:ab:41:a2:04:f5:4e:da:90:82:ae:cb:ca:56:
     7f:aa:48:4a:5e:c8:d5:12:da:27:03:ce:cc:77:e0:ab:9f:8f:
     07:5c:3b:77:f0:a5:95:2b:a2:58:68:f1:aa:85:2d:89:38:a6:
     2f:64:ff:29:08:82:78:d4:41:e7:f3:b6:51:3f:89:2c:11:8a:
     2e:80:c6:85:6b:4f:6f:8d:a5:ad:76:ca:78:3d:3f:2a:e5:95:
     7e:80:96:f4:d5:5f:e1:af:fa:9b:59:d2:f9:90:86:03:1c:e4:
     d7:aa:2b:a8:a6:11:d8:6f:19:8a:e7:fc:4b:a7:79:4f:b9:11:
     2e:c5:72:c0

#5

That’s weird.

nginx -t
service nginx reload

#6

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Geh. Restarting nginx fixed it. Sorry for the trouble. Shoulda thought of that.


#7

If your /etc/letsencrypt/renewal/*.conf file has installer = nginx, it should have reloaded nginx for you.
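The root cause in posts #6 and #7 is a stale process, not a bad certificate: certbot wrote a fresh fullchain.pem, but nginx kept serving the expired certificate it had loaded into memory until it was reloaded. The check below is an added example (not code from this thread, from Certbot or from nginx) that detects exactly that state: it compares the SHA-256 fingerprint of the leaf certificate in fullchain.pem with the fingerprint of the certificate the server actually presents on the TLS socket, and separately reports the OpenSSL verify code (10 is "certificate has expired", as in the s_client output above). Host, port and file path are arguments the caller supplies; the fingerprint functions hash the DER bytes without parsing X.509, so they work on any PEM bundle. It can be run from cron as a monitor, or as a certbot deploy hook after the reload, and exits non-zero on a mismatch.

```python
"""Detect a web server still serving an old certificate after certbot renewed it.

Added example; not from the forum thread, Certbot or nginx. Assumptions:
  HOST       - the name nginx serves (used for TCP connect and SNI)
  PATH       - certbot's fullchain.pem (leaf first, then intermediates)
"""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def der_to_pem(der):
    """Wrap one DER certificate in PEM armor (stdlib helper)."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def leaf_fingerprint_from_pem(pem_text):
    """Fingerprint of the first certificate in the bundle (the leaf in fullchain.pem)."""
    ders = pem_to_der_list(pem_text)
    if not ders:
        raise ValueError("no certificate found in PEM text")
    return fingerprint(ders[0])


def certs_match(disk_pem_text, served_der):
    """True when the leaf on disk and the served certificate are byte-identical."""
    return leaf_fingerprint_from_pem(disk_pem_text) == fingerprint(served_der)


def served_leaf_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate presented for `host`, with SNI set.

    Verification is disabled on purpose: an expired or wrong certificate is
    exactly what we want to look at, so the handshake must not fail first.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_served(host, port=443, timeout=5.0):
    """Do a normal verifying handshake; return (verify_code, message).

    (0, 'ok') on success; otherwise OpenSSL's X509_V_ERR_* code, e.g. 10 for
    'certificate has expired', the same number s_client prints as num=10.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return 0, "ok"
    except ssl.SSLCertVerificationError as e:
        return e.verify_code, e.verify_message


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} HOST /path/to/fullchain.pem", file=sys.stderr)
        return 2
    host, path = argv[1], argv[2]
    with open(path) as f:
        disk_pem = f.read()
    served = served_leaf_der(host)
    code, msg = verify_served(host)
    print(f"verify: {code} ({msg})")
    if certs_match(disk_pem, served):
        print(f"OK: {host} serves the leaf certificate in {path}")
        return 0
    print(f"MISMATCH: {host} serves {fingerprint(served)} but {path} holds "
          f"{leaf_fingerprint_from_pem(disk_pem)}; reload the web server")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python3 check_served_cert.py stage.uhero.hawaii.edu /etc/letsencrypt/live/stage.uhero.hawaii.edu/fullchain.pem`. A MISMATCH with verify code 10 is the thread's situation; a MISMATCH with verify code 0 means the old certificate is still valid, which is the window in which a monitor like this catches the missing reload before anyone sees a browser error.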


#8

I have authenticator = nginx, but not installer. Any reason I should think twice before adding that (and to my production server as well)?


#9

The one reason I see to be cautious is:

This comment is left by the Certbot nginx installer, which indicates that you used to use the nginx installer, but at some point stopped.

I don’t know the history of your server, so I can’t say why it ended up this way, but it should be safe to re-add the installer.


#10

I did use the nginx installer originally, and don’t recall ever deciding to do things differently. The one thing I can remember is (I think) I rearranged some of the whitespace around installer-generated lines in the conf to make it look nicer. Maybe best to avoid cosmetics lol