Cert appears to be renewed, but browsers return ERR_CERT_DATE_INVALID

geoffschultz · June 17, 2021, 5:23pm

My domain is: nodejs.freshstartfurniturebank.org and I use port 3000

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/nodejs.freshstartfurniturebank.org.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/nodejs.freshstartfurniturebank.org/fullchain.pem expires on 2021-08-16 (skipped)
No renewals were attempted.

If I check the status of the SSL certificate using online checkers, they report that it doesn't expire for 60 days. (aka 8/16/2021)

This has been running fine until today and now browsers report: net::ERR_CERT_DATE_INVALID

When I look at the Security tab in the browser and inspect the certificate, it shows that it expires today (6/17/2021).

Rebooting didn't help.

What am I doing wrong/missing? (Please note that I'm the "IT guy" for a small non-profit & not a professional software engineer).

My web server is (include version): Apache/2.4.38 (Raspbian)

The operating system my web server runs on is (include version): raspbian 10

My hosting provider, if applicable, is: raspberry pi

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Rip · June 17, 2021, 5:36pm

Hi @geoffschultz and welcome to the community!

At first glance, I can access your site.

And a picture is worth a thousand words!
No problems from where I sit.
FIRST ... I'd look at flushing the browser(s) cache(s) and recheck for the error.

griffin · June 17, 2021, 6:02pm

Welcome to the Let's Encrypt Community, Geoff

You can see the full certificate history for nodejs.freshstartfurniturebank.org here:

https://crt.sh/?q=nodejs.freshstartfurniturebank.org

Note that every other certificate in that list is a precertificate, so there have actually only been three certificates issued for nodejs.freshstartfurniturebank.org.

So nodejs.freshstartfurniturebank.org:3000 is serving this certificate:

It's also worth noting that nodejs.freshstartfurniturebank.org:3000 is presently returning 404 as its index page.

On the other hand, nodejs.freshstartfurniturebank.org:443 is serving this certificate:

I would suggest starting with reloading your Apache webserver, clearing your cache, then trying again.

sudo apachectl -k graceful

If that doesn't help, please show the output of:

sudo certbot certificates

geoffschultz · June 17, 2021, 6:29pm

The server is only for socket.io and there is no web server. Here's a URL that returns an error:

https://nodejs.freshstartfurniturebank.org:3000/socket.io/?EIO=4&transport=polling&t=NeQ-C1J

I cleared the browser cache and rebooted the server and then did:

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: nodejs.freshstartfurniturebank.org
Domains: nodejs.freshstartfurniturebank.org
Expiry Date: 2021-08-16 23:18:19+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/nodejs.freshstartfurniturebank.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nodejs.freshstartfurniturebank.org/privkey.pem

griffin · June 17, 2021, 6:53pm

The software associated with port 3000 might be configured to serve an old certificate in /etc/letsencrypt/archive/nodejs.freshstartfurniturebank.org rather than the newest certificate (/etc/letsencrypt/live/nodejs.freshstartfurniturebank.org/fullchain.pem).

rg305 · June 17, 2021, 7:48pm

What software handles port 3000?

It is still using this cert:

geoffschultz · June 17, 2021, 10:13pm

The software that runs is a server that I wrote in nodejs using socket.io. I must admit that configuring the SSL certificate was extremely confusing to me, and I probably screwed something up. Here's the code to initialize it:

const cors = require('cors');
const fs = require('fs');
const { isNull } = require('util');

const options = {
key: fs.readFileSync('privkey.pem'),
cert: fs.readFileSync('fullchain.pem')
};

var app = require('express')();

var server = require('https').createServer(options, app);

As I was writing this, I realized that it's reading a local (old) copy of privkey.pem and fullchain.pem, which I changed to read from /etc/letsencrypt/live/nodejs.freshstartfurniturebank.org and all seems well. Is this the correct approach?

Thank you very much for your help!

griffin · June 17, 2021, 10:16pm

You've got it right, my friend!

system · July 17, 2021, 10:17pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot renew says: Cert not yet due for renewal. Firefox says:cert expired Server	3	2184	August 9, 2018
NET::ERR_CERT_DATE_INVALID after manual renewal Server	7	12401	March 31, 2017
Renew fail. expire date in broser is wrong Help	10	1958	May 18, 2018
Why am I not yet due for renewal - yet it's expired? Help	9	1859	March 27, 2021
Renewed SSL certificate, but browsers and SSLlabs show old expiry date? Help	4	2289	February 8, 2018

Cert appears to be renewed, but browsers return ERR_CERT_DATE_INVALID

Related topics