Cert.pem, fullchain.pem files will expire before my actual certificate expires

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
affinity-iot.com
I ran this command:
N/A
It produced this output:
N/A
My web server is (include version):
Apache/2.4.39 & Tomcat

The operating system my web server runs on is (include version):
Ubuntu Linux 16.04

My hosting provider, if applicable, is:
Running Bitnami Wordpress on an AWS vm

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0

Apologies for the poorly worded title. The gist is that I want to be sure that I know when my files are expiring so that I can get the renewal process fully automated on this particular server. The cause of this issue is likely my own wrongdoing, when I erroneously generated too many certificates (https://check-your-website.server-daten.de/?q=affinity-iot.com#ct-logs).

On my site, affinity-iot.com, we have a tomcat servlet which requires a bundle.pfx file to bind on 8443 in order for customers to securely submit requests. I used the following as a reference to put this together: Using let's encrypt with tomcat

In the /live/domain directory, I see that the cert.pem, fullchain.pem, etc. are timestamped Nov 19, which means they are likely to expire on or around Feb 19. Bundle.pfx makes use of these files, and when they expire, our customers will see an expired cert warning on the site which I want to avoid. However, if you click on the padlock on the site, we are due to expire March 12. I want to be able to ensure that these files will expire in sync with the cert that my site is using for https. This way, I can get their renewals in one cron entry. I’d rather not have to worry about the key used for my servlet expiring in February and the key for the site expiring in March. Please let me know if I can provide any further information. I am rather new when it comes to the topic of SSL.

Thank you so much!


Hi @AndrewP

there is no limit hit. Checking your domain manually, one of these certificates created 2019-12-13 is used.

So install the 2019-12-13 certificate to your port 8443.


Hi @JuergenAuer,
Thank you for your reply. This is the same website that we have actually discussed before on another thread I created: Certificate did not renew but is not showing any errors.

I am curious, when executing this command to generate the bundle.pfx file, is it possible to specify which certificate I am using? Can I delete the files that were not created on 2019-12-13 and force 8443 to use this certificate? That is what I would like to try but I am curious to get your thoughts.
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:apassword

Thank you again so much for your help.

I don’t understand your question.

Your command uses files - so change these files to work with another certificate.


Hi @JuergenAuer,
Thank you for your reply. The privkey, cert and chain files specified are symlinks. They point to files in the archive directory but none are dated 2019-12-13.

-rw-r--r-- 1 root    tomcat  1915 Sep 20 00:53 cert1.pem
-rw-r--r-- 1 bitnami bitnami 1911 Nov 19 10:37 cert2.pem
-rw-r--r-- 1 root    tomcat  1647 Sep 20 00:53 chain1.pem
-rw-r--r-- 1 bitnami bitnami 1647 Nov 19 10:37 chain2.pem
-rw-r--r-- 1 root    tomcat  3562 Sep 20 00:53 fullchain1.pem
-rw-r--r-- 1 bitnami bitnami 3558 Nov 19 10:37 fullchain2.pem
-rw------- 1 root    tomcat  1708 Sep 20 00:53 privkey1.pem
-rw------- 1 bitnami bitnami 1704 Nov 19 10:37 privkey2.pem

Currently, the symlinks point to the Nov 19 files. Should I generate another new cert and point to those new files instead? I can do that but am not sure if it will fix my issue. I greatly appreciate your advice.
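The two questions running through this thread, which archive file the live/ symlinks resolve to and whether the certificate inside bundle.pfx (and the one a port actually serves) carries the same notAfter as cert.pem, can be answered with openssl alone. The script below is an added example, not code from the thread, from Certbot or from Bitnami; host names, paths and the password "demo" are placeholders, and the 30-day self-signed certificate it builds in a temp directory is constructed test material standing in for certbot's privkey.pem/cert.pem.

```shell
#!/bin/sh
# Added example: report and compare certificate expiry dates across the PEM
# files certbot wrote, the PKCS#12 bundle built from them, and a live port.
set -eu

# Where does a live/ symlink actually point (e.g. archive/<domain>/cert2.pem)?
resolved_target() {
    readlink -f "$1"
}

# notAfter of a PEM certificate file such as live/<domain>/cert.pem
pem_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# notAfter of the end-entity certificate inside a PKCS#12 bundle ($2 = password)
pfx_enddate() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# notAfter of the certificate a live TLS port presents ($1 = host, $2 = port);
# needs network access, so it is defined here but not exercised below
served_enddate() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the PEM certificate is still valid $2 seconds from now; this is the
# check to put in a cron job before deciding whether to rebuild bundle.pfx
pem_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Print "same" when cert.pem ($1) and bundle.pfx ($2, password $3) expire together
enddates_match() {
    a=$(pem_enddate "$1")
    b=$(pfx_enddate "$2" "$3")
    [ "$a" = "$b" ] && echo same || echo differ
}

demo() {
    tmp=$(mktemp -d)
    # constructed material: a 30-day self-signed cert standing in for certbot's files
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo.example" \
        -keyout "$tmp/privkey.pem" -out "$tmp/cert.pem" 2>/dev/null
    ln -s "$tmp/cert.pem" "$tmp/live-cert.pem"          # mimics live/<domain>/cert.pem
    # the same export command used in the thread, with a placeholder password
    openssl pkcs12 -export -out "$tmp/bundle.pfx" -inkey "$tmp/privkey.pem" \
        -in "$tmp/cert.pem" -password pass:demo
    echo "live symlink resolves to: $(resolved_target "$tmp/live-cert.pem")"
    echo "cert.pem   expires: $(pem_enddate "$tmp/cert.pem")"
    echo "bundle.pfx expires: $(pfx_enddate "$tmp/bundle.pfx" demo)"
    echo "expiry in sync: $(enddates_match "$tmp/cert.pem" "$tmp/bundle.pfx" demo)"
    if pem_valid_for "$tmp/cert.pem" 2592000; then     # 30 days in seconds
        echo "cert.pem still valid for 30 days, no rebuild needed"
    else
        echo "cert.pem expires within 30 days, rebuild bundle.pfx and restart Tomcat"
    fi
    rm -rf "$tmp"
}

demo
```

Run against a real deployment, point the functions at /etc/letsencrypt/live/<domain>/cert.pem and the bundle.pfx Tomcat loads, then call served_enddate for ports 443 and 8443: if the two dates differ, the bundle was built from an older archive file than the one the live/ symlinks now reference, which is exactly the situation the listing above would produce if bundle.pfx was not regenerated after the Nov 19 renewal.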
