Cert renewed successfully, but date is wrong in Unifi

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: connect.irri.org

I ran this command: sudo certbot certificates

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: connect.irri.org
Domains: connect.irri.org
Expiry Date: 2025-05-14 23:40:05+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/connect.irri.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/connect.irri.org/privkey.pem


My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS \n \l

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

I had a similar case, like the one posted in "Cert renewed, but date wrong". I usually restart my server or the service, but this time it did not work.

From the browser, here is the message showing it's expired:

Common Name (CN) connect.irri.org
Organization (O)
Organizational Unit (OU)
Common Name (CN) R11
Organization (O) Let's Encrypt
Organizational Unit (OU)
Issued On Saturday, December 14, 2024 at 1:03:23 PM
Expires On Friday, March 14, 2025 at 1:03:22 PM
Certificate 74c8a4e85f43072fb610ff86399df2a12c7127d47f470acad412acf66bf6523e
Public Key 2872bfbc31d84e92295682e10291e427fb22b15869e64f30bf8ee7f8af14cb2c

It's your webserver not using the renewed cert. Where are you using it, as I can't access the website from here?

2 Likes

It's not open to the public for security, but I can open it for you if you could send me your IP address.

We only open port 80 when renewing the certificate.

Since this is an old server, we are unable to use auto renew yet.

Thanks

What kind of server is using that cert? Apache, nginx, mail, other?

3 Likes

Honestly, I'm not sure, as it was installed along with the UniFi installation, but top shows java.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1436 unifi 20 0 3714616 894408 23872 S 22.3 22.4 10:00.41 java
2005 unifi 20 0 17.098g 300448 232512 S 1.3 7.5 3:04.65 mongod
2232 ubuntu 20 0 92796 3308 2384 S 0.3 0.1 0:00.15 sshd
4286 ubuntu 20 0 40580 3828 3124 R 0.3 0.1 0:00.23 top
1 root 20 0 38208 6104 3932 S 0.0 0.2 0:02.36 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.12 ksoftirqd/0
5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H

If this makes sense, here's the version:
ubuntu@ip-10-10-20-99:~$ java -version
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~16.04.1-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)

Thank you

You probably did a manual step to import the cert files from Certbot into the Java store.

I am not a Java expert so can't advise further. We just see that fairly often so I am pretty confident that is what you need to do.

You must have done it back in Dec but forgot to do it when you got a fresh cert in Feb.

3 Likes

Thanks boss.

December was the first installation of letsencrypt, using the commands below (history):
1473 sudo apt-get update
1474 sudo apt-get install letsencrypt
1475 sudo letsencrypt certonly
1476 sudo wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh -O /usr/local/bin/unifi_ssl_import.sh
1477 sudo chmod +x /usr/local/bin/unifi_ssl_import.sh
1478 cd /usr/local/bin
1479 sudo su
1480 exit
1481 sudo certbot renew
1482 sudo service unifi restart

I based it on this procedure:

It was successful, but this is the first time renewing on this server, and I was tempted to repeat the command.

Please see Let's Encrypt on Ubiquiti's UniFi

3 Likes

Exactly those instructions or the page it linked to? Because that page says this about itself:

————– Or continue below…though it’s a total waste of time. ———-

The linked page has a section starting with the text below. Did you follow that?

Finally, run the script!

sudo /usr/local/bin/unifi_ssl_import.sh
If you now close your browser and then re-open it to https://[your UniFi FQDN]:8443, you should no longer have the security warnings, and you will have a valid HTTPS certificate installed. And no more pesky security warnings.

This is excellent – BUT – every time certbot automatically renews your Let’s Encrypt certificate, it has to be re-imported into UniFi. So we need to run this same command on a regular basis. To do so, we’re going to create a small script and put it into the /etc/cron.daily folder.

NOTE: there are several more steps beyond that. I put the above just so you can find it on that page.

2 Likes

Hi MikeMcQ,

I'm using an old installation of the OS and UniFi version, the same as I have on another server with a different FQDN, with no problem at all.

I did follow those steps, as I did on the other server I manage, but this one gives me that error.

Thanks Mike

Thanks Bruce5051,
Will check acme.sh

1 Like

Won't help. It will just get you cert files same as you already have. You need to find out why your Unifi isn't using them. Double-check the "import" step. That seems likely what has gone wrong.

You should ask Unifi support.

Maybe someone else here has personal experience with that and will offer help. But, Unifi support is a good place to try.

3 Likes
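Added example, not part of any post in this thread: one way to confirm the mismatch discussed above is to compare the SHA-256 fingerprint of the certificate certbot holds on disk with the one the controller serves (the "Certificate" value a browser displays). The function names are hypothetical, and port 8443 is taken from the guide quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: is the served certificate the same one certbot renewed?
# Function names are hypothetical; only standard openssl subcommands are used.

# Reduce an openssl ("SHA256 Fingerprint=74:C8:...") or browser ("74c8...")
# fingerprint to bare lowercase hex so the two forms can be compared.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Fingerprint of the first (leaf) certificate in a PEM file such as fullchain.pem.
disk_fp() {
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Fingerprint of the leaf certificate presented by host:port.
served_fp() {
    norm_fp "$(openssl s_client -connect "$1:$2" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
}

# Compare two fingerprints in either notation.
# Prints in-sync (returns 0), stale (returns 1) or unknown (returns 2).
verdict() {
    disk=$(norm_fp "$1")
    served=$(norm_fp "$2")
    if [ -z "$disk" ] || [ -z "$served" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$disk" = "$served" ]; then
        echo "in-sync"
        return 0
    fi
    echo "stale"
    return 1
}

# check_unifi HOST PORT PEM_FILE
# e.g. check_unifi connect.irri.org 8443 \
#        /etc/letsencrypt/live/connect.irri.org/fullchain.pem
check_unifi() {
    verdict "$(disk_fp "$3")" "$(served_fp "$1" "$2")"
}
```

A `stale` verdict means the service is still presenting an older certificate than the one in `/etc/letsencrypt/live/`, which points at the import step discussed in the replies above rather than at certbot.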

Thank you MikeMcQ, will further check again.

Cheers

1 Like
