Cert valid however showing as expired to public Internet

Running Ubuntu 22.04 LTS

Server name is globus-dtn1.bioscience-ct.net

certbot certificates produces the following output:


Found the following certs:
Certificate Name: globus-dtn1.bioscience-ct.net
Serial Number: 370acb95b7d802e44a5e8742adba242c53d
Key Type: RSA
Domains: globus-dtn1.bioscience-ct.net
Expiry Date: 2023-06-06 19:39:45+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/globus-dtn1.bioscience-ct.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/globus-dtn1.bioscience-ct.net/privkey.pem


cert check from the public Internet shows that cert expired on 2/20/2023

subject=CN = globus-dtn1.bioscience-ct.net
93280156
issuer=C = US, O = Let's Encrypt, CN = R3
8d33f237
notBefore=Nov 22 17:24:54 2022 GMT
notAfter=Feb 20 17:24:53 2023 GMT

Appreciate any help you can provide

That domain shows a server of "gunicorn". I am not familiar but did you restart it after getting a new cert? Often servers need a refresh after.

Certbot can do that with apache and nginx but other servers might need a --deploy-hook or other kind of refresh/restart

3 Likes

I restarted services and even rebooted the server

Check your SSL config in gunicorn and see what cert files it references. The certs are just files and gunicorn is using some cert file you got previously.

Did you make a copy of the prior cert for gunicorn maybe?

Sorry, I don't know it well enough to say more. Maybe someone else will

3 Likes

I have no clue what you are referring to when you state "gunicorn"

This is a globus connect dtn server that I installed letsencrypt on for ssl compliance.

An HTTP request shows Apache

curl -I http://globus-dtn1.bioscience-ct.net
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)

But an HTTPS request says different (and a 404 for some odd reason). Do you have some sort of firewall doing HTTPS inspection or something like that?

curl -Ik https://globus-dtn1.bioscience-ct.net
HTTP/1.1 404 NOT FOUND
Server: gunicorn

4 Likes

Issue resolved... For Globus users, you need to issue the oidc update command, specifying the paths to the updated letsencrypt certs.

1 Like
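
The mismatch diagnosed in this thread (certbot holds a valid cert on disk while the HTTPS listener still presents the old one) can be confirmed by comparing fingerprints. This is an added example, not code from the thread or from Globus; the function names and the sample PEM strings are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM bundle.

    certbot's fullchain.pem stores the leaf first and the intermediates
    after it, so only the first block is comparable to what a server sends.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def served_pem(host, port=443):
    """Fetch the leaf the listener presents. No validation is done, so an
    expired certificate is still returned instead of raising an error."""
    return ssl.get_server_certificate((host, port))

def compare(disk_pem, wire_pem):
    """Report whether the service is presenting the certificate on disk."""
    disk, wire = leaf_fingerprint(disk_pem), leaf_fingerprint(wire_pem)
    return {"match": disk == wire, "disk": disk, "served": wire}

# Constructed stand-ins, not real certificates: fingerprinting only needs bytes.
OLD_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed leaf, notAfter Feb 20 2023")
NEW_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed leaf, notAfter Jun 6 2023")
FULLCHAIN = NEW_LEAF + ssl.DER_cert_to_PEM_cert(b"constructed intermediate")

if __name__ == "__main__":
    if len(sys.argv) == 3:            # usage: script.py HOST /path/to/fullchain.pem
        with open(sys.argv[2]) as fh:
            result = compare(fh.read(), served_pem(sys.argv[1]))
    else:                             # offline demo: stale cert still being served
        result = compare(FULLCHAIN, OLD_LEAF)
    print(result)
    sys.exit(0 if result["match"] else 1)
```

A non-zero exit after a renewal means the service reads a different certificate file than the one certbot renewed, or has not reloaded it.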
