Certbot does not extend expired cert, says it is valid

Hi team,

In general issue:
certbot is executed, but the cert is not updated, you can see from the output, date output last…

My domain is: lpic.lt ip.lpic.lt

I ran this command and it produced this output:
lpic@vps533441:~$ openssl x509 -noout -text -in /home/lpic/letsencrypt/etc/live/lpic.lt/fullchain.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:65:23:38:29:33:b8:20:a2:35:a8:14:f5:6f:91:ad:8c:a3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Feb  2 21:01:24 2019 GMT
            Not After : May  3 21:01:24 2019 GMT
        Subject: CN = lpic.lt
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                24:5D:F1:84:95:12:C8:75:58:3D:D6:E0:D8:C9:7F:E0:E0:4F:43:14
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:ip.lpic.lt, DNS:lpic.lt, DNS:wallabag.lpic.lt
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                    Timestamp : Feb  2 22:01:24.193 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:7D:A1:90:DE:DA:38:29:70:23:00:5F:0F:
                                5A:91:8D:F1:1B:8E:3D:A4:73:F5:01:8B:E0:79:10:DE:
                                8D:94:0D:BF:02:21:00:A1:98:85:F0:A3:AF:86:D6:B7:
                                19:39:09:0F:D3:16:8A:15:07:51:2B:A2:47:8B:CF:16:
                                51:BF:F2:6B:62:10:B6
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Feb  2 22:01:24.269 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:B2:D0:D7:6E:B0:DA:54:E3:29:91:49:
                                01:88:26:65:18:87:1C:6C:D6:5C:BC:7C:22:E5:77:1D:
                                E0:D2:89:44:EA:02:20:0D:55:84:F1:69:0B:D4:4D:34:
                                9A:16:B6:EA:A6:9F:61:C9:43:C0:A2:43:D5:8B:AB:1F:
                                B7:BB:0E:40:E4:8C:E3
    Signature Algorithm: sha256WithRSAEncryption
lpic@vps533441:~$ cat /home/lpic/letsencrypt/logs/certbot_renew.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /home/lpic/letsencrypt/etc/renewal/lpic.lt.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /home/lpic/letsencrypt/etc/live/lpic.lt/fullchain.pem expires on 2019-05-03 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
lpic@vps533441:~$ date
Thu Mar  7 00:26:02 EET 2019
lpic@vps533441:~$

My web server is (include version): nginx 1.10.3-1+deb9u2

The operating system my web server runs on is (include version): Deb 9.8

My hosting provider, if applicable, is: OVH?

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0
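
The arithmetic behind the "not due for renewal yet" line, as an added example (not code from the thread or from Certbot): it parses the openssl "Not After" line, measures the remaining validity against the "date" output above, applies Certbot's default 30-day renewal window, and reproduces the day/month misreading that turned "3 May" into "5 March". The EET offset of +2 hours is assumed for the server's "date" output.

```python
from datetime import datetime, timedelta, timezone

# certbot's default renewal window: "certbot renew" only acts when fewer than
# 30 days of validity remain (renew_before_expiry = 30 days), which is why the
# renewal log above reports the certificate as "not due for renewal yet".
RENEW_BEFORE_EXPIRY = timedelta(days=30)

def parse_openssl_not_after(line: str) -> datetime:
    """Parse an openssl 'Not After' line into a timezone-aware UTC datetime.

    openssl pads single-digit days with a space ('May  3'), so the whitespace
    is collapsed before strptime. Only the first ':' separates label and value.
    """
    value = " ".join(line.split(":", 1)[1].split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def days_until_expiry(not_after: datetime, now: datetime) -> float:
    """Validity remaining in days (negative once the certificate has expired)."""
    return (not_after - now).total_seconds() / 86400

def certbot_would_renew(not_after: datetime, now: datetime,
                        window: timedelta = RENEW_BEFORE_EXPIRY) -> bool:
    """True once 'now' lies inside the renewal window before 'not_after'."""
    return now >= not_after - window

def misread_as_month_day(dd_mm_yyyy: str) -> datetime:
    """Interpret a dd.mm.yyyy string as if it were mm.dd.yyyy: the slip made in
    the thread, where '03.05.2019' (3 May) was read as 5 March."""
    return datetime.strptime(dd_mm_yyyy, "%m.%d.%Y").replace(tzinfo=timezone.utc)

# Values taken from the thread: the cert's Not After line and the server's
# "date" output (EET assumed to be UTC+2, as it is in early March before DST).
NOT_AFTER = parse_openssl_not_after("Not After : May  3 21:01:24 2019 GMT")
NOW = datetime(2019, 3, 7, 0, 26, 2, tzinfo=timezone(timedelta(hours=2)))
DAYS_REMAINING = days_until_expiry(NOT_AFTER, NOW)

if __name__ == "__main__":
    print(f"expires {NOT_AFTER:%Y-%m-%d}, {DAYS_REMAINING:.1f} days left")
    print("certbot would renew now:", certbot_would_renew(NOT_AFTER, NOW))
    local = NOT_AFTER.strftime("%d.%m.%Y")
    print(f"as dd.mm.yyyy: {local}; misread as mm.dd: {misread_as_month_day(local):%Y-%m-%d}")
```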

What's the problem? Both show the same expiry date, 2 months from now.

Hi @qw3r3wq

your domain uses an expired certificate:

CN=lpic.lt
    04.12.2018 - 04.03.2019
    2 days expired    ip.lpic.lt, lpic.lt, wallabag.lpic.lt - 3 entries

Your config isn't good, you have IPv6 addresses, but your IPv6 has timeouts ( https://check-your-website.server-daten.de/?q=lpic.lt ).

But you have a valid certificate. To install your certificate: Try

certbot -d ip.lpic.lt -d lpic.lt -d wallabag.lpic.lt

then Certbot should find the new certificate and ask if you want to reinstall it.

Creating a new certificate will not work, you have to fix your IPv6 timeouts.

Domainname Http-Status redirect Sec. G
http://lpic.lt/
51.254.39.221 301 https://lpic.lt/ 0.040 A
http://www.lpic.lt/
51.254.39.221 301 https://www.lpic.lt/ 0.040 A
http://lpic.lt/
2001:41d0:401:3200::1a16 -14 10.026 T
Timeout - The operation has timed out
http://www.lpic.lt/
2001:41d0:401:3200::1a16 -14 10.026 T
Timeout - The operation has timed out
https://www.lpic.lt/
51.254.39.221 301 https://lpic.lt/ 5.833 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
https://lpic.lt/
51.254.39.221 200 6.203 N
Certificate error: RemoteCertificateChainErrors
https://lpic.lt/
2001:41d0:401:3200::1a16 -14 10.027 T
Timeout - The operation has timed out
https://www.lpic.lt/
2001:41d0:401:3200::1a16 -14 10.027 T
Timeout - The operation has timed out
http://lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
51.254.39.221 301 https://lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.040 A
Visible Content: 301 Moved Permanently nginx
http://www.lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
51.254.39.221 301 https://www.lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.043 A
Visible Content: 301 Moved Permanently nginx
http://lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:41d0:401:3200::1a16 -14 10.027 T
Timeout - The operation has timed out
Visible Content:
http://www.lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:41d0:401:3200::1a16 -14 10.024 T
Timeout - The operation has timed out
Visible Content:
https://lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -14 10.027 T
Timeout - The operation has timed out
Visible Content:
https://www.lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -14 10.027 T
Timeout - The operation has timed out
Visible Content:

Thank you,
sorry, yes my fault, I am a bit sleepy now, but thank you for noticing the IPv6 issue, I will double check that.

I did: systemctl restart nginx and it works, I am not letting certbot reload the web server, as it runs as a different user than the site and php…

_az and JuergenAuer > most misleading was May 3 (this night I read it as 5th of March :smiley: :smiley: :smiley: ) stupid me… My head was translating it to my language :slight_smile:

Thank you for help!

Yep, now your non-www version is secure.

CN=lpic.lt
    02.02.2019 - 03.05.2019
    expires in 57 days    ip.lpic.lt, lpic.lt, wallabag.lpic.lt - 3 entries

But you have a DNS entry for your www version, and the certificate doesn't have this domain name -> so your www version isn't good.

hm, I think I have *.lpic.lt CNAME to lpic.lt… But it is a good idea to add at least www to cert (does anyone still use it?)

A CNAME is a DNS entry. That has no effect on your certificate.

If your certificate has only lpic.lt and a user uses www.lpic.lt, then the user has a warning message.

Some users never add www. Some users add www every time.

So if the domain is a main domain (not a subdomain), it's always good to have

  • two dns entries www + non-www
  • two http hosts (or one http host with both domain names)
  • one certificate with both domain names and two https hosts (or one with both)
  • correct redirects http -> https and https + not preferred -> https + preferred version

So all users use https and see the same url.

And it's country specific. In Germany, most domains use the www version.


To expand on this distinction:

  • the web browser uses the content of the CNAME (and/or A or AAAA) DNS record to figure out what server to connect to,
  • but the web browser uses the name typed by the user to figure out whether the certificate returned by that server is valid or not.
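
The two steps above side by side, as an added example (not code from the thread): a constructed DNS table with www as a CNAME to the apex, the SAN list from the certificate posted earlier, and the browser-style name check that ignores where the CNAME points. The zone contents are assumptions modelled on the thread; the hostname matcher also handles the wildcard case raised in the "*.lpic.lt" remark, which the thread itself does not work through.

```python
# Constructed DNS zone modelled on the thread: www and wallabag are CNAMEs to
# the apex, which holds the A record (address from the check-your-website output).
DNS = {
    "lpic.lt": ("A", "51.254.39.221"),
    "www.lpic.lt": ("CNAME", "lpic.lt"),
    "wallabag.lpic.lt": ("CNAME", "lpic.lt"),
}

# dNSName entries from the certificate's Subject Alternative Name extension above.
CERT_SANS = ["ip.lpic.lt", "lpic.lt", "wallabag.lpic.lt"]

def resolve(name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs until an A record is reached, as a resolver does."""
    for _ in range(max_hops):
        rtype, value = DNS.get(name, (None, None))
        if rtype == "A":
            return value
        if rtype != "CNAME":
            raise LookupError(f"no record for {name}")
        name = value
    raise LookupError("CNAME chain too long")

def hostname_matches(hostname: str, san: str) -> bool:
    """Match the name the user typed against one dNSName SAN, following the
    rules browsers apply: case-insensitive, label by label, and a '*' only as
    the entire leftmost label, matching exactly one label. So '*.lpic.lt'
    covers www.lpic.lt but neither lpic.lt itself nor a.b.lpic.lt."""
    host = hostname.rstrip(".").lower().split(".")
    pat = san.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # at least two fixed labels after the '*': no '*.tld' wildcards
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname: str, sans=CERT_SANS) -> bool:
    return any(hostname_matches(hostname, san) for san in sans)

def browser_check(typed_name: str, sans=CERT_SANS) -> tuple:
    """DNS decides where to connect; the typed name decides whether the
    certificate is acceptable. The CNAME target plays no part in step two."""
    address = resolve(typed_name)
    return address, cert_covers(typed_name, sans)

if __name__ == "__main__":
    for name in ("lpic.lt", "www.lpic.lt", "wallabag.lpic.lt"):
        addr, ok = browser_check(name)
        print(f"{name:18} -> {addr}  certificate {'OK' if ok else 'NAME MISMATCH'}")
```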
