Certbot does not extend expired cert, says it is valid

#1

Hi team,

In general issue:
certbot is executed, but the cert is not updated; you can see it from the output, the date output is last…

My domain is: lpic.lt ip.lpic.lt

I ran this command and it produce this output:
lpic@vps533441:~$ openssl x509 -noout -text -in /home/lpic/letsencrypt/etc/live/lpic.lt/fullchain.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:65:23:38:29:33:b8:20:a2:35:a8:14:f5:6f:91:ad:8c:a3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Feb  2 21:01:24 2019 GMT
            Not After : May  3 21:01:24 2019 GMT
        Subject: CN = lpic.lt
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:73:a0:52:a2:f8:88:39:55:6e:6f:98:86:64:
                    b9:50:a7:72:98:29:b5:81:0b:01:c0:56:c7:f1:26:
                    9e:6b:6c:52:5e:e4:44:2b:37:6e:83:f6:83:77:0f:
                    ab:50:6d:6d:b6:d2:c6:2a:8c:49:66:83:41:c5:1b:
                    9f:0f:2b:e6:9f:23:99:b8:00:96:35:5a:7e:97:13:
                    e0:3f:17:de:4a:0a:20:d8:e1:b4:8b:41:fd:4f:7b:
                    41:a3:bf:9a:a4:7e:ef:f4:c4:84:40:bd:cd:b3:9e:
                    bd:b9:76:db:65:c4:a7:50:77:fc:ec:a9:05:e8:9b:
                    d4:e5:e6:bd:f0:81:f4:f2:55:51:d8:58:b0:29:76:
                    e4:91:73:c1:fc:fd:bc:85:e7:79:d2:b6:88:21:49:
                    c4:67:69:70:2c:7d:86:ef:4a:2d:4e:7d:70:89:12:
                    8e:33:de:10:ca:06:b2:22:46:46:41:06:26:13:e0:
                    42:7e:e0:a3:5b:c2:f0:84:40:b1:ce:ba:ad:1e:4a:
                    24:3f:c4:8d:0d:78:22:7e:1e:19:40:72:40:40:dd:
                    93:6a:94:57:76:61:a1:71:f7:1b:68:16:f3:b7:95:
                    cc:5e:a2:fa:4b:cf:d5:31:20:c9:ca:5b:cf:fa:cb:
                    b9:6e:27:1f:c1:63:55:9c:24:ab:b4:e9:cc:83:b8:
                    95:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                24:5D:F1:84:95:12:C8:75:58:3D:D6:E0:D8:C9:7F:E0:E0:4F:43:14
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:ip.lpic.lt, DNS:lpic.lt, DNS:wallabag.lpic.lt
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                    Timestamp : Feb  2 22:01:24.193 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:7D:A1:90:DE:DA:38:29:70:23:00:5F:0F:
                                5A:91:8D:F1:1B:8E:3D:A4:73:F5:01:8B:E0:79:10:DE:
                                8D:94:0D:BF:02:21:00:A1:98:85:F0:A3:AF:86:D6:B7:
                                19:39:09:0F:D3:16:8A:15:07:51:2B:A2:47:8B:CF:16:
                                51:BF:F2:6B:62:10:B6
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Feb  2 22:01:24.269 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:B2:D0:D7:6E:B0:DA:54:E3:29:91:49:
                                01:88:26:65:18:87:1C:6C:D6:5C:BC:7C:22:E5:77:1D:
                                E0:D2:89:44:EA:02:20:0D:55:84:F1:69:0B:D4:4D:34:
                                9A:16:B6:EA:A6:9F:61:C9:43:C0:A2:43:D5:8B:AB:1F:
                                B7:BB:0E:40:E4:8C:E3
    Signature Algorithm: sha256WithRSAEncryption
         8c:1a:3a:d3:98:41:ec:cd:e3:3b:12:38:72:77:ff:53:b4:15:
         73:bd:b1:54:b4:95:66:15:16:13:a5:1f:5e:6a:c2:d8:18:e6:
         de:41:13:95:cc:d7:74:36:9d:27:fb:09:3c:f6:8f:b3:cf:34:
         47:85:e6:12:c2:cd:07:49:75:15:a3:2b:10:0a:99:8b:47:81:
         b8:55:48:b1:18:f1:99:d5:09:7b:48:13:b0:93:ec:8c:a2:07:
         4c:3c:07:87:f5:ba:c4:69:66:8f:dd:48:0e:12:85:bf:38:cb:
         4a:22:18:e3:ec:31:3f:eb:4f:2a:d3:42:d1:94:11:ef:b4:07:
         f8:81:f2:fe:93:a5:96:dc:40:a1:29:4e:a4:0d:56:4d:89:06:
         8a:09:c9:29:53:cf:a1:ff:5b:42:37:07:38:ed:3a:b5:c2:1d:
         21:65:02:7f:f2:27:09:66:58:5b:7d:e9:49:28:71:58:71:4f:
         20:26:22:11:7f:49:c3:97:05:0e:04:9d:5b:ab:bd:e9:03:8e:
         3f:a3:a2:b4:5d:97:d5:7c:97:d0:fc:f6:09:52:5e:b0:bb:d5:
         47:a5:51:57:e9:89:d9:9d:99:89:44:e4:34:66:b5:30:3d:5c:
         53:b2:c5:c4:7e:b3:cf:d9:ef:5b:f0:87:c6:e5:86:2f:7b:0a:
         b4:b9:fb:01
lpic@vps533441:~$ cat /home/lpic/letsencrypt/logs/certbot_renew.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /home/lpic/letsencrypt/etc/renewal/lpic.lt.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /home/lpic/letsencrypt/etc/live/lpic.lt/fullchain.pem expires on 2019-05-03 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
lpic@vps533441:~$ date
Thu Mar  7 00:26:02 EET 2019
lpic@vps533441:~$

My web server is (include version): nginx 1.10.3-1+deb9u2

The operating system my web server runs on is (include version): Deb 9.8

My hosting provider, if applicable, is: OVH?

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

#2

What’s the problem? Both show the same expiry date, 2 months from now.

#3

Hi @qw3r3wq

your domain uses an expired certificate:

CN=lpic.lt
	04.12.2018
	04.03.2019
2 days expired	ip.lpic.lt, lpic.lt, wallabag.lpic.lt - 3 entries

Your config isn't good: you have IPv6 addresses, but your IPv6 has timeouts ( https://check-your-website.server-daten.de/?q=lpic.lt ).

But you have a valid certificate. To install your certificate, try

certbot -d ip.lpic.lt -d lpic.lt -d wallabag.lpic.lt

then Certbot should find the new certificate and ask if you want to reinstall it.

Creating a new certificate will not work, you have to fix your ipv6 timeouts.

Columns: Domainname, then IP, Http-Status, redirect, Sec., G (grade)

http://lpic.lt/
    51.254.39.221  301  https://lpic.lt/  0.040  A
http://www.lpic.lt/
    51.254.39.221  301  https://www.lpic.lt/  0.040  A
http://lpic.lt/
    2001:41d0:401:3200::1a16  -14  10.026  T
    Timeout - The operation has timed out
http://www.lpic.lt/
    2001:41d0:401:3200::1a16  -14  10.026  T
    Timeout - The operation has timed out
https://www.lpic.lt/
    51.254.39.221  301  https://lpic.lt/  5.833  N
    Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
https://lpic.lt/
    51.254.39.221  200  6.203  N
    Certificate error: RemoteCertificateChainErrors
https://lpic.lt/
    2001:41d0:401:3200::1a16  -14  10.027  T
    Timeout - The operation has timed out
https://www.lpic.lt/
    2001:41d0:401:3200::1a16  -14  10.027  T
    Timeout - The operation has timed out
http://lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    51.254.39.221  301  https://lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  0.040  A
    Visible Content: 301 Moved Permanently nginx
http://www.lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    51.254.39.221  301  https://www.lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  0.043  A
    Visible Content: 301 Moved Permanently nginx
http://lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    2001:41d0:401:3200::1a16  -14  10.027  T
    Timeout - The operation has timed out
    Visible Content:
http://www.lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    2001:41d0:401:3200::1a16  -14  10.024  T
    Timeout - The operation has timed out
    Visible Content:
https://lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    -14  10.027  T
    Timeout - The operation has timed out
    Visible Content:
https://www.lpic.lt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    -14  10.027  T
    Timeout - The operation has timed out
    Visible Content:

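The diagnosis in the post above (the file certbot maintains is fresh, the web server is still serving the old, now-expired certificate) can be checked mechanically. The following is an added example, not code from the thread or from Certbot: it parses the text that `openssl x509 -noout -dates -serial` prints, applies certbot's 30-day renewal threshold, and flags a reload when the served serial differs from the on-disk one. The on-disk sample uses the dates and serial shown in post #1; the "served" sample and its serial are constructed for the demonstration, and the clock is taken from the `date` output in post #1 (EET = UTC+2).

```python
"""Added example, not code from the thread: decide whether a certificate file
is due for renewal the way certbot does, and detect the failure seen in this
thread, where the file on disk was renewed but the web server kept serving the
old, expired certificate because it was never reloaded.

Input is the text format of `openssl x509 -noout -dates -serial`; the on-disk
sample uses the dates and serial from the thread, the "served" sample is
constructed for the demonstration (its serial is a placeholder).
"""
from datetime import datetime, timedelta, timezone

# certbot's default renew_before_expiry is 30 days: a certificate is skipped
# ("not due for renewal yet") while more than 30 days remain.
RENEW_BEFORE_DAYS = 30

# From the thread's certificate (openssl x509 -noout -dates -serial -in fullchain.pem)
ON_DISK_TEXT = """\
notBefore=Feb  2 21:01:24 2019 GMT
notAfter=May  3 21:01:24 2019 GMT
serial=036523382933B820A235A814F56F91AD8CA3
"""

# Constructed: what `openssl s_client -connect lpic.lt:443 </dev/null | openssl
# x509 -noout -dates -serial` shows while nginx still holds the previous cert.
SERVED_TEXT = """\
notBefore=Dec  4 21:01:24 2018 GMT
notAfter=Mar  4 21:01:24 2019 GMT
serial=PLACEHOLDERSERIAL
"""

# The `date` output in the thread: Thu Mar  7 00:26:02 EET 2019 (EET = UTC+2).
NOW = datetime(2019, 3, 6, 22, 26, 2, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Parse `key=value` lines from `openssl x509 -dates -serial` output.

    openssl prints ASN.1 times as e.g. 'May  3 21:01:24 2019 GMT' (always GMT);
    the month comes first, which is what the poster misread as 5 March.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()

    def to_utc(value):
        if value.endswith(" GMT"):
            value = value[:-4]
        # strptime treats whitespace in the format as "one or more", so the
        # space-padded day in 'May  3' parses fine.
        return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

    return {
        "not_before": to_utc(fields["notBefore"]),
        "not_after": to_utc(fields["notAfter"]),
        "serial": fields.get("serial", "").upper(),
    }


def renewal_status(cert, now=NOW):
    """Return (status, whole_days_left). Days are truncated toward zero, so an
    expired certificate reports a negative number ("2 days expired" -> -2)."""
    remaining = cert["not_after"] - now
    days_left = int(remaining.total_seconds() / 86400)
    if remaining <= timedelta(0):
        return "expired", days_left
    if remaining < timedelta(days=RENEW_BEFORE_DAYS):
        return "due", days_left
    return "not due", days_left


def needs_reload(on_disk, served):
    """The server is stale when it serves a different serial than the file
    certbot maintains; that is exactly the situation in this thread."""
    return on_disk["serial"] != served["serial"]


def diagnose(on_disk_text=ON_DISK_TEXT, served_text=SERVED_TEXT, now=NOW):
    on_disk = parse_openssl_dates(on_disk_text)
    served = parse_openssl_dates(served_text)
    disk_status, disk_days = renewal_status(on_disk, now)
    served_status, served_days = renewal_status(served, now)
    return {
        # ISO dates avoid the "May 3" / "5 March" ambiguity entirely
        "on_disk": (disk_status, disk_days, on_disk["not_after"].date().isoformat()),
        "served": (served_status, served_days, served["not_after"].date().isoformat()),
        "reload_web_server": needs_reload(on_disk, served),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key:18} {value}")
```

Run against real hosts, the on-disk text comes from the `live/` path and the served text from `openssl s_client`; a `reload_web_server` of True means the renewal worked and only the web server is behind, which is what a `systemctl reload nginx` (or a certbot `--deploy-hook` that does it) fixes. Run the `s_client` check once per published address, since an IPv6 listener that times out, as in post #3, hides a problem that the IPv4 check alone will not show.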
#4

Thank you,
Sorry, yes, my fault, I am a bit sleepy now, but thank you for noticing the IPv6 issue, I will double-check that.

I did: systemctl restart nginx, and it works. I am not letting certbot reload the web server, as it runs as a different user than the site and PHP…

_az and JuergenAuer > most misleading was May 3 (tonight I read it as the 5th of March :smiley: :smiley: :smiley:), stupid me… My head was translating it to my language :slight_smile:

Thank you for help!

#5

Yep, now your non-www version is secure.

CN=lpic.lt
	02.02.2019
	03.05.2019
expires in 57 days	ip.lpic.lt, lpic.lt, wallabag.lpic.lt - 3 entries

But you have a DNS entry for your www version, and the certificate doesn't have this domain name -> so your www version isn't good.

#6

Hm, I think I have *.lpic.lt CNAME to lpic.lt… But it is a good idea to add at least www to the cert (does anyone still use it?)

#7

A CNAME is a DNS entry. That has no effect on your certificate.

If your certificate has only lpic.lt and a user uses www.lpic.lt, then the user gets a warning message.

Some users never add www. Some users add www every time.

So if the domain is a main domain (not a subdomain), it’s always good to have

  • two dns entries www + non-www
  • two http hosts (or one http host with both domain names)
  • one certificate with both domain names and two https hosts (or one with both)
  • correct redirects http -> https and https + not preferred -> https + preferred version

So all users use https and see the same url.

And it's country-specific. In Germany, most domains use the www version.

#8

To expand on this distinction:

  • the web browser uses the content of the CNAME (and/or A or AAAA) DNS record to figure out what server to connect to,
  • but the web browser uses the name typed by the user to figure out whether the certificate returned by that server is valid or not
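The two-step behaviour described in posts #7 and #8 (DNS chooses the server, the typed name is what the certificate is checked against) is easy to get wrong when a wildcard CNAME makes "every subdomain work" at the DNS layer. The block below is an added example, not code from the thread: it follows a CNAME chain to an address, then applies the hostname-to-SAN matching rule browsers use (exact match, or a wildcard that is the whole left-most label and covers exactly one label). The SAN list is the one from the thread's certificate; the DNS table, the `*.lpic.lt` wildcard-certificate cases and the simplified wildcard-DNS handling (direct children only) are constructed and go beyond the thread's single www case.

```python
"""Added example, not code from the thread: the matching a browser does between
the name the user typed and the certificate's Subject Alternative Names (SAN).
DNS records (CNAME/A/AAAA) only decide which server is contacted; they never
make a name acceptable to the certificate check. The SAN list is the thread's
certificate; the DNS table and wildcard-certificate cases are constructed.
"""

THREAD_SAN = ["ip.lpic.lt", "lpic.lt", "wallabag.lpic.lt"]

# Constructed DNS view of the setup described in post #6: a wildcard CNAME that
# sends every subdomain to lpic.lt, plus an address record for lpic.lt itself.
DNS = {
    "lpic.lt": ("A", "51.254.39.221"),
    "*.lpic.lt": ("CNAME", "lpic.lt"),
}


def resolve(name, dns=DNS):
    """Follow CNAMEs to the address a client would connect to.

    Simplification (assumption of this example): a wildcard DNS entry is
    consulted only for direct children of its parent.
    Returns (address_or_None, chain_of_names_followed).
    """
    chain = [name]
    for _ in range(8):  # guard against CNAME loops
        record = dns.get(name)
        if record is None:
            parent = name.partition(".")[2]
            record = dns.get("*." + parent) if parent else None
        if record is None:
            return None, chain
        rtype, target = record
        if rtype != "CNAME":
            return target, chain
        name = target
        chain.append(name)
    return None, chain


def hostname_matches_san(hostname, san_names):
    """DNS-ID matching as browsers apply it (RFC 2818 / RFC 6125 style):
    case-insensitive; exact match, or a wildcard that is the entire left-most
    label and stands for exactly one label, so '*.lpic.lt' covers
    'www.lpic.lt' but neither the bare 'lpic.lt' nor 'a.b.lpic.lt'."""
    host = hostname.rstrip(".").lower()
    for san in san_names:
        san = san.rstrip(".").lower()
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                      # '.lpic.lt'
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:      # exactly one label
                    return True
    return False


def browser_check(typed_name, san_names=THREAD_SAN, dns=DNS):
    """What the browser does: connect using DNS, validate using the typed name."""
    address, chain = resolve(typed_name, dns)
    return {
        "connects_to": address,
        "cname_chain": chain,
        "certificate_ok": hostname_matches_san(typed_name, san_names),
    }


def names_missing_from_cert(wanted, san_names=THREAD_SAN):
    """Names that still have to be added with `certbot -d ...` so that every
    variant a user may type validates."""
    return [n for n in wanted if not hostname_matches_san(n, san_names)]


if __name__ == "__main__":
    for name in ("lpic.lt", "www.lpic.lt"):
        print(name, browser_check(name))
    print("add to certificate:", names_missing_from_cert(["lpic.lt", "www.lpic.lt"]))
```

For www.lpic.lt the CNAME chain ends at the same 51.254.39.221 that serves lpic.lt, yet `certificate_ok` is False, which is the warning post #7 describes; the fix is on the certificate side (add the name to the `-d` list), not in DNS.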