Certificate is not valid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.scineuromodulation.com

I ran this command:
/snap/bin/certbot renew --allow-subset-of-names

It produced this output:
Processing /etc/letsencrypt/renewal/scineuromodulation.com.conf


Certificate not yet due for renewal

My web server is (include version):
Ubuntu 20.04 nginx

The operating system my web server runs on is (include version):
nginx/1.18.0 (Ubuntu)

My hosting provider, if applicable, is:
google cloud

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.7.0

www and the base domain are different things; get a new certificate with both the www version and the version without www.

3 Likes

There is both www and bare domain in the config. That site has been using certbot for several years, with no issues. Until now. I got an email from 'Let's Encrypt Expiry Bot'. The cert was renewed on Sept 20.

When I connect to https://www.sci~~~~.com, the server's certificate is just for scineuromodulation.com and doesn't cover www.scineuromodulation.com. Your last certificate from 2023/8/1 did cover both, but the newest certificate on 2023/9/30 doesn't.

3 Likes

How to fix?

" /etc/letsencrypt/live/scineuromodulation.com/fullchain.pem expires on 2023-12-29 (skipped)"

Create a new certificate:
certbot --nginx -d name1 -d name2

3 Likes

I get this when I run that:

(U)pdate key type/(K)eep existing key type:

I don't know what it wants?

An RSA certificate named scineuromodulation.com already exists. Do you want to
update its key type to ECDSA?

If I answer yes, it just keeps saying the same thing:

(U)pdate key type/(K)eep existing key type: ECDSA
(U)pdate key type/(K)eep existing key type: yes
(U)pdate key type/(K)eep existing key type: YES
(U)pdate key type/(K)eep existing key type: y
(U)pdate key type/(K)eep existing key type:

It doesn't much matter; toss a coin or keep it.

2 Likes

How so? What is the right answer? I don't care about ECDSA.

Please show the output of the command:

sudo certbot certificates

Sounds like you have multiple certificates and your webserver is using the incorrect one.

3 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: assentushealth.com
Serial Number: 4880b622e5a6d483c7ce8f4d7e3b816a563
Key Type: RSA
Domains: assentushealth.com www.assentushealth.com
Expiry Date: 2023-12-02 06:11:44+00:00 (VALID: 52 days)
Certificate Path: /etc/letsencrypt/live/assentushealth.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/assentushealth.com/privkey.pem
Certificate Name: lakejericho.com
Serial Number: 4b4eecaa3b6fabeadb48e5509c60f043bdd
Key Type: RSA
Domains: lakejericho.com www.lakejericho.com
Expiry Date: 2023-12-10 05:06:15+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/lakejericho.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lakejericho.com/privkey.pem
Certificate Name: lorialdrycleaners.com
Serial Number: 4af887c26f95d078397f9081e1140236f82
Key Type: RSA
Domains: www.lorialdrycleaners.com
Expiry Date: 2023-11-23 10:38:05+00:00 (VALID: 43 days)
Certificate Path: /etc/letsencrypt/live/lorialdrycleaners.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lorialdrycleaners.com/privkey.pem
Certificate Name: recoverytapers.org
Serial Number: 352ab47b1144d9dd53ecddba0a95c902443
Key Type: RSA
Domains: recoverytapers.org www.recoverytapers.org
Expiry Date: 2023-12-16 05:01:47+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/recoverytapers.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/recoverytapers.org/privkey.pem
Certificate Name: scineuromodulation.com
Serial Number: 332f07cad539194ec943842671d3d370437
Key Type: RSA
Domains: scineuromodulation.com
Expiry Date: 2023-12-29 05:04:13+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/scineuromodulation.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/scineuromodulation.com/privkey.pem

So it looks like you no longer have a certificate valid for scineuromodulation.com. You used to have that though, see crt.sh | scineuromodulation.com. For some reason the www part got removed. Using --allow-subset-of-names might have caused that.

I agree with @orangepizza that getting a new certificate with both hostnames is the way to go now. Answering "yes" or "no" to a "do you want oranges or apples?" is not the correct answer by the way. Certbot was asking you to update, by answering with a "U" or to keep the current key type by answering with a "K". Not yes/no.

4 Likes
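
Added example, not part of any post in this thread: a shell function that reads `certbot certificates` output and reports every certificate whose Domains line lacks the www or bare counterpart of a listed name, which is the gap diagnosed above. It assumes each site is meant to be served under both names; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find certificates that lost a name.
# Assumption: every hostname should be covered both with and without "www.".

# Reads `certbot certificates` output on stdin and prints one line per gap:
#   <certificate name>: missing <hostname>
missing_counterparts() {
  awk '
    /Certificate Name:/ { name = $NF }
    /Domains:/ {
      split("", have)                        # portable way to clear the array
      for (i = 2; i <= NF; i++) have[$i] = 1
      for (i = 2; i <= NF; i++) {
        d = $i
        if (d ~ /^\*\./) continue            # wildcard entries are not paired
        other = (d ~ /^www\./) ? substr(d, 5) : "www." d
        if (!(other in have)) print name ": missing " other
      }
    }
  '
}

# Constructed sample in the layout certbot prints (not real certificates).
sample_output() {
  cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Key Type: RSA
    Domains: example.com www.example.com
    Expiry Date: 2023-12-02 06:11:44+00:00 (VALID: 52 days)
  Certificate Name: example.org
    Key Type: RSA
    Domains: example.org
    Expiry Date: 2023-12-29 05:04:13+00:00 (VALID: 79 days)
EOF
}

# Stand-alone run against the constructed sample.
# On a real host: sudo certbot certificates | missing_counterparts
sample_output | missing_counterparts
```

Running this after each renewal, especially one that used --allow-subset-of-names, shows a dropped hostname before visitors hit a name-mismatch error.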

That did it! Thx!

2 Likes

https://www.scineuromodulation.com/

In this case, I think @Osiris was saying that you might have created this discrepancy by using --allow-subset-of-names in the past, and not suggesting that you use it now in order to fix the discrepancy.

5 Likes
