Certifcate expired - failed to renew


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://drfs.co.uk

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: TSO Host

I can login to a root shell on my machine (yes or no, or I don’t know): I dont know.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Control - Gridhost


#2

How did you issue the certificate in the first place, back at the start of December?

Did your control panel provide some kind of facility to do it, or did you manually upload a certificate?

If you used https://help.tsohost.com/knowledge-base/article/4934 , I think your best bet is probably to reach out to your web host and ask them about it.

Edit: Actually, this may be the issue: the HTTP to HTTPS redirect on your site is wiping out the path that is used to validate your domain for SSL.

This would prevent your certificate from renewing.

$ curl -i drfs.co.uk/.well-known/acme-challenge/xxx
HTTP/1.1 301 Moved Permanently
Date: Thu, 08 Mar 2018 21:33:13 GMT
Server: Apache
Location: https://drfs.co.uk/
Content-Length: 227
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: DYNSRV=lin120; path=/

Can you show us how your HTTP to HTTPS redirect is implemented?


#3

Thanks for your reply.

Yes the certificate was installed via hosting control panel.

Re the HTTP to HTTPS redirect, I’m a bit lost on this, but I do remeber doing this:

To force https:// for all other Linux sites;

_ Click “File manager” » public_html. Then right click on the .htaccess file and select “edit text file’_

_ Add the following code to the top of your .htaccess file: _

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://exampledomain.com/$1 [R=301,L]

_ Replace https://exampledomain.com/$1 with your domain name_

_ To finish click “Ok”_


#4

If you had implemented that advice as it was written, your redirect would not be behaving as it is currently. But it should be easy to fix!

Could you download your .htaccess file and show us its contents?


#5

Yes will do, having issues connecting FTP now… will post copy of my .htaccess ASAP. Thanks.


#6

Well, the instruction says to change example.tld/$1 to realhost.tld. Notice the lack of /$1 in the latter. Removing the $1 will result in the problem @SMB us having now. The instructions therefore were unclear or just simply erroneous.

@SMB You should look again at the instructions for the redirect and read the last part as followed: "Replace the “exampledomain.com” in the part which says https://exampledomain.com/$1 with your domain name, leaving the rest intact, especially the “/$1” part.”


#7

Hi, yes I had replaced the “exampledomain” with my domain.

Here’s .htaccess file

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://drfs.co.uk/ [R=301,L]

AddType x-httpd-php53 .php


#8

Change that to:

RewriteRule ^(.*)$ https://drfs.co.uk/$1 [R=301,L]

#9

Thanks I’ve done that, is matter of wating for certifcate to auto renew? it was originally valid until 2/3/18.


#10

The redirect appears to work well now.

Perhaps you can try to issue the certificate again from the control panel. Failing that, I would reach out to your web host to be sure that it is going to try renewal, and to check that it succeeds when it does.


#11

Ok, thanks very much for your help, really appreciated.

Thanks

Darren


#12

Hey @SMB,

If you’re interested, I recently launched https://padlockspy.com for monitoring of SSLs, including expiry reminders, feel free to check it out. Let me know what you think :slight_smile:


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.