Certificate changing from Valid to Invalid intermittently

Hi There,

I keep running into the problem where I am being blocked by an Error: NET::ERR_CERT_DATE_INVALID / Your connection is not private. But it's happening intermittently.

One minute it will be fine, showing the new certificate valid till August, the next it will show the old certificate and not let me through. Any advice would be much appreciated.

My domain is: www.pookpress.co.uk

Thanks

I can reproduce your problem consistently.

This is most certainly because you have a stuck Apache worker still using the prior cert. You may need to restart your server to clear that.

If you are very skilled you could check all the running processes and kill the Apache workers that look old. But, easiest is to restart the server if it's not too much downtime.

I also see this:

Name:      pookpress.co.uk
Addresses: 2606:4700:3036::ac43:8aea
           2606:4700:3035::6815:38f5
           172.64.80.1

Name:    www.pookpress.co.uk
Address: 79.125.108.58

I also see this:

curl -Ii http://www.pookpress.co.uk/x/y/z
HTTP/1.1 301 Moved Permanently
Date: Wed, 14 Jun 2023 12:31:06 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://www.pookpress.co.uk//x/y/z

Notice the extra "/" after "uk".

Looks like lots of problems. Note the www domain fails every third check or so just with routine openssl cert checks.

The root domain and redirect problems you point out are extra:-)

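Not from the thread: an added monitoring script that shows what "routine openssl cert checks" run in a loop look like, so the flapping described above (different certificates served on back-to-back connections, one of them expired) can be confirmed before and after restarting Apache. It assumes the openssl CLI is on PATH and that the host is reached directly rather than through a CDN; the function names, the observation format and the sample probe output are this example's own constructions, not data from the site.

```python
import subprocess
import time
from collections import Counter
from datetime import datetime, timezone

# Hypothetical monitoring helper written for this thread; it is not part of
# any tool mentioned in the replies. Assumptions: the openssl CLI is on PATH,
# and the server is reached directly (no CDN proxy in front), so each new TLS
# connection may be answered by a different Apache worker.


def parse_x509_fields(text: str) -> dict:
    """Parse the output of `openssl x509 -noout -serial -enddate`, which
    looks like 'serial=0A1B\\nnotAfter=Aug 12 09:00:00 2023 GMT'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    not_after = datetime.strptime(
        fields["notAfter"], "%b %d %H:%M:%S %Y %Z"
    ).replace(tzinfo=timezone.utc)
    return {"serial": fields["serial"], "not_after": not_after}


def probe_cert(host: str, port: int = 443, timeout: int = 10) -> dict:
    """Open ONE fresh TLS connection and return the leaf cert's serial and
    expiry. s_client prints the certificate even when verification fails,
    so an expired cert is captured instead of being hidden by an error."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-serial", "-enddate"],
        input=s_client.stdout, capture_output=True, check=True,
    )
    return parse_x509_fields(x509.stdout.decode())


def summarize(observations: list, now: datetime) -> dict:
    """Given the results of repeated probes, report how many distinct
    certificates were served, how often each appeared, and which of them
    are already expired at `now`. More than one serial across back-to-back
    connections is the signature of a worker still holding the old cert."""
    counts = Counter(o["serial"] for o in observations)
    expiry = {o["serial"]: o["not_after"] for o in observations}
    expired = sorted(s for s, t in expiry.items() if t <= now)
    return {
        "distinct": len(counts),
        "counts": dict(counts),
        "expired_serials": expired,
        "flapping": len(counts) > 1,
    }


def monitor(host: str, attempts: int = 10, delay: float = 1.0) -> dict:
    """Probe `attempts` times with a pause between connections and summarize."""
    observations = []
    for _ in range(attempts):
        observations.append(probe_cert(host))
        time.sleep(delay)
    return summarize(observations, datetime.now(timezone.utc))


# Constructed sample output from three probes (not real data from the site):
# two connections reach a worker holding the renewed cert, one reaches a
# worker still holding the previous, now-expired cert.
SAMPLE_PROBES = [
    "serial=0A1B\nnotAfter=Aug 12 09:00:00 2023 GMT\n",
    "serial=0A1B\nnotAfter=Aug 12 09:00:00 2023 GMT\n",
    "serial=FF02\nnotAfter=May 17 09:00:00 2023 GMT\n",
]
SAMPLE_NOW = datetime(2023, 6, 14, tzinfo=timezone.utc)


def sample_summary() -> dict:
    """Run the summary over the constructed sample instead of the network."""
    return summarize([parse_x509_fields(p) for p in SAMPLE_PROBES], SAMPLE_NOW)


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else None
    print(monitor(host) if host else sample_summary())
```

Run it with a hostname to probe live; with no argument it evaluates the constructed sample and reports two distinct serials, one of them expired, i.e. exactly the mixed state a stuck worker produces. After the restart the same loop should report a single serial on every connection.
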
Yes, could be low memory issues OR bad script logic/timing that has left orphan processes running.
Your recommendation is spot on:

And, yes, my findings are in addition to that.
Hopefully they can address them all before closing this topic.

This [or something else] seems to have been ongoing for months:
[image: certificate issuance history]
As shown, 9 out of last 13 renewals have been done well below the expected 60 day interval.
The yellow on the right is the cert popping up intermittently.
Likely long before May 17th.
It just would have been valid before then and would have gone unnoticed.

These are Cloudflare IPs. That means that the CT logs may include Cloudflare requests, although those would be unlikely to be late. It also means that Cloudflare settings may be interfering with origin renewals. It is unusual to see the apex name proxied and the www hostname set to DNS Only.

Maybe...
But the www name isn't using Cloudflare.
I listed only www entries.

Yes, that seems backwards - LOL

Thank you so much for all your responses. I am not very skilled, but I know a guy who is, so I will pass on your helpful advice and see if we can get this sorted :slight_smile:

Many Thanks!
