Certificate error (date invalid)


My domain is: admin.workandtravel.world

I ran this command:

It produced this output:

My web server is (include version):
apache2 and php 8
The operating system my web server runs on is (include version):
debian 11.7
My hosting provider, if applicable, is:
not the problem
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.12.0

The problem is, when I renew a certificate it runs into an error "date invalid" and it says that my certificate is due for renewal. I have checked certbot, and it looks like it is using old certificates in the browser while I manually installed new ones with this command:

certbot certonly --manual --preferred-challenges=dns --email info@universeorange.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.workandtravel.world -d workandtravel.world

I had to restart the webserver and run certbot to get back to live, never mind...

You probably didn't check Certbot. Checking Certbot would be done using the command sudo certbot certificates and not using a browser. When using a browser, you're actually just checking Apache.

Also, when using the certonly subcommand, Apache isn't automatically reloaded. So unless you've set up a --deploy-hook with a reload command, you indeed would need to do that manually too. But that's not Certbot's fault.


Well, my server (apache2) should restart every night at 1 minute past 12. Not implemented yet, but a compare of the HTML with a snapshot will keep the server up and running or send an error email.
Thanks for the certbot certificates command; can it also output in JSON format? That would be a nice feature.

Do you know how to get the certificates from a headless Chrome browser?

with kind regards,

Remco van der Velde

Can you?

openssl s_client -connect admin.workandtravel.world:443 -showcerts

You might need to add -servername admin.workandtravel.world if your openssl is old.

Many examples in Google for parsing certs into X509 info.

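As an added example (not code from the thread), the openssl command from the reply above wrapped into a check that compares the certificate Apache actually serves with the one certbot has on disk, which is exactly the confusion in the original post. It assumes GNU date (as on Debian), an openssl that accepts -servername, and that the lineage name under /etc/letsencrypt/live is passed as the second argument.

```shell
# Parse a "notAfter=<date>" line as printed by `openssl x509 -noout -enddate`
# and return the number of whole days until that date. The optional second
# argument is a fixed "now" epoch, used for testing.
days_until_notafter() {
    notafter="${1#notAfter=}"
    end_ts=$(date -u -d "$notafter" +%s) || return 1
    now_ts=${2:-$(date -u +%s)}
    echo $(( (end_ts - now_ts) / 86400 ))
}

# Fetch the leaf certificate served on host:443 (with SNI) and print its
# notAfter line. Nothing is sent after the handshake.
served_cert_enddate() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Compare the served certificate with the lineage certbot manages on disk.
# A mismatch means a new certificate was issued (certonly) but Apache was
# never reloaded, so browsers still see the old one.
check_host() {
    host="$1"
    lineage="${2:-$host}"   # assumption: lineage directory name under live/
    served=$(served_cert_enddate "$host") || { echo "could not fetch cert for $host"; return 2; }
    days=$(days_until_notafter "$served")
    echo "$host: served cert $served ($days days left)"
    ondisk_pem="/etc/letsencrypt/live/$lineage/cert.pem"
    if [ -r "$ondisk_pem" ]; then
        ondisk=$(openssl x509 -noout -enddate -in "$ondisk_pem")
        if [ "$served" != "$ondisk" ]; then
            echo "MISMATCH: disk has $ondisk; reload Apache (or add a --deploy-hook)"
            return 1
        fi
    fi
}
```

Run it as `check_host admin.workandtravel.world workandtravel.world` on the server; a non-zero exit means the served and on-disk certificates differ.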

A reload should work better.

That only updates the cert.

That leaves room for improvement - automation is the goal.

That needs an update.
Follow the recommended installation instructions:
Certbot (eff.org)


Check the system time on both your server and the client machine you are browsing from. Their system time has to be correct, synced with an (internet) time service.


You are right, but currently no time to improve it.

I have Let's Encrypt tasks:

wat init --restore-lets-encrypt & wat init --backup-lets-encrypt, which make a copy (zip) and restore the zip into the Let's Encrypt directory. If you do it like that, Let's Encrypt needs improvement too, because the challenges don't have to change every time, because it also stores a session.
This isn't working properly yet.

I am currently on Debian 11 and will migrate to Debian 12. We are a small team and there is more to do than renew certificates.

That I am not automating through your code shouldn't be a problem. Why refresh DNS challenges so often, for example? Those can be valid for 5 years? So the first time is manual and then with a restore (you keep all certificates) you get a new one because you have the previous one and the challenges, right... Also room to think; automation is the goal.

That is not possible - the challenges must change with every request.
LE doesn't make the rules, it follows them.


If I test the certificates I can only try it 5 times a day and then need to wait 2 days before we get secure again? My backup / restore got messed up and now it's unsecure but working on my machine...

Is there a way to get new certificates, or a setting to test certificate backups, for example? (I move them to a separate data directory and want to back up that stuff so I don't run into issues.)

The domain you own today could be controlled by someone else tomorrow. The validation process is to confirm you currently control the domain.


Are you issuing new certs 5 times per day?


Testing my backup zip of the certificates, yes...

If you backup the /etc/letsencrypt/ folder [with symlinks], you should be able to restore it [fully functional].


You need to "test" using the testing environment - NOT production.


I tested it, and the certbot renew prompt is not working then, if I put it back with a script (copy the full folder and restore it).

I did not know of a testing environment; I will check that out later.

Please use more words...
I don't fully understand what you are saying.


How?
Did it provide an error message?


I make a zip of the folder /etc/letsencrypt/ to back up the certificates.

I have a wat init --restore-lets-encrypt command which restores the files and the symlinks inside /etc/letsencrypt. certbot renew should then work, and the first time is then only manual to set up the encryption. certbot renew is fixing something, it says, and then certbot renew isn't working.

So what I am saying is: first time a manual DNS challenge, and then auto-renew / backup / restore should work.