Certificate expired - certs are not due for renewal yet


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jla787.com

I ran this command: letsencrypt renew

It produced this output:
Processing /etc/letsencrypt/renewal/jla787.com.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/jla787.com/fullchain.pem (skipped)
No renewals were attempted.

My web server is (include version):
nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.1 LTS

My hosting provider, if applicable, is:
ramnode

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


Looks like my browser sees the old crt.sh IDs logged at 2018-07-09, and not the newer ones

Nginx error logs have OCSP errors :
2018/10/20 07:24:47 [error] 2402#2402: OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

But when I click to check OCSP status from the latest IDs on crt.sh, the status returns Good

I am stabbing in the dark beyond my ken.


#2

If you run “sudo letsencrypt certificates”, what does it show? If you’re running letsencrypt 0.4.1 from the Ubuntu repository, it probably doesn’t support that command, and it will just give an error, but it’s worth a shot.

What does “sudo openssl x509 -dates -noout -in /etc/letsencrypt/live/jla787.com/fullchain.pem” show?

If you run “sudo nginx -T”, what ssl_certificate and ssl_certificate_key directives does it show?

Does “sudo systemctl reload nginx” help?

What command did you use to get the certificate originally?

There is a certificate in existence:

https://crt.sh/?q=%jla787.com

It was issued on September 10, which is just right for Certbot’s default renewal settings.

The question is why your web server isn’t using it.

Is the clock correct? 2018-10-20 was a while ago. Are there more recent errors?


#3

sudo letsencrypt certificates
letsencrypt: error: unrecognized arguments: certificates

sudo openssl x509 -dates -noout -in /etc/letsencrypt/live/jla787.com/fullchain.pem
notBefore=Sep 10 08:47:08 2018 GMT
notAfter=Dec 9 08:47:08 2018 GMT

sudo nginx -T | grep ssl_certificate
ssl_certificate /etc/letsencrypt/live/jla787.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jla787.com/privkey.pem;

What command did you use to get the certificate originally?

I can’t remember. This is from my history:
sudo letsencrypt certonly --webroot -w /var/www/html -d jla787.com -d lotgd.jla787.com

Is the clock correct? 2018-10-20 was a while ago. Are there more recent errors?

Yes
2018/11/04 07:55:20 [error] 2402#2402: OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org


#4

Hi @razermackham

checked your website, I see a valid certificate.

Created 2018-09-10, so there is no renewal required.

Is it only a cache problem of your browser?


#5

Your server is using the new certificate now. :smile:

Did “sudo systemctl reload nginx” do the trick?

When you use “certonly --webroot”, you have to configure something to reload Nginx after the certificate is renewed. Certbot can do this if you pass “--renew-hook ‘systemctl reload nginx’” to it.

(For future reference, --deploy-hook is preferred in newer versions of Certbot.)

If I remember correctly, there’s a directory in /etc/letsencrypt/ where you can put shell scripts that run on renewal. /etc/letsencrypt/renew-hooks.d/ or something like that.

(This was a nonstandard thing provided by the package. In newer versions of Certbot, it’s built-in and called /etc/letsencrypt/renewal-hooks/deploy/.)
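The deploy hook described in the post above, written out as an added example (this is not code from the thread, from Certbot, or from the Ubuntu package). It assumes the newer Certbot layout named there, /etc/letsencrypt/renewal-hooks/deploy/, and the RENEWED_LINEAGE variable Certbot exports to deploy hooks; the NGINX and SYSTEMCTL overrides and the file name reload-nginx.sh are choices made for this example so it can be exercised without a live nginx.

```shell
#!/bin/sh
# Added example: a Certbot deploy hook that reloads nginx only after the
# renewed lineage and the nginx config have been checked. Install it as
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (chmod +x), or pass
# it with --deploy-hook. Certbot exports RENEWED_LINEAGE (the
# /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS to deploy hooks.
set -u

# Commands are overridable so the hook can be tested without nginx/systemd
# (an assumption of this example; the defaults are what a real server uses).
NGINX=${NGINX:-nginx}
SYSTEMCTL=${SYSTEMCTL:-systemctl}

# Return 0 if the lineage directory holds the two files nginx points at
# (post #3: ssl_certificate fullchain.pem, ssl_certificate_key privkey.pem).
lineage_ok() {
    dir=$1
    [ -r "$dir/fullchain.pem" ] || { echo "missing $dir/fullchain.pem" >&2; return 1; }
    [ -r "$dir/privkey.pem" ]   || { echo "missing $dir/privkey.pem" >&2; return 1; }
    # fullchain.pem must start with a PEM certificate block, not an error page
    # or an empty file left behind by an interrupted renewal.
    head -n 1 "$dir/fullchain.pem" | grep -q -- '-----BEGIN CERTIFICATE-----' \
        || { echo "$dir/fullchain.pem is not a PEM certificate" >&2; return 1; }
    return 0
}

# Reload nginx only if the config test passes. Reloading on a broken config
# leaves nginx serving the certificate it already has in memory, which is the
# symptom in this thread: new files on disk, old certificate on the wire.
reload_nginx() {
    "$NGINX" -t || { echo "nginx config test failed; not reloading" >&2; return 1; }
    "$SYSTEMCTL" reload nginx
}

# Entry point: takes the lineage dir as $1, or RENEWED_LINEAGE from Certbot.
deploy() {
    lineage=${1:-${RENEWED_LINEAGE:-}}
    [ -n "$lineage" ] || { echo "no lineage: run from certbot or pass the live dir" >&2; return 2; }
    lineage_ok "$lineage" || return 1
    reload_nginx
}

# Act on Certbot's lineage only when run as the installed hook; when the file
# is sourced under another name (e.g. for testing) nothing runs.
case "${0##*/}" in
    reload-nginx.sh) deploy "$@" ;;
esac

# To confirm the reload took effect, compare the dates nginx serves with the
# on-disk dates from "openssl x509 -dates" (post #3):
#   openssl s_client -connect jla787.com:443 -servername jla787.com </dev/null 2>/dev/null \
#       | openssl x509 -noout -dates
```

The hook refuses to run when RENEWED_LINEAGE is absent, when either file nginx is configured with is missing, or when `nginx -t` fails, so a bad renewal never causes a reload that would silently keep the old certificate in service. This layout only exists in the newer Certbot releases mentioned in the post; on the letsencrypt 0.4.1 package from Ubuntu 16.04 the equivalent is the `--renew-hook` argument.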


#6

Yes. I was reading about Certbot in other posts. Seems like I need to update :slight_smile: