Certificate expired error - but doesn't need renewed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Oscar.action-engineering.com
oscartest.action-engineering.com

I ran this command: winacme

It produced this output: [Manual] oscartest.action-engineering.com - renewed 19 times, due after 6/22/2021 4:29:36 AM

My web server is (include version): not sure

The operating system my web server runs on is (include version): windows server 2019

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme.v2.1.6.773.x64.pluggable

I renewed the certificate for both servers on 4/28 - all went fine. On Saturday 5/8 - the client informed me that the website is reporting the certificate is invalid, I checked and it is invalid for both production and test. I checked the renewal with winacme, and it says it does not need to be renewed yet and is not expired. I try to force the renewal and get an error due to the maintenance:

(AcmeProtocolException): The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.

don't understand why it says the certificate is expired when it is not.

thank you for any help

Let's Encrypt says:

[Update] Our apologies for trouble this extended maintenance may be causing. We're revising the completion time out to 18:30 UTC out of an abundance of caution.

At the moment Let's Encrypt servers are under maintenance, certificate APIs are temporarily unavailable.


I saw that on the status page - which explains why I can't renew - but why is my cert marked as expired in the first place - when it is not expired - I renewed it a little over a week ago on 4/28.

also I am using acmev2 not v1 - which is also confusing as to why this maintenance would affect my cert.

Your webserver is probably serving an older certificate. You might need to restart some services to get your system to use the new (renewed) certificate.

I tried rebooting both servers - which did not work - and should be the same as restarting services - or is there a different process I need to follow? any way to check which certs are being served? only one is listed in winacme...

Thank you!

(apologies for not having all details - inherited this from someone and still figuring out how he set this all up)

it also is interesting to me that both servers would have the same issue starting at the same time...

I figured out that the certificate being served was here:

C:\Users\Administrator\AppData\Local\ASP.NET\Certificates\oscartest.action-engineering.com.pfx

and for some reason when renewing winacme was not copying the new certificate here (I checked the settings). I recreated the renewal, and it now copies the files here.

test server is now fixed, however on production I am trying to do the same thing, and it successfully copies the pfx file, but not the .key file - I see this message on renewal:

No key entries found

now I can't start my web app

test does not show this - can anyone help with this last part?

got it! the winacme json file somehow had the default password set to "password" instead of null to allow user input so I could set it to none...

still all of this seems odd to suddenly show up - no problems with the other 2 renewals I did.
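One way to answer the question raised in the thread, "any way to check which certs are being served?", shown as an added example that is not part of the original posts. It compares the certificate a server presents over TLS with a PFX file on disk, using standard .NET classes; the function names `Get-ServedCertificate` and `Compare-ServedCertificateToPfx` are hypothetical, and the host and path in the usage comment are the ones quoted in the thread.

```powershell
# Added example: compare the certificate a server presents with a PFX on disk.
function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate: the goal is to inspect it even if it has expired.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

function Compare-ServedCertificateToPfx {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$PfxPath,
        [securestring]$PfxPassword,   # omit for a PFX saved without a password
        [int]$Port = 443
    )
    $served = Get-ServedCertificate -HostName $HostName -Port $Port
    # Loading throws a CryptographicException if the password does not match the file.
    $onDisk = if ($PfxPassword) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
    } else {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath)
    }
    [pscustomobject]@{
        ServedThumbprint = $served.Thumbprint
        ServedNotAfter   = $served.NotAfter
        ServedExpired    = $served.NotAfter -lt (Get-Date)
        PfxThumbprint    = $onDisk.Thumbprint
        PfxNotAfter      = $onDisk.NotAfter
        PfxHasPrivateKey = $onDisk.HasPrivateKey
        SameCertificate  = $served.Thumbprint -eq $onDisk.Thumbprint
    }
}

# Usage (host and path as quoted in the thread):
# Compare-ServedCertificateToPfx -HostName 'oscartest.action-engineering.com' `
#   -PfxPath 'C:\Users\Administrator\AppData\Local\ASP.NET\Certificates\oscartest.action-engineering.com.pfx'
```

If `SameCertificate` is false and `ServedExpired` is true, the web application is still presenting an older certificate than the file the renewal wrote.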
