Certificate expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://yourtop.news

I ran this command:

It produced this output:

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version):
Let's Encrypt runs on OPNsense with HAProxy

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

When I check the certificate it is renewed, but when I browse the page it finds the old one.

Are you restarting haproxy after issuing/renewing the cert?

4 Likes

Yes, I restarted the whole firewall and it is the same.

Do you make a copy of the renewed cert for haproxy? If so, could you have forgotten to update the copy?

4 Likes

I don't understand what's happening here. What do you do when you "browse page", and how does it "find old one"? How is haproxy on your OPNsense box related to what you're seeing when you "browse page"?

5 Likes

You can check it yourself at http://yourtop.news because I am confused here.
How is it related to OPNsense? On OPNsense, Let's Encrypt is installed with all the certificates for different web pages on different servers. There is only one external IP for multiple sites.

I see:

2 Likes

Can we see the output of?:
apachectl -t -D DUMP_VHOSTS

2 Likes

Using SSL Checker - Check SSL Certificate I see:

Yes, as I said, the certificate expired, but in OPNsense it is renewed and valid.
This is on the server where the web page is.

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server phpmyadmin.yourtop.news (/etc/httpd/conf.d/phpMyAdmin.conf:7)
         port 80 namevhost phpmyadmin.yourtop.news (/etc/httpd/conf.d/phpMyAdmin.conf:7)
         port 80 namevhost mail.yourtop.news (/etc/httpd/conf.d/roundcubemail.conf:11)
                 alias roundcube.yourtop.news
         port 80 namevhost yourtop.news (/etc/httpd/conf.d/yourtopnews.conf:1)
                 alias www.yourtop.news

Please show this file:

3 Likes

Where does port 443 go?
[ I just noticed that Apache is only serving port 80 ]

2 Likes

Yes, the Apache server is only on port 80. Below is the Apache config.
Port 80 is redirected in HAProxy to port 443 and it should take the certificate from Let's Encrypt in OPNsense.

<VirtualHost *:80>
    DocumentRoot /var/www/html/yourtop/
    ServerName yourtop.news
    ServerAlias www.yourtop.news
    ServerPath /var/www/html/yourtop
    Alias /yourtopnews "/var/www/html/yourtop"

    ErrorLog "logs/yourtop.news.error_log"
    CustomLog "logs/yourtop.news.access_log" combined

    <Directory "/var/www/html/yourtop">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

What I meant was:
If there is a NAT device, where do the inbound port 443 connections go?
[ I see that the port 80 connections go to Apache ]

2 Likes

What it sounds like OP is describing is that HAProxy is running on his OPNsense box. It's handling TLS termination for (apparently) more than one website and acting as a reverse proxy to those sites.

4 Likes

Yes, and that worked until the certificate expired. Now I am stuck and don't know what can be wrong: HAProxy? ACME? Or something in the firewall or port forward?

Have you checked your haproxy config for the cert location or file name?

I understand HAProxy terminates the SSL connection, so it would need a cert for that. I saw this blog post on the HAProxy site. Perhaps its config is using your older cert?

4 Likes
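A way to settle the question raised above (is the terminating proxy still loading the old file?), added here as an example and not part of the thread: fingerprint the leaf certificate actually served on port 443 for the site's name and compare it with the leaf inside the PEM the proxy is configured to load. The sample PEM strings are constructed placeholders, not real certificates, and the file path and host name in the usage comment are assumptions.

```python
import base64
import hashlib
import re
import socket
import ssl

# First CERTIFICATE block only: HAProxy's combined PEM holds leaf, chain, then key.
_CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample PEMs (not real certificates); bodies are just short base64 payloads.
SAMPLE_COMBINED = ("-----BEGIN PRIVATE KEY-----\nBBBB\n-----END PRIVATE KEY-----\n"
                   "-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n"
                   "-----BEGIN CERTIFICATE-----\nAwQF\n-----END CERTIFICATE-----\n")
SAMPLE_NEW_LEAF = "-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n"
SAMPLE_OLD_LEAF = "-----BEGIN CERTIFICATE-----\nAwQF\n-----END CERTIFICATE-----\n"

def leaf_der_from_pem(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block; PRIVATE KEY blocks are skipped."""
    m = _CERT_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM data")
    return base64.b64decode("".join(m.group(1).split()))

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as printed by `openssl x509 -fingerprint -sha256`."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fetch_live_pem(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Leaf certificate the server presents for `host` (sent as SNI, since one HAProxy
    address fronts several sites and picks the cert by name). Verification is off on
    purpose: an expired cert would otherwise abort the handshake before we see it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def diagnose(on_disk_pem: str, live_pem: str) -> str:
    """'match' if the served leaf equals the on-disk leaf, otherwise 'stale'."""
    return "match" if leaf_der_from_pem(on_disk_pem) == leaf_der_from_pem(live_pem) else "stale"

if __name__ == "__main__":  # assumed usage: python check_cert.py yourtop.news /path/to/combined.pem
    import sys
    disk, live = open(sys.argv[2]).read(), fetch_live_pem(sys.argv[1])
    print(sha256_fingerprint(leaf_der_from_pem(disk)), sha256_fingerprint(leaf_der_from_pem(live)))
    print(diagnose(disk, live))
```

If the result is "stale", the proxy is still serving a previous copy: check the crt path in its config and reload it after the renewal hook has written the new file.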

Ok, thank you, I will check this. But I still don't know why this worked before the certificate expired.

1 Like

Because something in your system is still sending out the expired cert.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.