Certificate expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

The fellow that was updating our certificate has gone on vacation.

My domain is: https://www.startupsshowcase.com

I ran this command: entered the URL https://www.startupsshowcase.com

It produced this output: website not trusted

My web server is (include version): https://www.startupsshowcase.com

The operating system my web server runs on is (include version): Not sure

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Not sure if it's on GitHub or AWS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Server Key and Certificate #1
Subject livesharkstank.co
Fingerprint SHA256: dc9cd0a8218cb24fbde1cc61b0bad8b19536943b0deffed67f69ebff0eb4ea8b
Pin SHA256: ragNVekHhd5l7u86b8gduUHYxeK+Z40p/0ZGH5e5yJ0=
Common names livesharkstank.co
Alternative names livesharkstank.co startupsshowcase.com www.livesharkstank.co www.startupsshowcase.com
Serial Number 0429f57fbe74b16a0166ada53ca0e28a3d47
Valid from Mon, 18 Sep 2023 15:59:26 UTC
Valid until Sun, 17 Dec 2023 15:59:25 UTC (expired 5 days, 2 hours ago) **EXPIRED**
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer R3
AIA: http://r3.i.lencr.org/
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency **Yes (certificate)**
OCSP Must Staple No
Revocation information OCSP
OCSP: http://r3.o.lencr.org
Revocation status Unchecked (only trusted certificates can be checked)
DNS CAA No ([more info]*1)
Trusted No **NOT TRUSTED** ([Why?]*2)
Mozilla Apple Android Java Windows

*1: CAA Mandated by CA/Browser Forum | Qualys Security Blog
*2: SSL Server Test: www.startupsshowcase.com (Powered by Qualys SSL Labs)

Usually there's software running that automatically renews and installs the certificates.

You're going to need to find the answers to those questions. Even if someone here magically gave you a certificate (which we can't, as the whole process is run by software on your systems), you would need to be able to install it.

5 Likes

Hi Peter,

Thanks for the feedback. Yes, looking for some help figuring out the steps to update the certificate.

Thanks,
_J
:slight_smile:

1 Like

@JoseDeDios how did you originally get a certificate issued?

2 Likes

We're trying to help, but we just don't have any more to go on than you do. You need to look at the logs of whatever program you have running on your server that creates the certificate in order to see why it's no longer automatically renewing. There are a lot of options for what that program might be, but you could start with trying to run sudo certbot certificates if you can log in, just in case it's certbot, which is pretty popular.

3 Likes

Hi Bruce,
The fellow that is on vacation got those issued.

Issuer name: Let's Encrypt

R3: Internet Security Research Group

ISRG Root X1: Digital Signature Trust Co.

1 Like

Without access, even if you knew what to do, you won't be able to do anything.
You're going to have to find a way in OR wait for the person who can get in to return.

2 Likes

@rg305,

OK, I can log in to both the AWS and GitHub for the websites.
https://www.livesharkstank.co and https://www.startupsshowcase.com

I will need to figure out how to update the certificate.

Those domains are handled by an nginx server. If you can show us the lines from your nginx config that describe the certs we can probably give better advice. Look for line(s) like ssl_certificate

5 Likes

Hi MikeMcQ,

How did you determine that my domains are handled by nginx server?

Thanks,
_J

Because your server says so in the HTTP response headers :slight_smile: That is pretty standard in servers.

curl -ik https://livesharkstank.co
HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PHP/5.5.9-1ubuntu4.29

4 Likes

Got it. I'm just learning and appreciate your input. :slight_smile:

4 Likes

Normally the -k option is best to avoid as it connects but ignores cert security checks. In this case I was running on a sandboxed server and knew something about your situation so it was helpful.

I don't recommend making it a habit :slight_smile:

5 Likes

See here SSL Checker

Expired: Yes (expired 6 days ago)

2 Likes

What shows?:
grep -Ri certificate /etc/nginx

4 Likes

Can you guide me on how the connections with nginx & AWS E2 work?

I don't think people here are going to be able to give you a full course in how to administrate your server. AWS has documentation on how to connect (and we're just guessing that your server is running Linux), but it is assuming that you know what you're doing on the VM once you're connected to it. If you can give the output of some of the commands above (like grep -Ri certificate /etc/nginx and sudo certbot certificates), people here might be able to try to point you in the right direction. But your problem isn't actually at its core "the certificate expired", it's that software running on the server (which is supposed to be handling all that) isn't working and you need to find someone who can figure out what software that is and dig into its logs to find the problem.

6 Likes
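
The two checks suggested in this thread (finding which certificate files the nginx config references, then seeing whether they have expired) can be combined as below. This is an added example, not part of any post above; the function names are hypothetical, and it assumes the openssl command-line tool is installed and that the nginx config lives under /etc/nginx unless another directory is given.

```sh
#!/bin/sh
# Added example (not from the thread): find the certificate files an nginx
# config tree points at and classify each by expiry. Assumes the openssl CLI.

# Print the unique paths given to ssl_certificate directives. The pattern
# requires whitespace after the name, so ssl_certificate_key lines and
# commented-out lines are skipped.
nginx_cert_paths() (
  conf_dir=${1:-/etc/nginx}
  grep -RhE '^[[:space:]]*ssl_certificate[[:space:]]+' "$conf_dir" 2>/dev/null |
    sed -E 's/^[[:space:]]*ssl_certificate[[:space:]]+//; s/[[:space:]]*;.*$//' |
    sort -u
)

# Classify one PEM file: unreadable, expired, expiring (within warn days), ok.
cert_status() (
  pem=$1
  warn=$(( ${2:-30} * 86400 ))
  if ! [ -r "$pem" ] || ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo unreadable
  elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$pem" -noout -checkend "$warn" >/dev/null 2>&1; then
    echo expiring
  else
    echo ok
  fi
)

# One line per certificate: status, notAfter date, path.
report_nginx_certs() (
  nginx_cert_paths "${1:-/etc/nginx}" | while IFS= read -r path; do
    end=$(openssl x509 -in "$path" -noout -enddate 2>/dev/null) || end='notAfter=?'
    printf '%s\t%s\t%s\n' "$(cert_status "$path")" "$end" "$path"
  done
)

# Run against a directory only when one is given on the command line.
if [ "$#" -gt 0 ]; then report_nginx_certs "$1"; fi
```

Certificate files under /etc/letsencrypt are normally readable only by root, so a status of unreadable from an unprivileged shell usually means the script needs to be run with sudo.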
