Certificate Installed & Valid & Working. But certbot certificates shows the expired cert

[I'm new here, and my previous programmer did this job. Sorry if this sounds silly.]

The certificate is working fine. I have checked the validity of my certificate from different platforms (browser and different third-party certificate check websites). All show the cert is valid with the same expiry date (07/12/2021).

However, when I run certbot certificates, it says my certificate is expired, and has a different expiry date (25/09/2021).

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/<mydomain>.conf with version 0.31.0 of Certbot. This might not work.
OCSP check failed for /etc/letsencrypt/live/<mydomain>/cert.pem (are we offline?)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: <mydomain>
    Domains: <mydomain>
    Expiry Date: 2021-09-25 14:08:28+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/<mydomain>/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/<mydomain>/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then I investigated further and went to crt.sh. I found the following info.

I am surprised the cert issued on Mar 12 has been renewing every 2 months AUTOMATICALLY. However, there's no such info when I run certbot certificates.

So I went checking the corresponding certificate folders in my server.

$ sudo ls -la /etc/letsencrypt/live/<mydomain>/
total 12
drwxr-xr-x 2 root root 4096 Jun 27 15:08 .
drwx------ 4 root root 4096 Mar 12  2021 ..
-rw-r--r-- 1 root root  692 Mar 12  2021 README
lrwxrwxrwx 1 root root   37 Jun 27 15:08 cert.pem -> ../../archive/<mydomain>/cert2.pem
lrwxrwxrwx 1 root root   38 Jun 27 15:08 chain.pem -> ../../archive/<mydomain>/chain2.pem
lrwxrwxrwx 1 root root   42 Jun 27 15:08 fullchain.pem -> ../../archive/<mydomain>/fullchain2.pem
lrwxrwxrwx 1 root root   40 Jun 27 15:08 privkey.pem -> ../../archive/<mydomain>/privkey2.pem

Further getting into the archive folder

$ sudo ls -la /etc/letsencrypt/archive/<mydomain>/
total 44
drwxr-xr-x 2 root root 4096 Jun 27 15:08 .
drwx------ 5 root root 4096 Mar 12  2021 ..
-rw-r--r-- 1 root root 1834 Mar 12  2021 cert1.pem
-rw-r--r-- 1 root root 1838 Jun 27 15:08 cert2.pem
-rw-r--r-- 1 root root 1586 Mar 12  2021 chain1.pem
-rw-r--r-- 1 root root 3749 Jun 27 15:08 chain2.pem
-rw-r--r-- 1 root root 3420 Mar 12  2021 fullchain1.pem
-rw-r--r-- 1 root root 5587 Jun 27 15:08 fullchain2.pem
-rw------- 1 root root 1704 Mar 12  2021 privkey1.pem
-rw------- 1 root root 1708 Jun 27 15:08 privkey2.pem

I realized the cert issued on Mar 12 IS on my server. However, it is not showing the updated certificate info on my server, and the symlinks point to the one issued on Jun 27.

For automatic renewal, I checked my certbot service too. There seems to be nothing special about it.

/lib/systemd/system$ cat certbot.timer
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target
/lib/systemd/system$ cat certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

So why does this happen? Is it possible that the key is stored somewhere else, with automatic renewal enabled somewhere else, after the initial creation on this server on Mar 12?

I mean, this doesn't hurt, since the certificate is working with auto-renewal. It's just that my boss is asking me why it shows as expired on the server, and I have no clue AT ALL.
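An added example, not code from the thread or from certbot: a small POSIX shell script that answers the question the poster was stuck on, namely whether the certificate the web server actually serves is the one certbot holds in /etc/letsencrypt/live/<domain>/. It assumes the openssl CLI is installed; the host name, the live directory and the demo name example.test are placeholders. A fingerprint mismatch while certbot's own copy has expired is exactly the symptom above: the served certificate comes from somewhere else, so the lineage that `certbot certificates` reports is stale.

```shell
#!/bin/sh
# Added example, not from the thread: compare the certificate a host really
# serves on :443 with the one certbot manages in /etc/letsencrypt/live/<host>/.
# Assumes the openssl CLI is installed. If the fingerprints differ, something
# other than this certbot lineage (another client, another machine) installs
# the served certificate, and `certbot certificates` reports a lineage the
# web server no longer uses.

# One-line summary of the first cert in a PEM file: SHA-256 fingerprint,
# serial and notAfter.
cert_summary() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 -serial -enddate | tr '\n' ' '
}

# Fetch the leaf certificate served for SNI name $1 on port $2; write PEM to $3.
fetch_served_cert() {
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# Exit 0 if the two PEM files hold the same certificate (same SHA-256 fingerprint).
same_cert() {
    fp1=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    fp2=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ "$fp1" = "$fp2" ]
}

# Exit 0 if the cert in $1 is valid right now, 1 if its notAfter has passed.
# -checkend is portable and avoids parsing openssl's date format with date(1).
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Compare what host $1 serves with certbot's lineage in $2
# (default /etc/letsencrypt/live/$1). Returns 0 on match, 1 on mismatch.
check_host() {
    host=$1
    live=${2:-/etc/letsencrypt/live/$host}
    served=$(mktemp)
    if ! fetch_served_cert "$host" 443 "$served"; then
        echo "could not fetch a certificate from $host:443" >&2
        rm -f "$served"
        return 2
    fi
    echo "served : $(cert_summary "$served")"
    echo "certbot: $(cert_summary "$live/cert.pem")"
    if same_cert "$served" "$live/cert.pem"; then
        echo "MATCH: the web server serves this certbot lineage"
        rc=0
    else
        echo "MISMATCH: the served certificate is not from this certbot lineage"
        rc=1
    fi
    cert_valid_now "$live/cert.pem" || echo "note: certbot's copy has already expired"
    rm -f "$served"
    return $rc
}

# Demo helper (constructed data, not a Let's Encrypt cert): a self-signed cert
# for a made-up name, valid for one day, written to $1 (key next to it).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -subj "/CN=example.test" 2>/dev/null
}

if [ $# -ge 1 ]; then
    check_host "$@"          # e.g. sh cert_check.sh example.com
else
    # Offline demo: two freshly generated certs never share a fingerprint.
    d=$(mktemp -d)
    make_demo_cert "$d/a.pem"; make_demo_cert "$d/b.pem"
    same_cert "$d/a.pem" "$d/a.pem" && echo "a vs a: MATCH"
    same_cert "$d/a.pem" "$d/b.pem" || echo "a vs b: MISMATCH"
    rm -rf "$d"
fi
```

Run it as `sh cert_check.sh example.com` on the box that holds /etc/letsencrypt; with no arguments it only runs the offline demo. If the result is MISMATCH, the next question is which certificate file the web server's configuration actually points at.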

Is the date and time correct on the machine you are checking the certificate with certbot?

@lanxu It looks to me like you are on a different machine than the one more regularly renewing the certs. I say this because:

The crt.sh history shows two certs issued on Mar 12
(if you use the Advanced setting: deDuplicate it will be clearer)

But only one of those has auto-renewed in months 05, 07, and 09

The second one on Mar12 never auto-renewed but may have renewed in Jul

The cert on 06-27 is odd and on no schedule. Perhaps some testing which was repeated in Jul to account for why there were two in Jul?

The file dates in /archive are from Jun 27 and Mar 12, which confirm the odd ones.

I assume all the names in the columns you blanked were the same. If not we would have more clues.


You've hidden so much that even the (obscured) information provided leaves much to the imagination.
Like:

  • Are all the names on those certs identical?
    If so, have you ever setup an ACME client to use DNS authentication?
    If not, why are you asking about two different names?
    If so (#2), have you ever set up multiple ACME clients on the same system?
    [like: certbot and acme.sh...]
    If not (#2), have you ever manually (or via script) edited any files/folders/etc. with the path /etc/letsencrypt/?
    If so, then you may benefit from uninstalling certbot and reinstalling it.
    If not (#3) I can't explain how this can be happening... go back and reread the choices.

@MikeMcQ @rg305
Sorry for the confusion. Yup, the names hidden on those columns are all the same, which is my <mydomain>.

This is the result after I used deDuplicate

You are right. There are 2 certificates created on Mar 12.
The first one was created on 2021-03-12 13:24:13 UTC
The second one was created on 2021-03-12 13:26:07 UTC

And then I checked the timestamp of the cert created on 12/03/2021 on my machine.

sudo stat /etc/letsencrypt/archive/<mydomain>/cert1.pem
  File: /etc/letsencrypt/archive/<mydomain>/cert1.pem
Access: 2021-06-27 10:29:04.683845806 +0000
Modify: 2021-03-12 13:24:15.104769871 +0000
Change: 2021-03-12 13:24:15.104769871 +0000

The one on my machine should be the first one shown in crt.sh.
Looks like my machine doesn't have the second one.

Yup, that's what I am thinking: I am on a different machine. But I have been checking different machines and still could not find it. I will keep looking for the machine.

Yup, there are 2 certificates on my machine (the first one from Mar 12, and the one from Jun 27) that match the date/time in the crt.sh result.


No acme.sh on the same system.
No manually edited files in that path.
Like @MikeMcQ said, I am probably on a different machine. I'm going to keep trying on different machines...

You skipped one question:


@lanxu In your server conf, what is the path and name of the cert file? Does that help identify the source?

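An added example illustrating the question above, not code from the thread: a script that pulls every certificate path out of nginx (ssl_certificate*) and Apache (SSLCertificate*File) directives and says whether each one points at certbot's live/ directory or somewhere else. The config snippets it generates for the demo are constructed; the /root/.acme.sh path is the acme.sh default install location and is used here only as an illustration of a non-certbot location.

```shell
#!/bin/sh
# Added example, not from the thread: find which certificate files the web
# server is configured to load and say whether each one is certbot's
# /etc/letsencrypt/live/ lineage or something else (another ACME client,
# a hand-copied file).

# Print every certificate/key path named by nginx (ssl_certificate*) or
# Apache (SSLCertificate*File) directives under $1 (a file or a directory).
cert_paths_in_config() {
    grep -rhoE '^[[:space:]]*(ssl_certificate(_key)?|SSLCertificate(Key|Chain)?File)[[:space:]]+[^;[:space:]]+' "$1" 2>/dev/null \
        | awk '{ print $2 }' \
        | sort -u
}

# Classify one configured path by where it lives.
classify_cert_path() {
    case "$1" in
        /etc/letsencrypt/live/*) echo "$1 -> certbot lineage (live/ symlink)" ;;
        /etc/letsencrypt/*)      echo "$1 -> under /etc/letsencrypt but not live/ (copied or pinned archive file)" ;;
        */.acme.sh/*)            echo "$1 -> acme.sh install location" ;;
        *)                       echo "$1 -> outside /etc/letsencrypt: another client or a manual install" ;;
    esac
}

# Resolve a configured path to the real file, when it exists on this machine.
resolve_cert_path() {
    if [ -e "$1" ]; then readlink -f "$1"; else echo "(missing on this host) $1"; fi
}

# Report for a config tree, e.g. report_cert_paths /etc/nginx
report_cert_paths() {
    cert_paths_in_config "$1" | while IFS= read -r p; do
        classify_cert_path "$p"
        echo "    resolves to: $(resolve_cert_path "$p")"
    done
}

# Constructed demo config (not the poster's real config): an nginx vhost that
# points at an acme.sh path, plus an Apache vhost that points at certbot's live/.
make_demo_config() {    # $1 = directory to populate
    mkdir -p "$1/nginx/sites-enabled" "$1/apache2/sites-enabled"
    cat >"$1/nginx/sites-enabled/example.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /root/.acme.sh/example.test/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/example.test/example.test.key;
}
EOF
    cat >"$1/apache2/sites-enabled/example.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.test
    SSLCertificateFile    /etc/letsencrypt/live/example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
</VirtualHost>
EOF
}

if [ $# -ge 1 ]; then
    report_cert_paths "$1"   # e.g. sh cert_paths.sh /etc/nginx
else
    d=$(mktemp -d)           # offline demo on the constructed config
    make_demo_config "$d"
    report_cert_paths "$d"
    rm -rf "$d"
fi
```

`report_cert_paths /etc/nginx` or `/etc/apache2` covers the files on disk; `nginx -T` and `apachectl -S` show what the running server actually loaded, which matters when a vhost is included from an unexpected place. A path outside /etc/letsencrypt/live/ means certbot's renewal timer is doing nothing useful for that vhost, and a second client is the thing to look for.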

You are RIGHT!
I was finally able to contact my previous programmer. He did set up an ACME client for that.
So, problem solved!


@MikeMcQ @rg305 @Bruce5051
Thank you guys for your help!

