Certificate is expired but certbot renew reports that certs are up-to-date


#1

My website is https://joplin.cozic.net/

Since yesterday the SSL certificate appears to be expired; however, certbot was set to auto-renew, and indeed if I manually run certbot renew, it says that the certs are up-to-date:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/cozic.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/appetizer.cozic.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/cozic.net/fullchain.pem expires on 2018-08-02 (skipped)
  /etc/letsencrypt/live/appetizer.cozic.net/fullchain.pem expires on 2018-08-02 (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------

I’ve restarted my Apache server to be sure but that didn’t help. Any idea what could be the issue?


#2

Hi @laurent22,

According to

https://crt.sh/?Identity=%cozic.net&iCAID=16418

there is a certificate for joplin.cozic.net that expired yesterday, but this certificate is distinct from those for cozic.net and appetizer.cozic.net, which indeed remain valid until August 2. Your copy of Certbot doesn’t seem to be managing renewals for the joplin.cozic.net certificate.

Is it possible that you obtained this certificate on a different server and then copied it onto this server, or that you somehow altered the name or structure of the files or directories within /etc/letsencrypt?


#3

As a follow-up, the DNS for joplin.cozic.net points to a completely different place from the other two names. It seems that joplin.cozic.net isn’t hosted on the same server at all and is pointed to github.io infrastructure, itself hosted by the Fastly CDN. Perhaps its certificates, though also obtained from Let’s Encrypt, are managed by a different process or entity (maybe by either GitHub or the Fastly CDN)?


#4

Thanks, that’s right, I forgot that this domain was actually a GitHub Pages. They silently enabled HTTPS a few months ago and now it seems they’ve disabled it without warnings. I’ll contact them and check with them.
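The diagnosis reached in this thread, as an added example that is not part of the original posts: before trusting "Cert not yet due for renewal", check whether the failing hostname is covered by any lineage that this Certbot manages. The sample below is a constructed, trimmed `certbot certificates` listing based on the two lineages named above; the function names, the domain lists and the expiry times are assumptions.

```python
import re

# Constructed sample of `certbot certificates` output (trimmed). Lineage names
# come from the thread; domain lists and expiry times are assumed.
SAMPLE = """\
Found the following certs:
  Certificate Name: cozic.net
    Domains: cozic.net
    Expiry Date: 2018-08-02 09:12:44+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/cozic.net/fullchain.pem
  Certificate Name: appetizer.cozic.net
    Domains: appetizer.cozic.net
    Expiry Date: 2018-08-02 09:14:02+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/appetizer.cozic.net/fullchain.pem
"""

def parse_lineages(text):
    """Return {certificate name: [domains]} from `certbot certificates` output."""
    lineages, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = []
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current:
            lineages[current] = m.group(1).split()
    return lineages

def covers(san, host):
    """True if one certificate name (exact or wildcard) covers host."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        # A wildcard matches exactly one left-most label, never the apex.
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host

def managing_lineages(text, host):
    """Names of the Certbot lineages whose certificate covers host."""
    return [name for name, sans in parse_lineages(text).items()
            if any(covers(s, host) for s in sans)]

if __name__ == "__main__":
    for host in ("cozic.net", "appetizer.cozic.net", "joplin.cozic.net"):
        found = managing_lineages(SAMPLE, host)
        print(host, "->", found or "not managed by this Certbot")
```

An empty result for a hostname means `certbot renew` on this machine will never touch its certificate, so the certificate actually served for that name has to be traced to whichever host or provider the DNS record points at.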

