Certificate is new but wget is telling me it is expired

This system has been running smoothly since 2019. On Aug 15, certbot renewed the certificate; after that, any connection to the web site failed and the browser keeps loading forever.

Using wget to access the home page, it seems to be an issue with an expired certificate, but the following command at the console:
certbot certificates

produced the following output:

Found the following certs:
  Certificate Name: cartoonia.no-ip.org
    Domains: cartoonia.no-ip.org
    Expiry Date: 2022-11-20 07:11:47+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/cartoonia.no-ip.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cartoonia.no-ip.org/privkey.pem

My domain is:
cartoonia.no-ip.org

I ran this command:
wget https://cartoonia.no-ip.org

It produced this output:

--2022-08-22 08:57:36--  https://cartoonia.no-ip.org/
Resolving cartoonia.no-ip.org (cartoonia.no-ip.org)... 2.44.51.50
Connecting to cartoonia.no-ip.org (cartoonia.no-ip.org)|2.44.51.50|:443... connected.
ERROR: cannot verify cartoonia.no-ip.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
  Issued certificate has expired.
To connect to cartoonia.no-ip.org insecurely, use `--no-check-certificate'.

My web server is (include version):
Apache/2.4.25

The operating system my web server runs on is (include version):
Raspbian 9

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.28.0

The cert your server sends looks OK to me. I see the fresh cert using openssl from my own test server. And even this SSL Decoder test site sees the new one.

Did you restart your server since you posted to fix this? Are you still getting problems from your wget test?

3 Likes

Thanks for your support, @MikeMcQ

Yes, I restarted Apache a couple of times but the issue is still there, not only with wget but also using curl:

curl -GET  https://cartoonia.no-ip.org
curl: (58) could not load PEM client certificate, OpenSSL error error:02001002:system library:fopen:No such file or directory, (no key found, wrong pass phrase, or wrong file format?)
1 Like

What machine are you making that curl and wget request from?

Because from the public internet it looks fine. Even SSL Labs sees the fresh cert.

I assume you are trying from your local network. Can you try from the public internet like using a phone with wifi disabled?

3 Likes

Oh, that fails for me too. But why use -GET? Just do:
(-i does GET and shows headers. Leaving -GET off works fine too)

curl -i https://cartoonia.no-ip.org
HTTP/1.1 200 OK
Date: Mon, 22 Aug 2022 15:54:06 GMT
Server: Apache/2.4.25 (Raspbian)
Last-Modified: Sat, 16 Apr 2022 18:41:39 GMT
ETag: "39-5dcc9e0ad8db7"
Accept-Ranges: bytes
Content-Length: 57
Content-Type: text/html

<html>
<head>
</head>
<body>
Ad Maiora!
</body>
</html>
4 Likes

-GET
Should be:
--get
OR just:
-G

-GET equals:
-G -E -T

3 Likes

OK guys, thanks to your messages I've been able to determine that the issue exists only within my local network.

I didn't suspect that because all my tests with wget and curl have been performed using an EC2 Linux machine on AWS, and therefore outside the local network where the Raspberry is.

But as soon as I read your message, I realized that the issue was real for me only: maybe that machine has an outdated CA certificates database; I haven't checked it yet.

Now I need to discover what has changed in my local network in the last few days: I suspect that my ISP has sent a firmware update to my router that caused the trouble. I'll check.

Side note: I have always used curl -GET :open_mouth: Thanks @rg305 and @MikeMcQ for pointing out that error.

2 Likes
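
The triage this thread went through, written out as an added example (not code from any poster or from certbot): compare the expiry that `certbot certificates` reports on disk with what verified TLS handshakes from several vantage points see. The names `probe` and `diagnose`, the verdict strings and the sample probe results are assumptions made for illustration, and the wget timestamp is assumed to be UTC.

```python
import socket
import ssl
from datetime import datetime

def probe(host, port=443, timeout=10):
    """Verified TLS handshake from this machine.
    Returns (notAfter, None) on success or (None, verify error) on failure.
    Network errors (timeouts, refused connections) are left to propagate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"], None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message

def diagnose(disk_expiry_iso, probes, now):
    """disk_expiry_iso: the 'Expiry Date' value printed by `certbot certificates`.
    probes: {vantage point name: probe() result}. now: Unix time of the check."""
    disk = datetime.fromisoformat(disk_expiry_iso).timestamp()
    if disk <= now:
        return "renew"          # the certificate on disk is itself expired
    ok = [ssl.cert_time_to_seconds(na) for na, err in probes.values() if err is None]
    failed = [name for name, (_, err) in probes.items() if err is not None]
    if any(served < disk for served in ok):
        return "reload"         # server still hands out an older cert than the one on disk
    if failed and ok:
        return "client"         # server is fine; look at the failing client or its network path
    if failed:
        return "inconclusive"   # nobody verified; probe from another network first
    return "ok"

# Expiry date taken from the certbot output in the first post.
SAMPLE_DISK = "2022-11-20 07:11:47+00:00"
# Timestamp of the failing wget run (assumed UTC).
SAMPLE_NOW = datetime.fromisoformat("2022-08-22 08:57:36+00:00").timestamp()
# Constructed probe results mirroring what the posters reported.
SAMPLE_PROBES = {
    "public internet": ("Nov 20 07:11:47 2022 GMT", None),
    "EC2 client": (None, "certificate has expired"),
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_DISK, SAMPLE_PROBES, SAMPLE_NOW))
```

To use it live, run `probe("cartoonia.no-ip.org")` on each machine involved and pass the collected results to `diagnose`.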
