Certificate remains expired after re-issuance


#1

Each time I try to re-issue the certificate, it comes back as invalid, expired in August. Is there still an issue?


Error: Could not issue a Let's Encrypt SSL/TLS certificate for (domain)
#2

Hi @gardfish,

I split this reply off of the previous post because it is unrelated to the incident mentioned in the previous thread.

Can you provide answers to the default “Help” template? It will help the community figure out the root cause of your problem.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#3

Thanks for splitting the post. Here are the details:

My domain is:
oame.on.ca

I ran this command:
sudo ./certbot-auto

It produced this output:


Congratulations! You have successfully enabled https://www.oame.on.ca and
https://oame.on.ca

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.oame.on.ca
https://www.ssllabs.com/ssltest/analyze.html?d=oame.on.ca


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.oame.on.ca/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.oame.on.ca/privkey.pem
    Your cert will expire on 2019-02-28. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the “certonly” option. To non-interactively renew all
    of your certificates, run “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


My web server is (include version):
Server version: Apache/2.4.34 (Amazon)

The operating system my web server runs on is (include version):
Amazon Linux AMI release 2018.03

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No control panel

Thanks!



#5

Hi @gardfish

your configuration ( https://check-your-website.server-daten.de/?q=oame.on.ca ):

http://oame.on.ca/ 301 https://oame.on.ca/ 0.504 A
http://www.oame.on.ca/ 301 https://www.oame.on.ca/ 0.343 A
https://oame.on.ca/ 200 2.176 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
https://www.oame.on.ca/ 200 2.450 B

Your www-version is ok

oame.on.ca 443 Certificate/chain invalide and wrong name Tls12 ECDH Ephermal 256 Aes256 256 Sha384 not supported ok
www.oame.on.ca 443 ok Tls12 DiffieHellman 2048 Aes128 128 Sha256 not supported ok

But your non-www - version uses a self signed certificate, which is expired.

So you should create one certificate with two domain names - www + non-www.

sudo certbot-auto renew -d oame.on.ca -d www.oame.on.ca

If that doesn’t work, share your configuration file, or share the file

/var/log/letsencrypt/letsencrypt.log

which contains the details of your configuration.


#6

PS: You have already such a certificate, created today.

https://crt.sh/?id=990807922

X509v3 Subject Alternative Name:
DNS:oame.on.ca
DNS:www.oame.on.ca

So don’t create a new certificate; instead, check your configuration so that the non-www version uses this certificate.


#7

Thanks JuergenAuer,

In theory they should both be using the same certificate, as www.oame.on.ca is just an alias for oame.on.ca.

<VirtualHost *:443>
    ServerAdmin aws@oame.on.ca
    DocumentRoot /var/www/html
    ServerName oame.on.ca
    ServerAlias www.oame.on.ca
    ErrorLog logs/error_log
    CustomLog logs/access_log common
    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.
    # RewriteCond %{SERVER_NAME} =www.oame.on.ca [OR]
    # RewriteCond %{SERVER_NAME} =oame.on.ca
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.oame.on.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.oame.on.ca/privkey.pem
</VirtualHost>

Would you recommend that I split them out into separate VirtualHosts?


#8

Now my online tool has the correct certificate (www-version) with two domain names.

CN=www.oame.on.ca
30.11.2018
28.02.2019
oame.on.ca, www.oame.on.ca - 2 entries

But the non-www version uses the self signed.

Self-signed certificates are often found in the standard configuration file. Are there other configuration files with VirtualHost elements?

Normally such a configuration should work. But you can try it. Two separate files with two separate VirtualHosts, but with the same certificate.

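A way to confirm the diagnosis in the two replies above from the outside, as an added example that is not from the original thread, Certbot or Apache: probe each hostname with its own SNI name, record the fingerprint of the leaf certificate it actually serves and why a verifying client rejects it, then report whether www and non-www are answered by the same certificate. The names `probe` and `diagnose` are chosen here; the sample results in the test are constructed.

```python
import hashlib
import socket
import ssl
from collections import defaultdict

def probe(hostname, port=443, timeout=10):
    """Return (SHA-256 fingerprint of the leaf cert, verification error or None).

    Handshake 1 skips verification only so that the DER leaf can be captured even
    when it is expired or self-signed; handshake 2 uses default verification and
    records why a normal client rejects the connection. Diagnostic use only."""
    relaxed = ssl.create_default_context()
    relaxed.check_hostname = False
    relaxed.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with relaxed.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    error = None
    try:
        strict = ssl.create_default_context()
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=hostname):
                pass
    except ssl.SSLError as exc:
        # SSLCertVerificationError carries e.g. "certificate has expired"
        error = getattr(exc, "verify_message", None) or exc.reason or str(exc)
    return hashlib.sha256(der).hexdigest(), error

def diagnose(results):
    """results: {hostname: (fingerprint, error)} as returned by probe().
    Returns a list of findings; an empty list means every name presents the
    same certificate and every handshake verified cleanly."""
    findings = []
    by_fp = defaultdict(list)
    for host, (fp, err) in results.items():
        by_fp[fp].append(host)
        if err:
            findings.append(f"{host}: rejected by a verifying client ({err})")
    if len(by_fp) > 1:
        groups = "; ".join(f"{fp[:12]}... -> {', '.join(hosts)}" for fp, hosts in by_fp.items())
        findings.append(f"hostnames are served by {len(by_fp)} different certificates: {groups}")
    return findings

if __name__ == "__main__":
    hosts = ["oame.on.ca", "www.oame.on.ca"]
    print("\n".join(diagnose({h: probe(h) for h in hosts})) or "OK: one valid certificate for all names")
```

If the two names come back with different fingerprints, the stray VirtualHost (here the default ssl.conf one) is the place to look, since Apache selects the certificate per SNI name.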

#9

I appreciate your time on this JuergenAuer. You were exactly right. I found the default ssl.conf configuration in the conf.d folder and was able to identify the VirtualHost that was causing the issue.

Thank you so much!


#10

Happy to read that. Now it looks good:


And both connections are using the same certificate with two domain names.