Certificate renewed but https fails

When I look at
https://crt.sh/?CN=srac.org.uk

it lists 8 certificates. 1 has expired. The rest all came from trying to renew and all look as if they should be valid (going by dates). Details from the first are:

    Issuer:
        commonName                = Let's Encrypt Authority X3
        organizationName          = Let's Encrypt
        countryName               = US
    Validity
        Not Before: Jan 24 19:22:00 2017 GMT
        Not After : Apr 24 19:22:00 2017 GMT
    Subject:
        commonName                = srac.org.uk

However when I go to srac.org.uk I get the not secure warning.

I have tried getting help from my service provider but they are not providing any useful help.

Please fill out the fields below so we can help you better.

My domain is:
srac.org.uk
I ran this command:

It produced this output:

My operating system is (include version):
Windows
My web server is (include version):

My hosting provider, if applicable, is:
Netcetera
I can login to a root shell on my machine (yes or no, or I don’t know):
No
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes

How did you renew the certificate? How did you “install” the first certificate?

Service provider has a Let's Encrypt button that allows an install or renew option (via Plesk I think)

Maybe it did renew but did not restart the web server ???

If pushing that button doesn't work and you don't have any other option for renewal, you probably need to contact your service provider. Not anything we can magically do about it :wink:

Believe me I’m trying! I was hoping you may be able to confirm whether or not you agree the certificate info looks valid to you.

For info:
Last reply from service provider said I had hit the 20 requests per week limit. However, as I only have 8 listed at https://crt.sh/?CN=srac.org.uk I’m
a) assuming that’s confirmation I haven’t hit the 20 requests limit (based on the Let’s Encrypt limit info page)
b) even if I had hit a requests limit, that doesn’t explain why the certificate(s) that appear to be in date are not working.

I don’t seem to have access to restart the webserver, so I’ll see if I can get the service provider to do that …

ISP restarted the web service but it has not helped.

I would be grateful if you could help me understand how Let’s Encrypt works so I can understand what’s going wrong.

History is:
I had a certificate that was close to expiring. I tried renewing. After an apparently successful renewal, analyzing (with https://www.ssllabs.com/ssltest/analyze.html?d=srac.org.uk) showed the same expiry.
The day before expiry I tried several times to renew, not realising there was any limit on it.
So now my certificate has expired and I think I may have triggered a rate limit.

Having found out about crt.sh I can now see the list of certificates. The first one has expired. One was logged in January, then 6 were logged yesterday (am I right this would trigger the rate limit for max 5 unique requests per 7 days?).

So, I can understand if I can now not create a new cert for a few days - but I cannot understand why the cert created in Jan is not working. Could triggering a rate limit have affected this? Or does it mean there is some other issue stopping the cert being used? Is there any way for me to find out if the non expired certs have any problems?

The ISP is seeing the following
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for exact set of domains:

ISP says:
The website has got too many requests for certificate (20 attempts per 1 week per one main domain), and that’s the reason the SSL is not getting renewed.

However, looking at the Let’s Encrypt Rate Limit help, if I hit the 20 limit, crt.sh can be used to get a list. And as that has only 9 on the list I am assuming it’s not the 20 limit I have hit. Otherwise if it were the 20 limit I’d hit, I would still be able to perform a renewal, right?

Sorry for all the questions & any help gratefully received.

This project sounds great and one I’d like to be able to recommend to others. Hence the reason I’m quite keen to understand it properly.

You’ve hit the Duplicate Certificate rate limit. See for more info: https://letsencrypt.org/docs/rate-limits/

There isn’t any problem with Let’s Encrypt, as you can see at crt.sh: you’ve got many certificates issued, but for some reason the webserver keeps using the old one.

If you don’t have any access to how the webserver uses which certificate, you should file a ticket (or mail or whatever) at your service provider and ask why the renewal button is broken.
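An added example, not part of any post in this thread: a way to work out from a crt.sh-style listing which exact set of names has hit the duplicate limit, when the window frees up again, and whether the certificate the webserver presents is older than the newest one issued. The 5-per-7-days figure is the one quoted in the thread; the 90-day lifetime, the entry layout, the names under `example.org` and every date are constructed for illustration.

```python
from datetime import datetime, timedelta

LIMIT = 5                      # duplicates per exact name set (figure quoted in the thread)
WINDOW = timedelta(days=7)     # sliding window the limit applies to
LIFETIME = timedelta(days=90)  # assumed certificate lifetime for the sample data

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def same_names(a, b):
    # The limit applies to the exact set of names, regardless of order or case.
    return {n.lower() for n in a} == {n.lower() for n in b}

def duplicate_status(log, names, now):
    """Return (certificates in window, time the next duplicate is allowed or None)."""
    recent = sorted(e["not_before"] for e in log
                    if same_names(e["names"], names)
                    and now - WINDOW < e["not_before"] <= now)
    if len(recent) < LIMIT:
        return len(recent), None
    # Enough of the oldest entries must age out to bring the count below LIMIT.
    return len(recent), recent[len(recent) - LIMIT] + WINDOW

def served_is_stale(log, names, served_not_after):
    """True if the log holds a certificate for these names that outlives the served one."""
    expiries = [e["not_after"] for e in log if same_names(e["names"], names)]
    return bool(expiries) and max(expiries) > served_not_after

def entry(issued, names):
    t = ts(issued)
    return {"not_before": t, "not_after": t + LIFETIME, "names": names}

# Constructed listing: one old certificate, five renewals in one day for the
# same pair of names, and one certificate for a different name set.
PAIR = ["example.org", "www.example.org"]
LOG = ([entry("2017-01-10 09:00", PAIR)]
       + [entry(f"2017-04-09 {h:02d}:00", PAIR) for h in range(9, 14)]
       + [entry("2017-04-09 14:00", ["example.org"])])
NOW = ts("2017-04-11 08:00")

if __name__ == "__main__":
    print("pair:", duplicate_status(LOG, PAIR, NOW))
    print("apex only:", duplicate_status(LOG, ["example.org"], NOW))
    # The server still presents the January certificate in this sample.
    print("stale:", served_is_stale(LOG, PAIR, LOG[0]["not_after"]))
```

When `served_is_stale` is true, issuance has worked and the fault is in how the host installs the new certificate, so repeating the renewal only uses up the window.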
