Certificate renewed with success but still appears as expired

#1

Hi, there is still a delta between the public cert status and the one on my mail server, whose cert renewal was done successfully.

The original purpose was to revoke/delete an old cert with several domains and replace it with one unique cert for only one domain. Then something went messy.

root@mackerel ~ # certbot renew --force-renewal --cert-name mail.crypteo.org-0002
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.crypteo.org-0002.conf
-------------------------------------------------------------------------------
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.crypteo.org
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0060_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0060_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/mail.crypteo.org-0002/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mail.crypteo.org-0002/fullchain.pem (success)

Compare now with the status on this page from Comodo: https://crt.sh/?Identity=%mail.crypteo.org&iCAID=16418 where it appears as expired.

How can I fix that hellish problem? I'm running out of ideas.

#2

Hi,

If you are using a mail server, please notice that mail servers will not be configured automatically to serve new certificates.

Also, in your case, you'll need to dig into the configuration file of your mail server, change the certificate path / keys to reflect your new certificate, then reload your mail server.

Thank you

1 Like
#3

crt.sh has a backlog and isn't instant: if you get a new certificate, it takes time for it to show up on crt.sh. Currently, there are two pre-certificates (b/c of certificate transparency log stamps) logged.

Also, crt.sh doesn't actually reflect the actual status of your server: it just shows logged certificates. As @stevenzhu already points out, you already have valid certificates issued (twice), as the certbot output also tells you: it succeeded and congratulates you for this.

Just use the certificate you already got and you’ll be fine.

1 Like
#4

Hi @rvi

checking this domain there is a valid certificate, created today (https://check-your-website.server-daten.de/?q=mail.crypteo.org):

CN=mail.crypteo.org    26.02.2019    27.05.2019    expires in 90 days    mail.crypteo.org - 1 entry

So your server already shows the new certificate.

Perhaps your mail server needs some additional steps.

1 Like
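The check #2 and #4 describe, written out as an added example (not part of the original thread or of certbot): compare the fingerprint of the certificate certbot wrote to disk with the one the mail server actually presents, and print both expiry dates. The live path and hostname are taken from the certbot output above; the port and STARTTLS mode (SMTP on 25) are assumptions, and for implicit-TLS ports such as 465 or 993 the `-starttls smtp` option has to be dropped.

```shell
#!/bin/sh
# Added example: does the mail server serve the certificate certbot renewed?
# LIVE_CERT and MAIL_HOST come from the thread; MAIL_PORT/STARTTLS are assumptions.
LIVE_CERT="${LIVE_CERT:-/etc/letsencrypt/live/mail.crypteo.org-0002/fullchain.pem}"
MAIL_HOST="${MAIL_HOST:-mail.crypteo.org}"
MAIL_PORT="${MAIL_PORT:-25}"

# SHA-256 fingerprint of the PEM certificate on stdin, as colon-separated hex.
pem_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Same, for the first certificate in a PEM file (fullchain.pem starts with the leaf).
file_fingerprint() {
  pem_fingerprint < "$1"
}

# notAfter of the PEM certificate on stdin, e.g. "May 27 12:00:00 2019 GMT".
pem_not_after() {
  openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate in file $1 is still valid $2 seconds from now (default 0).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Leaf certificate the mail server presents after STARTTLS, as a PEM block.
served_cert() {
  printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -servername "$1" -starttls smtp 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Report both fingerprints and expiry dates; exit 0 only when the served cert is the disk cert.
check_mail_cert() {
  served=$(served_cert "$MAIL_HOST" "$MAIL_PORT")
  [ -n "$served" ] || { echo "no certificate received from $MAIL_HOST:$MAIL_PORT" >&2; return 2; }
  disk_fp=$(file_fingerprint "$LIVE_CERT")
  srv_fp=$(printf '%s\n' "$served" | pem_fingerprint)
  echo "disk   : $disk_fp  expires $(pem_not_after < "$LIVE_CERT")"
  echo "served : $srv_fp  expires $(printf '%s\n' "$served" | pem_not_after)"
  if [ "$disk_fp" = "$srv_fp" ]; then
    echo "OK: the mail server serves the renewed certificate"
  else
    echo "MISMATCH: the mail server serves another certificate; fix its cert path and reload" >&2
    return 1
  fi
}

# The live check only runs when invoked as: sh check_mail_cert.sh run
if [ "${1:-}" = "run" ]; then check_mail_cert; fi
```

A MISMATCH with an older "served" expiry date is exactly the situation in #1: certbot renewed the file on disk, but the mail server's configuration still points at (or has not reloaded) a previous certificate.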
#5

Thanks guys for your quick and great answers!
I’ll dig into my mail server configuration for any mistake.

closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.