Certificate reports expired on server websites but still valid on Ubuntu server

ianweatherburn · October 4, 2022, 9:49am

WebServer unable to provide an https connection.
Certificate reports as:
rslothlorien.ddns.net
Issued By: R3
Expired: Sunday, 01 October 2022 at 12:12:37 South Africa Standard Time
'rslothlorien.ddns.net' certificate has expired

sudo certbot certificates
reports

Found the following certs:
Certificate Name: rslothlorien.ddns.net
Serial Number: 3b3ff13eede8259c9e79b18a6474a75e2f0
Key Type: RSA
Domains: rslothlorien.ddns.net
Expiry Date: 2022-11-30 11:32:07+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/rslothlorien.ddns.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/rslothlorien.ddns.net/privkey.pem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rslothlorien.ddns.net

I ran this command:
sudo certbot renew

It produced this output:
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/rslothlorien.ddns.net/fullchain.pem expires on 2022-11-30 (skipped)
No renewals were attempted.

My web server is (include version):
Server version: Apache/2.4.52 (Ubuntu)
Server built: 2022-06-14T12:30:21

The operating system my web server runs on is (include version):
Ubuntu 22.04.1 LTS

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
cerbot 1.21.0

griffin · October 4, 2022, 10:13am

Welcome to the Let's Encrypt Community, Ian!

sudo apachectl -k graceful

ianweatherburn · October 4, 2022, 10:16am

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 45.158.186.132. Set the 'ServerName' directive globally to suppress this message

griffin · October 4, 2022, 10:17am

ianweatherburn · October 4, 2022, 10:19am

Webmin
https://rslothlorien.ddns.net:10000/

Why when I include the port am I not getting an SSL connection?
NET::ERR_CERT_DATE_INVALID

griffin · October 4, 2022, 10:21am

I suspect that your Apache VirtualHost for that port is pointing to the wrong certificate.

sudo apachectl -S

ianweatherburn · October 4, 2022, 10:23am

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 45.158.186.132. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 rslothlorien.ddns.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:3)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

ianweatherburn · October 4, 2022, 10:24am

SSLCertificateFile /etc/letsencrypt/live/rslothlorien.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rslothlorien.ddns.net/privkey.pem

griffin · October 4, 2022, 10:28am

So it's not Apache serving on port 10000:

Server: MiniServ/2.000

You need to change that configuration to point to the live certificate, not a specific, archived certificate.

ianweatherburn · October 4, 2022, 10:30am

Was doing ok following up to now. This is over my head. Webmin running on Port 10000. Where is that change required?

griffin · October 4, 2022, 10:30am

Pretty sure this is where you need to operate:

ianweatherburn · October 4, 2022, 10:31am

Sorry that was my mistake. Webmin running on port 10000

griffin · October 4, 2022, 10:33am

ianweatherburn · October 4, 2022, 10:34am

Hmmm thanks. The certificate was installed but now showing as expired. Need to use the valid certificate that is on Apache?

griffin · October 4, 2022, 10:35am

Correct. Webmin has an old certificate installed. It doesn't automatically update when installed manually.

ianweatherburn · October 4, 2022, 10:36am

How do I update that via the command line (no GUI access due to cert issue)

griffin · October 4, 2022, 10:39am

https://www.digicert.com/kb/ssl-certificate-installation-webmin.htm

ianweatherburn · October 4, 2022, 10:39am

Thank you. Reading....

griffin · October 4, 2022, 10:41am

Personally, I would point your configuration in miniserv.conf to your live certificate. This may help:

ianweatherburn · October 4, 2022, 10:42am

Yes agreed, this is what I want to do

Topic		Replies	Views
Certificate Expired Now What Help	23	11583	November 3, 2017
Expired certificate Help	11	3297	February 26, 2022
Certificate renewed but expired one is being used Help	3	542	November 3, 2019
Renewed certificate ok on server but expired on client machine Help	5	564	December 30, 2022
Renewed certificate but still using expired Help	9	1052	June 27, 2019

Certificate reports expired on server websites but still valid on Ubuntu server

Related topics