Check TLS validation issue - future dated not before expiration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail01.postbox.net.nz

I ran this command: certbot renew

It produced this output:
You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.


Processing /etc/letsencrypt/renewal/mail01.postbox.net.nz.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mail01.postbox.net.nz
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0007_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/mail01.postbox.net.nz/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mail01.postbox.net.nz/fullchain.pem (success)
Certs updated…

My web server is (include version): apache 2.2.2

The operating system my web server runs on is (include version): Ubuntu 12.04.4 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

DETAILS:
The certificate updated correctly.
On opening an https page the certificate date_not_before reads:
Thursday, 1 February 2018, 1:00:42 PM
(Thursday, 1 February 2018, 12:00:42 AM GMT)

The date after reads
Wednesday, 2 May 2018, 12:00:42 PM
(Wednesday, 2 May 2018, 12:00:42 AM GMT)

Local server time reads:
Fri Feb 2 15:27:33 NZDT 2018
but was closer to 15:00 when the renewal happened.

https://www.checktls.com/perl/live/TestReceiver.pl tells me the cert is expired
EXPIRED: Certificate 1 of 3 in chain:
serialNumber= 03:fb:0a:ce:aa:e5:55:09:13:c9:8e:d4:15:34:e7:b4:c7:db
subject= /CN=mail01.postbox.net.nz

Running a cert detail test tells me:
Validity:
Not Before: Feb 2 06:06:35 2018 GMT
Not After : May 3 07:06:35 2018 GMT
Subject:
commonName = mail01.postbox.net.nz

Basically the certificate is presenting as not being allowed for another 12 hours or so (we are GMT+12).

Is this an issue with checktls.com or my server?

TIA

shane
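A way to check the reported validity window without the timezone guesswork, as an added example that is not part of the original post: it takes the notBefore/notAfter strings in the exact format `openssl x509 -noout -dates` (and Python's `ssl.getpeercert()`) print them, converts them to UTC epoch seconds with the standard-library `ssl.cert_time_to_seconds`, and compares them against a timezone-aware timestamp. The date strings are the ones quoted above; the `+13:00` offset for NZDT in February and the `fetch_dates` helper for pulling the dates off a live server are assumptions added for the example.

```python
"""Compare a certificate's validity window against UTC, not local wall-clock time.

Added example, not code from the thread. The sample dates are the ones the
poster quoted; NZDT = UTC+13:00 (daylight time in February) is an assumption.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

NZDT = timezone(timedelta(hours=13))  # assumption: New Zealand daylight time

# Dates in the "%b %d %H:%M:%S %Y GMT" form openssl and ssl.getpeercert() use.
# A single-digit day is printed with a double space, which strptime accepts.
NOT_BEFORE = "Feb  2 06:06:35 2018 GMT"
NOT_AFTER = "May  3 07:06:35 2018 GMT"


def validity_status(not_before: str, not_after: str, now: datetime) -> str:
    """Return 'not-yet-valid', 'valid' or 'expired' for an aware datetime."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime, e.g. datetime.now(timezone.utc)")
    now_s = now.timestamp()                     # aware datetime -> true epoch seconds
    nb = ssl.cert_time_to_seconds(not_before)   # interprets the GMT string as UTC
    na = ssl.cert_time_to_seconds(not_after)
    if now_s < nb:
        return "not-yet-valid"
    if now_s > na:
        return "expired"
    return "valid"


def local_render(cert_time: str, tz: timezone) -> str:
    """Show a GMT cert date the way a browser in zone `tz` would display it."""
    secs = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(secs, tz).strftime("%Y-%m-%d %H:%M:%S %z")


def mislabeled_local_status(not_before: str, not_after: str, local_naive: datetime) -> str:
    """The common mistake: a naive local wall-clock time compared as if it were UTC.

    For a zone east of UTC this makes a not-yet-valid certificate look valid,
    because the local clock is ahead of the UTC clock the dates are expressed in.
    """
    return validity_status(not_before, not_after, local_naive.replace(tzinfo=timezone.utc))


def fetch_dates(host: str, port: int = 443) -> tuple:
    """Fetch (notBefore, notAfter) from a live TLS server (network; not run in tests)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()            # dict with 'notBefore' / 'notAfter'
    return cert["notBefore"], cert["notAfter"]


if __name__ == "__main__":
    renewal_local = datetime(2018, 2, 2, 15, 27, 33, tzinfo=NZDT)  # poster's clock reading
    print("notBefore shown in NZDT:", local_render(NOT_BEFORE, NZDT))
    print("status at", renewal_local.isoformat(), "->",
          validity_status(NOT_BEFORE, NOT_AFTER, renewal_local))
    print("same clock mislabeled as UTC ->",
          mislabeled_local_status(NOT_BEFORE, NOT_AFTER, renewal_local.replace(tzinfo=None)))
    print("status now ->", validity_status(NOT_BEFORE, NOT_AFTER, datetime.now(timezone.utc)))
```

For a live server, replace the sample constants with `fetch_dates("mail01.postbox.net.nz")` (port 443 for HTTPS; the SMTP listener would need STARTTLS first, which this helper does not do). Because both `timestamp()` on an aware datetime and `cert_time_to_seconds` produce UTC epoch seconds, the comparison is correct no matter what zone the server or the checking host is in; the mislabeled variant shows the wrong answer you get by comparing raw local wall-clock time.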

Are you sure about this? Let's Encrypt did not issue any certificates for mail01.postbox.net.nz with that notBefore.

https://crt.sh/?q=mail01.postbox.net.nz

What was the actual domain/email you used on that checktls.com test?

shane@virusbusters.co.nz is the test email - it is hosted on that server.

The crt.sh shows this entry:
318827852 2018-02-02 2018-02-02 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3

I am beginning to think it is an issue with the checktls site. I just ran it through mxtoolbox and another end-to-end mail checker: SMTP perfect. Ran it through a TLS HTTPS / port 443 check and they came back as okay. Possibly the checktls site is reporting the date wrong or not taking UTC vs non-UTC into account.
