Different expiry dates shown for generated privkey.pem, fulchain.pem ,chain.pem,cert.pem

snmore · August 5, 2021, 1:27pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:domain.com

I ran this command: sudo certbot certonly --standalone --preferred-challenges http -d domain.com

It produced this output:
IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2021-08-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

My web server is (include version):apache12

The operating system my web server runs on is (include version):ubuntu 12

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Osiris · August 5, 2021, 4:53pm

Could you perhaps please elaborate on what exactly the issue is? Because frankly, I don't understand your thread..

rg305 · August 5, 2021, 7:37pm

Hi @snmore, and welcome to the LE community forum

TOPIC:
"Different expiry dates shown for generated privkey.pem, fulchain.pem ,chain.pem,cert.pem"

Where are you seeing those expiry dates?

snmore · August 5, 2021, 7:52pm

i am using this cmd to check expiry details.
ssl-cert-check -c /etc/letsencrypt/live/[your_domain_name]/fullchain.pem

I am trying to renew certs and the expiry date for fullchain.pem shows 12th aug and for privkey.pem it shows expired .
"unable to load and privkey.pem expired"

Osiris · August 5, 2021, 7:53pm

Private keys such as privkey.pem don't have an expiry date?

rg305 · August 5, 2021, 7:54pm

The error message is misleading.
In your command, where do you point it to the private key?
If it is only given the fullchain file, and requires the private key, it may fail.
[that said, be very careful with any unknown script that requires access to your private key file]

snmore · August 5, 2021, 8:08pm

it just shows expired

Osiris · August 5, 2021, 8:09pm

What's that tool anyway? I've never heard of it. In any case, if it says a private key has expired, it's a buggy application.

snmore · August 5, 2021, 8:11pm

it just shows expired

Osiris · August 5, 2021, 8:12pm

As I said before, if it says a private key has expired, it's a buggy tool: a private key CANNOT expire.. It does NOT have an expiry date.

Also, if it's the following tool: GitHub - Matty9191/ssl-cert-check: Send notifications when SSL certificates are about to expire.

The -c option is to be used for certificates. It should not be used to input private keys into the application. I.e.: garbage in, garbage out. Although the tool probably should have more user input checking and error out with a message to the user that it should provide a certificate and not a private key.

snmore · August 5, 2021, 8:12pm

i installed it using apt-get ssl-cert-check, read on some article on stackoverflow

rg305 · August 5, 2021, 8:15pm

You are only pointing to one file.
A certificate is comprised of, at least, two files (when in .pem format):

a private key
a publicly signed cert

I don't know how the script works, but it seems to fail when only one file is given.
OR
It fails even when the correct file is given (fullchain.pem).
In this case, it is likely due to the local certificate store being out-of-date.

rg305 · August 5, 2021, 8:18pm

ssl-cert-check
Usage: /usr/bin/ssl-cert-check [ -e email address ] [-E sender email address] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-N] [-v]
       { [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c cert file ] } || { [ -d cert dir ] }

  -a                : Send a warning message through E-mail
  -b                : Will not print header
  -c cert file      : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file
  -d cert directory : Print the expiration date for the PEM or PKCS12 formatted certificates in cert directory
  -e E-mail address : E-mail address to send expiration notices
  -E E-mail sender  : E-mail address of the sender
  -f cert file      : File with a list of FQDNs and ports
  -h                : Print this screen
  -i                : Print the issuer of the certificate
  -k password       : PKCS12 file password
  -n                : Run as a Nagios plugin
  -N                : Run as a Nagios plugin and output one line summary (implies -n, requires -f or -d)
  -p port           : Port to connect to (interactive mode)
  -s commmon name   : Server to connect to (interactive mode)
  -t type           : Specify the certificate type
  -q                : Don't print anything on the console
  -v                : Specify a specific protocol version to use (tls, ssl2, ssl3)
  -V                : Only print validation data
  -x days           : Certificate expiration interval (eg. if cert_date < days)

rg305 · August 5, 2021, 8:19pm

ssl-cert-check -c fullchain.pem

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
FILE:fullchain.pem                              Valid        Oct 22 2021  78

It works for me!

snmore · August 5, 2021, 8:22pm

yes when checked with fullchain it works fine
I am getting error while renewing certs , and thats why i was checking if any pem file got expired

getting following error
Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:

The following errors were reported by the server:
Domain: domain.com
Type: connection
Detail: Fetching
Website Domain Names, Online Stores & Hosting | Domain.com
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

rg305 · August 5, 2021, 8:24pm

You can also do that with:
certbot certificates

As for the failure, try running certbot with -v, -vv, or -vvv until you see enough of a clue as to why it fails.
Feel free to post the LE logs here if you can't make heads/tails of the entries.

Osiris · August 5, 2021, 8:29pm

But your first post shows a successful renewal?

Also note that as the questionnair already said, your real domain name is required to get help on this Community.

system · September 4, 2021, 8:29pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.