Different expiry dates shown for generated privkey.pem, fulchain.pem ,chain.pem,cert.pem

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:domain.com

I ran this command: sudo certbot certonly --standalone --preferred-challenges http -d domain.com

It produced this output:
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/domain.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/domain.com/privkey.pem
    Your cert will expire on 2021-08-12. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

My web server is (include version):apache12

The operating system my web server runs on is (include version):ubuntu 12

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2

Could you perhaps please elaborate on what exactly the issue is? Because frankly, I don't understand your thread..

3 Likes
3

Hi @snmore, and welcome to the LE community forum :slight_smile:

TOPIC:
"Different expiry dates shown for generated privkey.pem, fulchain.pem ,chain.pem,cert.pem"

Where are you seeing those expiry dates?

4

i am using this cmd to check expiry details.
ssl-cert-check -c /etc/letsencrypt/live/[your_domain_name]/fullchain.pem

I am trying to renew certs and the expiry date for fullchain.pem shows 12th aug and for privkey.pem it shows expired .
"unable to load and privkey.pem expired"

5

Private keys such as privkey.pem don't have an expiry date?

2 Likes
6

The error message is misleading.
In your command, where do you point it to the private key?
If it is only given the fullchain file, and requires the private key, it may fail.
[that said, be very careful with any unknown script that requires access to your private key file]

1 Like
7

it just shows expired

8

What's that tool anyway? I've never heard of it. In any case, if it says a private key has expired, it's a buggy application.

9

it just shows expired

image
image1571×372 191 KB

10

As I said before, if it says a private key has expired, it's a buggy tool: a private key CANNOT expire.. It does NOT have an expiry date.

Also, if it's the following tool: GitHub - Matty9191/ssl-cert-check: Send notifications when SSL certificates are about to expire.

The -c option is to be used for certificates. It should not be used to input private keys into the application. I.e.: garbage in, garbage out. Although the tool probably should have more user input checking and error out with a message to the user that it should provide a certificate and not a private key.

1 Like
11

i installed it using apt-get ssl-cert-check, read on some article on stackoverflow

12

You are only pointing to one file.
A certificate is comprised of, at least, two files (when in .pem format):

  • a private key
  • a publicly signed cert

I don't know how the script works, but it seems to fail when only one file is given.
OR
It fails even when the correct file is given (fullchain.pem).
In this case, it is likely due to the local certificate store being out-of-date.

13 
ssl-cert-check
Usage: /usr/bin/ssl-cert-check [ -e email address ] [-E sender email address] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-N] [-v]
       { [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c cert file ] } || { [ -d cert dir ] }

  -a                : Send a warning message through E-mail
  -b                : Will not print header
  -c cert file      : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file
  -d cert directory : Print the expiration date for the PEM or PKCS12 formatted certificates in cert directory
  -e E-mail address : E-mail address to send expiration notices
  -E E-mail sender  : E-mail address of the sender
  -f cert file      : File with a list of FQDNs and ports
  -h                : Print this screen
  -i                : Print the issuer of the certificate
  -k password       : PKCS12 file password
  -n                : Run as a Nagios plugin
  -N                : Run as a Nagios plugin and output one line summary (implies -n, requires -f or -d)
  -p port           : Port to connect to (interactive mode)
  -s commmon name   : Server to connect to (interactive mode)
  -t type           : Specify the certificate type
  -q                : Don't print anything on the console
  -v                : Specify a specific protocol version to use (tls, ssl2, ssl3)
  -V                : Only print validation data
  -x days           : Certificate expiration interval (eg. if cert_date < days)
14 
ssl-cert-check -c fullchain.pem

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
FILE:fullchain.pem                              Valid        Oct 22 2021  78

It works for me!

15

yes when checked with fullchain it works fine
I am getting error while renewing certs , and thats why i was checking if any pem file got expired

getting following error
Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: domain.com
    Type: connection
    Detail: Fetching
    Website Domain Names, Online Stores & Hosting | Domain.com
    Timeout during connect (likely firewall problem)
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
16

You can also do that with:
certbot certificates

As for the failure, try running certbot with -v, -vv, or -vvv until you see enough of a clue as to why it fails.
Feel free to post the LE logs here if you can't make heads/tails of the entries.

17

But your first post shows a successful renewal? :question:

Also note that as the questionnair already said, your real domain name is required to get help on this Community.

1 Like
18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.