Error: Certificate expired

The person who installed the certificate is not available anymore.
In the past the certificate renewed every 3 months; I don't know why this stopped yesterday.

My domain is: https://ticket.sk-software.de

Accessing the website shows an error "not safe"

NET::ERR_CERT_DATE_INVALID
Subject: ticket.sk-software.de
Issuer: R3
Expires on: 16.06.2022
Current date: 17.06.2022
PEM encoded chain:

I ran this command: nothing yet

It produced this output:

My web server is (include version): apache

The operating system my web server runs on is (include version): debian 4.9.0-14

My hosting provider, if applicable, is: hetzner.de

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I don't know

Thankful for any help
Stefan

1 Like

Then you should be able to check your apache config and discover where the certificate is saved on your filesystem. That should give some hints as for what the acme client is.

1 Like

Thanks for your reply.

I found in etc/cron.d/certbot

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

But I don't know how to identify the ACME client

1 Like

run
certbot certificates
and
grep -ir letsencrypt /etc/apache2

1 Like

certbot certificates :frowning:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.


grep -ir letsencrypt /etc/apache2
/etc/apache2/conf-enabled/acme.conf:Alias "/.well-known/acme-challenge" "/var/www/letsEncryptChallenges/.well-known/acme-challenge"
/etc/apache2/conf-enabled/acme.conf:<Directory "/var/www/letsEncryptChallenges/.well-known/acme-challenge">

So it looks like Certbot is installed, but not used. So probably a different ACME client is in use.

I'm more interested to see the results of the command:

grep -ir sslcertificate /etc/apache2

1 Like

/etc/apache2/sites-enabled/35_froxlor_ssl_vhost_ticket.sk-software.de.conf: SSLCertificateFile /etc/ssl/froxlor-custom/ticket.sk-software.de.crt
/etc/apache2/sites-enabled/35_froxlor_ssl_vhost_ticket.sk-software.de.conf: SSLCertificateKeyFile /etc/ssl/froxlor-custom/ticket.sk-software.de.key
/etc/apache2/sites-enabled/35_froxlor_ssl_vhost_ticket.sk-software.de.conf: SSLCertificateChainFile /etc/ssl/froxlor-custom/ticket.sk-software.de_chain.pem
/etc/apache2/sites-enabled/35_froxlor_ssl_vhost_artfilo34.de.conf: SSLCertificateFile /etc/ssl/froxlor-custom/artfilo34.de.crt

Any idea what to check next?

Well, there's good news and bad news.

Good news is we now know you are using the Froxlor control panel to manage your Let's Encrypt certs.

Bad news is we rarely see problems with that on this community. I personally know nothing about it and their docs were not helpful. In fact, their docs section on "SSL" was empty.

Maybe another volunteer will know more about Froxlor. Or, try contacting the authors of that directly. Their GitHub and main websites are below. Or, contact your hosting provider if they provided Froxlor as part of their package.

2 Likes

Does it make sense to change the client? I don't have to administer the SSL cert with Froxlor. I am more interested in getting a running HTTPS connection.

I don't know. Sometimes control panels want to manage the entire server config and making manual changes with another client can make things worse. Other times it can work fine. I personally don't know Froxlor enough to say.

That's probably a better question for Froxlor experts / users on their GitHub or website.

2 Likes

Thanks for your help so far

2 Likes

Froxlor uses this client
/etc/cron.d # ~/.acme.sh/acme.sh --version :frowning:

v3.0.5

Would this be helpful?

I agree with @MikeMcQ: if you're administrating your websites using Froxlor, I wouldn't manually mess with the Apache configuration files. It could potentially lead to a totally messed up Froxlor.

Like Mike, I'm also not familiar with Froxlor. Frankly, I've never heard of it. It also seems you're not the only one with this issue: Check certificate for expiration · Issue #1035 · Froxlor/Froxlor · GitHub

Personally, I would hesitate to use such an undocumented software project.

2 Likes

I understand your arguments, but the Froxlor group says that is not a Froxlor thing, because they only call the ACME client

acme.sh --renew -d mydomain1.xxx --server letsencrypt

Nonetheless, they should be the persons who can provide you with help on how to decently debug this issue. Does Froxlor log the output of acme.sh? If so, where? Et cetera. We don't have a clue :slight_smile:

Froxlor is the front-end of acme.sh. It's kinda lame to throw your issue over the fence and say "It's not our problem!". Acme.sh is a tool used directly by Froxlor, so Froxlor should provide enough support on how to handle this. Froxlor is handling (or should) the renewals, Froxlor is handling the webserver, Froxlor is doing everything, even if it's just delegating.

1 Like

Adding on to Osiris' comment, @steki refer back to your post #7. It shows the certs and server config files in Froxlor-specific folders. They set up a custom configuration.

If you can show us the error issued by the Let's Encrypt servers we could maybe help. If there are any they should be in the Froxlor or acme.sh logs. But, errors can occur within either of those systems too. It might not have anything to do with Let's Encrypt specifically.

I don't see anything obviously wrong with the connection to your server. And, the Let's Debug test site sees it ok too.

If your hosting provider included Froxlor with your package they should be able to help.

3 Likes

Thank you for your patience

The reason I continue asking here is that the service stopped working on 17.06.2022 and
~/.acme.sh/acme.sh --list tells me

Main_Domain KeyLength SAN_Domains CA Created Renew
meet.sk-software.de "4096" no LetsEncrypt.org Sun Apr 17 22:25:19 UTC 2022 2022-06-16T22:25:19Z
notify.galerie-admin.de "4096" no LetsEncrypt.org Sun Apr 17 22:25:31 UTC 2022 2022-06-16T22:25:31Z

So I thought it had something to do with the renew process.

If I run
~/.acme.sh/acme.sh --renew -d wiki.galerie-admin.de --server letsencrypt

I get

[Sun Jun 19 18:39:15 CEST 2022] Renew: 'tools.artfil34.de'
[Sun Jun 19 18:39:15 CEST 2022] 'tools.artfil34.de' is not an issued domain, skip.
2 root@galerie-admin /etc/cron.d # ~/.acme.sh/acme.sh --renew -d wiki.galerie-admin.de --server letsencrypt :frowning:
[Sun Jun 19 18:39:52 CEST 2022] Renew: 'wiki.galerie-admin.de'
[Sun Jun 19 18:39:52 CEST 2022] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sun Jun 19 18:39:53 CEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Jun 19 18:39:53 CEST 2022] Creating domain key
[Sun Jun 19 18:39:54 CEST 2022] The domain key is here: /root/.acme.sh/wiki.galerie-admin.de/wiki.galerie-admin.de.key
[Sun Jun 19 18:39:54 CEST 2022] Single domain='wiki.galerie-admin.de'
[Sun Jun 19 18:39:54 CEST 2022] Getting domain auth token for each domain
[Sun Jun 19 18:39:56 CEST 2022] Getting webroot for domain='wiki.galerie-admin.de'
[Sun Jun 19 18:39:56 CEST 2022] Verifying: wiki.galerie-admin.de
[Sun Jun 19 18:39:57 CEST 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Sun Jun 19 18:40:02 CEST 2022] Pending, The CA is processing your order, please just wait. (2/30)
[Sun Jun 19 18:40:05 CEST 2022] Pending, The CA is processing your order, please just wait. (3/30)
[Sun Jun 19 18:40:09 CEST 2022] Success
[Sun Jun 19 18:40:09 CEST 2022] Verify finished, start to sign.
[Sun Jun 19 18:40:09 CEST 2022] Lets finalize the order.
[Sun Jun 19 18:40:09 CEST 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/97618304/99200566676'
[Sun Jun 19 18:40:11 CEST 2022] Downloading cert.
[Sun Jun 19 18:40:11 CEST 2022] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0374461ff9ebadbbb3467a8aeb8ad6923870'
[Sun Jun 19 18:40:12 CEST 2022] Cert success.

That's wonderful. You successfully got a cert using acme.sh. That shows it can work and that Let's Encrypt has no problem with your server or domain name.

But, acme.sh placed the cert files in its own folder structure. Your server was configured by Froxlor to get the certs from Froxlor's configuration folders.

I am hesitant to make suggestions other than to discuss with Froxlor. Making manual changes to their configuration can result in poor results going forward.

UPDATE: I just realized you got a cert for a different domain than you showed in prior posts. So, what I just said applies to your wiki domain name, not your ticket domain.

3 Likes

How can acme.sh even """renew""" a certificate it didn't know before? :roll_eyes:

3 Likes
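
The mismatch the thread ends on (Apache serves certificates from Froxlor's folder, while acme.sh tracks its own list of domains with their own renew dates) can be checked by cross-referencing the two command outputs shown above. This is an added example, not code from any poster, Froxlor or acme.sh; it assumes the certificate file's basename is the domain, as in the paths in the thread, and the domains and dates in `demo` are constructed sample data.

```shell
#!/bin/sh
# audit_certs GREP_OUT LIST_OUT NOW_UTC
#   GREP_OUT: saved output of `grep -ir sslcertificate /etc/apache2`
#   LIST_OUT: saved output of `~/.acme.sh/acme.sh --list`
# Assumption: the certificate basename is the domain (Froxlor-style path).
audit_certs() {
    awk -v list="$2" -v now="$3" '
        BEGIN {
            # Domain is the first column, Renew time the last. ISO 8601 UTC
            # timestamps order correctly when compared as plain strings.
            while ((getline line < list) > 0) {
                n = split(line, f)
                if (n >= 2 && f[1] != "Main_Domain") renew[f[1]] = f[n]
            }
            close(list)
        }
        # Only SSLCertificateFile names the leaf cert; skip Key/Chain lines.
        tolower($0) ~ /sslcertificatefile[ \t]/ {
            domain = $NF
            sub(/^.*\//, "", domain)          # drop the directory part
            sub(/\.(crt|pem)$/, "", domain)   # drop the file extension
            if (!(domain in renew))        status = "UNMANAGED"
            else if (renew[domain] <= now) status = "OVERDUE"
            else                           status = "OK"
            print status, domain, $NF
        }
    ' "$1"
}

# Constructed sample data (not taken from the server in the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/list" <<'EOF'
Main_Domain KeyLength SAN_Domains CA Created Renew
a.example "4096" no LetsEncrypt.org Sun Apr 17 22:25:19 UTC 2022 2022-06-16T22:25:19Z
b.example "4096" no LetsEncrypt.org Sat Jun 18 10:00:00 UTC 2022 2022-08-17T10:00:00Z
EOF
    cat > "$tmp/grep" <<'EOF'
/etc/apache2/sites-enabled/a.conf: SSLCertificateFile /etc/ssl/froxlor-custom/a.example.crt
/etc/apache2/sites-enabled/a.conf: SSLCertificateKeyFile /etc/ssl/froxlor-custom/a.example.key
/etc/apache2/sites-enabled/b.conf: SSLCertificateFile /etc/ssl/froxlor-custom/b.example.crt
/etc/apache2/sites-enabled/c.conf: SSLCertificateFile /etc/ssl/froxlor-custom/c.example.crt
EOF
    audit_certs "$tmp/grep" "$tmp/list" "2022-06-19T16:39:00Z"
    rm -rf "$tmp"
}

demo
```

On a live server the third argument would be `$(date -u +%Y-%m-%dT%H:%M:%SZ)`; an UNMANAGED line means Apache serves a certificate that acme.sh has no record of, so no acme.sh renewal will ever replace it.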