Error message even if the certificate is validated

Hello,

My domain is: up2school.com

I ran this command: I followed these instructions: Certbot Instructions | Certbot

It produced this output:
The certificate seems to be valid for 90 days. It is written as valid until December 4th most of the time I go on the site. But sometimes I still get an error message on my site ("NET::ERR_CERT_DATE_INVALID")

What could be the cause of this?

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29.0

Thank you very much for your help.

Regards.

Welcome to the community @Sacha

This is often because the date/time of your machine has the wrong date

But, I also see your Apache server is sometimes sending out a wrong cert. Sometimes it sends one with up2school.com and your www domain that is expired. Other times it sends a current cert with only the up2school.com name in it.

To know how to proceed we need to know what you have. Let's take a look at your Apache config and what certbot has done. Please show output of these two commands:

```
sudo certbot certificates
sudo apachectl -t -D DUMP_VHOSTS
```

Please place 3 backticks before and after the output like:
```
output
```

5 Likes

Hello @MikeMcQ
Thank you for your reply and for spending time to help me.

```
Found the following certs:
  Certificate Name: mavilledereve.com
    Serial Number: 32668ebf7d10debce6a311cb6d67ea3055c
    Key Type: RSA
    Domains: mavilledereve.com wp.mavilledereve.com
    Expiry Date: 2021-06-23 11:55:10+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/mavilledereve.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mavilledereve.com/privkey.pem
  Certificate Name: old.up2school.com
    Serial Number: 4cc7a44397f3a5f56b4d375599ddfe31166
    Key Type: RSA
    Domains: old.up2school.com
    Expiry Date: 2022-11-13 06:30:07+00:00 (VALID: 67 days)
    Certificate Path: /etc/letsencrypt/live/old.up2school.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.up2school.com/privkey.pem
  Certificate Name: preprod-bac.up2school.com
    Serial Number: 3417388edfd670478e905531f33aa196654
    Key Type: RSA
    Domains: preprod-bac.up2school.com
    Expiry Date: 2022-06-21 11:49:34+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/preprod-bac.up2school.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/preprod-bac.up2school.com/privkey.pem
  Certificate Name: up2school.com-0001
    Serial Number: 4623db9d8a1a0b13b8a2d663ab80eb10938
    Key Type: RSA
    Domains: up2school.com
    Expiry Date: 2022-12-04 12:30:51+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/up2school.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/up2school.com-0001/privkey.pem
  Certificate Name: up2school.com
    Serial Number: 3a8ee0f5723ab9309c0ddfeb36f51cc1147
    Key Type: RSA
    Domains: up2school.com www.up2school.com
    Expiry Date: 2022-10-25 21:32:49+00:00 (VALID: 49 days)
    Certificate Path: /etc/letsencrypt/live/up2school.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/up2school.com/privkey.pem
  Certificate Name: up2school.fr
    Serial Number: 3763e1989c49ad1feba2f3c267de70c98de
    Key Type: RSA
    Domains: up2school.fr www.up2school.fr
    Expiry Date: 2022-10-16 21:28:12+00:00 (VALID: 40 days)
    Certificate Path: /etc/letsencrypt/live/up2school.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/up2school.fr/privkey.pem
  Certificate Name: wp.mavilledereve.com
    Serial Number: 3ed623e03eb66b7273be21fbae9e05ebb7e
    Key Type: RSA
    Domains: wp.mavilledereve.com
    Expiry Date: 2022-10-23 06:29:46+00:00 (VALID: 46 days)
    Certificate Path: /etc/letsencrypt/live/wp.mavilledereve.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wp.mavilledereve.com/privkey.pem
```

And the second one:

```
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server old.up2school.com (/etc/apache2/sites-enabled/preprod-bac.up2school.com-le-ssl.conf:2)
         port 443 namevhost old.up2school.com (/etc/apache2/sites-enabled/preprod-bac.up2school.com-le-ssl.conf:2)
         port 443 namevhost up2school.com (/etc/apache2/sites-enabled/up2school-le-ssl.conf:2)
                 alias www.up2school.com
         port 443 namevhost up2school.fr (/etc/apache2/sites-enabled/up2school.fr-le-ssl.conf:2)
                 alias www.up2school.fr
         port 443 namevhost wp.mavilledereve.com (/etc/apache2/sites-enabled/villedereve-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server vps-991e8f9b.vps.ovh.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost vps-991e8f9b.vps.ovh.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost old.up2school.com (/etc/apache2/sites-enabled/preprod-bac.up2school.com.conf:1)
         port 80 namevhost up2school.com (/etc/apache2/sites-enabled/up2school.conf:2)
                 alias www.up2school.com
         port 80 namevhost wp.mavilledereve.com (/etc/apache2/sites-enabled/villedereve.conf:1)
```
1 Like

Thanks. That doesn't look so bad :slight_smile:

What is in this file? Please use 3 backticks again

3 Likes
```
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName up2school.com
    ServerAlias www.up2school.com
    ServerAdmin alexis@2empower.com
    DocumentRoot "/var/www/up2school/public"

    RedirectMatch 301 /fr/article/classements/classement-ecoles-de-commerce-2021-american-dream/ https://up2school.com/masters/classement/classement-ecoles-commerce-2021-nasdaq-american-dream/
    RedirectMatch 301 /bac/classement/classement-ecoles-de-commerce-2021-american-dream/ https://up2school.com/masters/classement/classement-ecoles-commerce-2021-nasdaq-american-dream/
    RedirectMatch 301 /fr/article/classements/classement-ecoles-commerce-2021-french-tech-saas/ https://up2school.com/masters/classement/classement-ecoles-commerce-2021-ft120-saas-data-cloud/
    RedirectMatch 301 /fr/article/classements/classement-ecoles-commerce-2021-french-tech-(.+)$ https://up2school.com/masters/classement/classement-ecoles-commerce-2021-ft120-$1
    RedirectMatch 301 /fr/article/classements/classement-ecoles-commerce-2020-french-tech/ https://up2school.com/masters/classement/classement-ecoles-commerce-2020-frenchtech/
    RedirectMatch 301 /fr/article/classements/classement-ecoles-commerce-2021-french-tech/ https://up2school.com/masters/classement/classement-ecoles-commerce-2021-ft120-frenchtech/
    RedirectMatch 301 /fr/article/classements/(.+)$ https://up2school.com/masters/classement/$1

    RedirectMatch 301 /fr/article/?$ https://up2school.com/bac
    RedirectMatch 301 /fr/article/(.+)$ https://up2school.com/bac/$1

    <Directory "/var/www/up2school/public">
        Options FollowSymLinks Indexes
        AllowOverride All
        Allow from all
        Require all granted
        FallbackResource /index.php
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_URI} !^/ajax
            RewriteCond %{REQUEST_URI} !^/api
            RewriteCond %{REQUEST_URI} !^/zone_m1tenance
            RewriteCond %{REQUEST_URI} !^/espace-ecole
            RewriteCond %{REQUEST_URI} !^/masters
            RewriteCond %{REQUEST_URI} !^/bac
            RewriteCond %{REQUEST_URI} !^/(fr|en)
            RewriteCond %{REQUEST_URI} !^/index.php
            RewriteCond %{REQUEST_URI} !^/_
            RewriteRule ^(.*)$ /fr/$1 [L,R=307]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
#            RewriteCond %{REQUEST_URI} !^/(fr|en)/article(/.+)? [NC]
            RewriteRule . /index.php [L]
        </IfModule>

        <IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
    </Directory>

    Alias "/bac" "/var/www/up2school-bac/"

    <Directory "/var/www/up2school-bac">
<IfModule mod_headers.c>
  #Header set Access-Control-Allow-Origin "*"
</IfModule>
        # BEGIN WordPress
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /bac/
            RewriteRule ^index\.php$ - [L]
            RewriteCond $1 ^(index\.php)?$ [OR]
            RewriteCond $1 \.(gif|jpg|png|ico|css|js)$ [NC,OR]
            RewriteCond %{REQUEST_FILENAME} -f [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^(.*)$ - [S=1]
            RewriteRule . /bac/index.php [L]
        </IfModule>
        # END Wordpress
        Require all granted
        DirectoryIndex index.php
        Options +Indexes
        Allow from All

        <IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
<IfModule mod_expires.c>
ExpiresActive On
#ExpiresByType text/html "access 1 month"
ExpiresByType text/css "access 1 month"
ExpiresByType text/javascript "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/webp "access 1 year"
ExpiresByType image/svg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-javascript "access 1 month"
#ExpiresByType application/xhtml+xml "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 4 days"
</IfModule>
    </Directory>

    Alias "/masters" "/var/www/up2school/masters"

    <Directory "/var/www/up2school/masters">
        # BEGIN WordPress
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /masters/
            RewriteRule ^index\.php$ - [L]
            RewriteCond $1 ^(index\.php)?$ [OR]
            RewriteCond $1 \.(gif|jpg|png|ico|css|js)$ [NC,OR]
            RewriteCond %{REQUEST_FILENAME} -f [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^(.*)$ - [S=1]
            RewriteRule . /masters/index.php [L]
        </IfModule>
        # END Wordpress
        Require all granted
        DirectoryIndex index.php
        Options +Indexes
        Allow from All
    </Directory>

    ErrorLog "/var/log/apache2/up2school_error_log.log"
    CustomLog "/var/log/apache2/up2school_access_log.log" common
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =www.up2school.com [OR]
# RewriteCond %{SERVER_NAME} =up2school.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/up2school.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/up2school.com-0001/privkey.pem
</VirtualHost>
</IfModule>
```

Here is part of the problem. Your Apache VirtualHost is using the cert with the -0001 name and you can see in the cert output that cert only has the one domain name in it.

Looks like someone tried to update that cert but used a different method. In any case, let's fix that first. I'd like to see contents of this file before I suggest something:

/etc/letsencrypt/renewal/up2school.com.conf

Your current Apache cert lines:

3 Likes

Ok, I understand the problem. Maybe it's due to the fact that I tried other certificate solutions (via my host in particular) before discovering Let's Encrypt

```
# renew_before_expiry = 30 days
version = 1.29.0
archive_dir = /etc/letsencrypt/archive/up2school.com
cert = /etc/letsencrypt/live/up2school.com/cert.pem
privkey = /etc/letsencrypt/live/up2school.com/privkey.pem
chain = /etc/letsencrypt/live/up2school.com/chain.pem
fullchain = /etc/letsencrypt/live/up2school.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 1f942cb99da513dcb6179294c245c37d
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
```

And, let's see if that would renew with a test. What does this show

```
sudo certbot renew --cert-name up2school.com --dry-run
```
3 Likes

I get an error

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/up2school.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for up2school.com and www.up2school.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: up2school.com
  Type:   unauthorized
  Detail: 135.125.202.29: Invalid response from https://up2school.com/fr/.well-known/acme-challenge/fMDpNqNYI7FO0zkbGB4jPiqxW1iu26_quanz10IWK7o: 404

  Domain: www.up2school.com
  Type:   unauthorized
  Detail: 135.125.202.29: Invalid response from https://www.up2school.com/fr/.well-known/acme-challenge/wT3FmGqApteJeHxMWMW2j9QdG5l5ibkN-St8DzsGBGg: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate up2school.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/up2school.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
1 Like

OK. Need to see contents of this file. Also, are you still using the up2school.fr domain? Because I did not see a port 80 VirtualHost for that name but I see one for port 443.

/etc/apache2/sites-enabled/up2school.conf
3 Likes

The up2school.fr domain is supposed to redirect to up2school.com.
On the up2school.com domain, there are three sites: two WordPress sites (up2school.com/bac and up2school.com/masters) and a third site (up2school.com/fr)

Here is the file:

```
<VirtualHost *:80>
    ServerName up2school.com
    ServerAlias www.up2school.com
    ServerAdmin alexis@2empower.com
    DocumentRoot "/var/www/up2school/public"

    RedirectMatch 301 /fr/article/?$ https://up2school.com/bac
    RedirectMatch 301 /fr/article/(.+) https://up2school.com/bac/$1

    <Directory "/var/www/up2school/public">
        Options FollowSymLinks Indexes
        AllowOverride All
        Allow from all
        Require all granted
        FallbackResource /index.php
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_URI} !^/ajax
            RewriteCond %{REQUEST_URI} !^/api
            RewriteCond %{REQUEST_URI} !^/zone_m1tenance
            RewriteCond %{REQUEST_URI} !^/espace-ecole
            RewriteCond %{REQUEST_URI} !^/(fr|en)
            RewriteCond %{REQUEST_URI} !^/index.php
            RewriteCond %{REQUEST_URI} !^/_
            RewriteRule ^(.*)$ /fr/$1 [L,R=307]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_URI} !^/(fr|en)/article(/.+)? [NC]
            RewriteRule . /index.php [L]
        </IfModule>
    </Directory>

    Alias "/fr/article" "/var/www/up2school/ressources"

    <Directory "/var/www/up2school/ressources">
        # BEGIN WordPress
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /fr/article/
            RewriteRule ^index\.php$ - [L]
            RewriteCond $1 ^(index\.php)?$ [OR]
            RewriteCond $1 \.(gif|jpg|png|ico|css|js)$ [NC,OR]
            RewriteCond %{REQUEST_FILENAME} -f [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^(.*)$ - [S=1]
            RewriteRule . /fr/article/index.php [L]
        </IfModule>
        # END Wordpress
        Require all granted
        DirectoryIndex index.php
        Options +Indexes
        Allow from All
    </Directory>

    ErrorLog "/var/log/apache2/up2school_error_log.log"
    CustomLog "/var/log/apache2/up2school_access_log.log" common
    RewriteEngine On
    RewriteCond %{SERVER_NAME} =www.up2school.com [OR]
    RewriteCond %{SERVER_NAME} =up2school.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Hmm. I need a minute to think about this. I can see what is happening but not sure why and not sure what I want to recommend.

You can see in your renew test the error message shows the URL starting with https://up2school.com/fr/...

That fails with a 404 error which is "not found". So, the Let's Encrypt server could not find its expected challenge response at that URL.

But, the Apache authenticator should be inserting its own redirect to capture the original challenge request in the http (port 80) server. So, we should not be seeing the redirect to your https VirtualHost which is the one redirecting to the /fr/ folder.

I am inclined to recommend switching to the certonly --webroot -w method to replace the apache plug-in. But, give me a minute.

Mind you, there is another problem of the erratic responses from your server. I think these are due to an "orphaned" apache fork which could be fixed with a server restart. But, I would want to check other items before having you do that.

4 Likes
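As an added example (not from the thread, and not certbot's or Apache's own tooling), the following Python lint cross-checks a `certbot certificates` listing against vhost files for the two problems raised so far: a vhost loading a lineage that does not cover all of its names (the -0001 cert with only the apex name), and a catch-all RewriteRule with no exemption for `/.well-known/acme-challenge/`, which would also redirect an http-01 request the way the failed dry run shows. The sample inputs are constructed and abridged from the thread's output, and the rewrite check is a heuristic over the text of the block, not an Apache parser.

```python
"""Added example (not from the thread): lint an Apache vhost file against
`certbot certificates` output for the problems discussed above."""
import re

# Constructed sample, abridged from the thread's certbot output.
CERTBOT_OUTPUT = """\
  Certificate Name: up2school.com-0001
    Domains: up2school.com
    Expiry Date: 2022-12-04 12:30:51+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/up2school.com-0001/fullchain.pem
  Certificate Name: preprod-bac.up2school.com
    Domains: preprod-bac.up2school.com
    Expiry Date: 2022-06-21 11:49:34+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/preprod-bac.up2school.com/fullchain.pem
"""
# Constructed sample, abridged from the thread's two vhost files.
VHOST_CONF = """\
<VirtualHost *:443>
    ServerName up2school.com
    ServerAlias www.up2school.com
    SSLCertificateFile /etc/letsencrypt/live/up2school.com-0001/fullchain.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName up2school.com
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/(fr|en)
    RewriteRule ^(.*)$ /fr/$1 [L,R=307]
</VirtualHost>
"""

def parse_certbot(text):
    """Map each fullchain path to (lineage name, set of domains, expired?)."""
    lineages, name, domains, expired = {}, None, set(), False
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        if key == "Certificate Name":
            name, domains, expired = val.strip(), set(), False
        elif key == "Domains":
            domains = set(val.split())
        elif key == "Expiry Date":
            expired = "EXPIRED" in val
        elif key == "Certificate Path":
            lineages[val.strip()] = (name, domains, expired)
    return lineages

def audit(certbot_text, vhost_text):
    """Return one finding string per problem found in the vhost blocks."""
    lineages, findings = parse_certbot(certbot_text), []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", vhost_text, re.S):
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(\S+)", block, re.M) or ["?"]
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", block, re.M)
        if cert and cert.group(1) in lineages:
            lin_name, domains, _ = lineages[cert.group(1)]
            missing = sorted(set(names) - domains)  # vhost names the cert lacks
            if missing:
                findings.append(f"{names[0]}: cert {lin_name} lacks {' '.join(missing)}")
        # Heuristic: a catch-all RewriteRule in a block that never mentions the ACME
        # path will also rewrite http-01 challenge requests (the 404 in the thread).
        if re.search(r"^\s*RewriteRule\s+\^\(\.\*\)\$", block, re.M) and "acme-challenge" not in block:
            findings.append(f"{names[0]}: catch-all RewriteRule does not exempt /.well-known/acme-challenge/")
    for lin_name, _, expired in lineages.values():
        if expired:
            findings.append(f"lineage {lin_name} is expired; renew it or remove it")
    return findings
```

Run `audit` on the real `certbot certificates` output and the concatenated contents of `/etc/apache2/sites-enabled/*.conf`; an empty list means every SSL vhost loads a lineage covering all its names and no lineage is expired.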

Well, thank you! I await your next recommendations then.

1 Like

I am curious why the -0001 cert worked. Maybe we can just build off that instead. Would you show contents of this file.

/etc/apache2/sites-enabled/up2school.com-0001.conf

@Sacha Oops, sorry, typo. This file:

/etc/letsencrypt/renewal/up2school.com-0001.conf
3 Likes

I think you should not use this cert (with -0001) and then delete it:

Why is there no HTTP vhost to cover the FQDNs www.up2school.fr and up2school.fr?
How do they redirect?

2 Likes

I disagree. That one was issued just 2 days ago. It provides clues as to what method is working since the cert with both names failed the renew test a few posts back. Deleting it will lose useful info.

There are several layers of problems here. I agree with the end goal of single cert with both domains.

3 Likes

Agreed: Get the renewal.conf file information before deleting any cert(s).

3 Likes

I had to leave for a few hours, here is the requested file!

```
# renew_before_expiry = 30 days
version = 1.29.0
archive_dir = /etc/letsencrypt/archive/up2school.com-0001
cert = /etc/letsencrypt/live/up2school.com-0001/cert.pem
privkey = /etc/letsencrypt/live/up2school.com-0001/privkey.pem
chain = /etc/letsencrypt/live/up2school.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/up2school.com-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 1f942cb99da513dcb6179294c245c37d
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
```

@rg305

> Why is there no HTTP vhost to cover the FQDNs www.up2school.fr and up2school.fr?
> How do they redirect?

Honestly I'm not sure I understand your question, I think my technical knowledge is too limited. But theoretically, up2school.fr domain names are empty and should redirect directly to up2school.com (the three sites are on this domain: /bac, /masters and /fr)

That is not at all what I was expecting. What does this show?

```
sudo certbot renew --cert-name up2school.com-0001 --dry-run
```
3 Likes

The only HTTP vhosts shown are:

Please show this file:
/etc/apache2/sites-enabled/000-default.conf

2 Likes