Expired certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

The certbot renewal went through, but when we hit the URL it still says that the issued certificate has expired.

My domain is:

I ran this command: wget URL
It produced this output: Issued certificate has expired.

My web server is (include version):

The operating system my web server runs on is (include version): RHEL7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.29.1

You have not provided much info but did you reload / restart your server after getting a fresh certificate?

5 Likes

Hi Mike,

I restarted the services and also the server. Certbot renewed the certificate successfully, but when we access the URL it says the certificate has expired.

Need more info to provide advice. What is your

Web Server (apache, nginx, ...)?

Failing URL or domain name

3 Likes

Hi Mike,

It is apache.

Thank you for following up on this.
Certbot renewal was successful, but below is the error. Do we need to renew the root certificate from the Certbot website?

CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

###########################################Requested output###########################
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Ah, that looks like the CA root cert store on your RHEL7 is badly out of date.

That said, your cert is not necessarily bad. See a site like this and I think you will find it verifies successfully. Just enter your domain name and port 443 to test HTTPS access.

Do you need the WGET on your own server to succeed? Or are you just concerned by the message?

You are showing a part of the "long chain" that your server uses. Here is more background info on the long and short chains. Note that most sites use the long chain like yours, even this forum website.

3 Likes

Hey Mike,

Thank you for the confirmation that the cert will still work when we connect from our internal network, but when we connect externally it still throws an error that the site is not secured.

This kind of problem is harder to debug without knowing the domain name.

What was the result of using that website ssl checker for your domain?

3 Likes

There is also the possibility (on older versions of Apache) that you are using a very outdated chain file.
Of course, without any real information, we can only guess.

2 Likes

Hello,

How do we fix the below issue, "Expiration of Certificate"?

DST Root CA X3 expiration

We are trying to help but you do not give us much info.

I think you have an old CA Certificates root store. An updated package was created last Sept to address problems that occurred when DST Root CA X3 expired on Sept 30. See this topic. I know the title says RHEL/CentOS6 but info on RHEL7 is there too.

One way to confirm you have an old root store is with this:

grep -Ei 'ISRG|DST|R3' /etc/pki/tls/certs/ca-bundle.crt | grep '#'

Let us know what that says.

Also, please let us know if that SSL Checker website said your cert was ok. Thanks.

4 Likes
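Added example, not written by anyone in this thread: a small shell helper that reads verification output in the format quoted above (as printed by `openssl s_client`) and reports whether the "certificate has expired" error applies to the server's own certificate (depth 0) or only to a certificate higher in the chain, as with DST Root CA X3 at depth 3 here. The function names and the second sample are constructed for illustration.

```shell
# expired_depths: read verification output on stdin and print
# "<depth> <subject>" for every chain entry that failed with
# verify error 10 (certificate has expired).
expired_depths() {
  awk '
    /^depth=[0-9]+ / {
      depth = $1; sub(/^depth=/, "", depth)
      subject = $0; sub(/^depth=[0-9]+ /, "", subject)
    }
    /^verify error:num=10:/ { print depth, subject }
  '
}

# diagnose: print "leaf" if the server certificate itself (depth 0)
# is expired, "chain" if only an intermediate or root is expired,
# and "none" if no expiry error was reported.
diagnose() {
  hits=$(expired_depths)
  if [ -z "$hits" ]; then
    echo none
  elif printf '%s\n' "$hits" | grep -q '^0 '; then
    echo leaf
  else
    echo chain
  fi
}

# Output exactly as quoted in the thread.
THREAD_OUTPUT='CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT'

# Constructed sample: what a genuinely expired server certificate looks like.
LEAF_OUTPUT='CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=10:certificate has expired
notAfter=Jan  1 00:00:00 2022 GMT'

printf '%s\n' "$THREAD_OUTPUT" | diagnose   # chain: renewal is fine, look at the client trust store
printf '%s\n' "$LEAF_OUTPUT" | diagnose     # leaf: the served certificate itself is expired
```

A "chain" result matches the situation in this thread: the renewed certificate is not the expired one, so the place to look is the client's CA root store or the chain file the server sends.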

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.