Expired certificates detected after a renewal ( Certbot, nginx )

Hello! I just tried to update Let's Encrypt certificates on my server for one of my domains (some others give the same error). I renewed the certificates, restarted nginx, checked the symlinks of the certs, but still an older version is being detected. I would appreciate very much any feedback on how I could fix that!

Domain: https://peakspirit.de

I ran this command + output:

certbot-3.7 --nginx -w /var/www/peakspirit.de/www/ -d peakspirit.de -d www.peakspirit.de

certbot certificates

Domains: peakspirit.de www.peakspirit.de
Expiry Date: 2020-12-31 17:37:51+00:00 (VALID: 89 days)
Certificate Path: /usr/local/etc/letsencrypt/live/peakspirit.de/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/peakspirit.de/privkey.pem

service nginx restart

All good.

openssl s_client -showcerts -servername peakspirit.de -connect peakspirit.de:443

verify error:num=10:certificate has expired
notAfter=Sep 11 15:28:07 2020 GMT

My web server: FreeBSD 12, nginx/1.18.0, Certbot 1.5.0, full root shell

Configuration:

listen 443 ssl http2;
server_name peakspirit.de www.peakspirit.de;

fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
ssl_certificate /usr/local/etc/letsencrypt/live/peakspirit.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /usr/local/etc/letsencrypt/live/peakspirit.de/privkey.pem; # managed by Certbot
ssl_dhparam /usr/local/etc/ssl/dhparam4096.pem;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=0; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

2 Likes

The expired certificate is for mindspl.at:

$ openssl s_client -connect peakspirit.de:443 -showcerts 2>/dev/null | openssl x509 -noout -dates -subject
notBefore=Jun 13 15:28:07 2020 GMT
notAfter=Sep 11 15:28:07 2020 GMT
subject=CN = mindspl.at

I would check that none of the server_names you have in nginx are overlapping, and that your config is valid at all:

nginx -t
4 Likes

Also check that the file is in a location that is actually being included into the config.
[not too common a problem for nginx (more for apache) - but worth checking into]

2 Likes

I appreciate your replies! Still, it is difficult for me to narrow down the issue:

openssl s_client -showcerts -servername peakspirit.de -connect peakspirit.de:443

gives an outdated certificate with a different CN,

depth=0 CN = mindspl.at
verify error:num=10:certificate has expired
notAfter=Sep 11 15:28:07 2020 GMT
depth=0 CN = mindspl.at

but in the meantime I ran on the server

certbot-3.7 --nginx -w /var/www/peakspirit.de/www/ -d peakspirit.de -d www.peakspirit.de

which gives

certbot certificates

Domains: peakspirit.de www.peakspirit.de
Expiry Date: 2020-12-31 20:23:10+00:00 (VALID: 81 days)

I admit it may be that at some point in the past I screwed up a certificate that was issued for two domains, as you can see. But now the web server should point to the new (and I suppose correct) certificates, server_names are not overlapping, and nginx -t is fine.

Do you have an idea where I can search for that outdated certificate — and somehow disable it — which is served instead of the new one from certbot?

2 Likes

Hello 🙂

I'll try to help you out.


I noticed that you are using two different certbot commands: certbot-3.7 and certbot

Do you have multiple versions of certbot installed?


Your certbot command is malformed. You can only use one type of authenticator at a time. If there are any errors shown in the output when you run any of the commands below, please copy-and-paste the command that you executed and the complete output for us to see.

Testing

If you want to use the nginx authenticator:
certbot certonly --cert-name peakspirit --nginx -d "peakspirit.de,www.peakspirit.de" --dry-run

If you want to use the webroot authenticator:
certbot certonly --cert-name peakspirit --webroot -w /var/www/peakspirit.de/www -d "peakspirit.de,www.peakspirit.de" --dry-run

Live

If you want to use the nginx authenticator:
certbot run --cert-name peakspirit -a nginx -d "peakspirit.de,www.peakspirit.de" -i nginx --keep-until-expiring

If you want to use the webroot authenticator:
certbot run --cert-name peakspirit -a webroot -w /var/www/peakspirit.de/www -d "peakspirit.de,www.peakspirit.de" -i nginx --keep-until-expiring


Once you've successfully executed one of the live commands above, you should have a new certificate named peakspirit.

You can view your certificates and note their names:
certbot certificates

You can delete any unneeded certificates:
certbot delete --cert-name name

You can view your certificates again to confirm:
certbot certificates


Wrong certificate being served:

Complete certificate history:

1 Like

Please show the output of:
[which should show us "a very basic outline" of your config]
nginx -T | grep -Ei 'certificate|server_name|listen|root'

1 Like

Thank you for following up !

I noticed that you are using two different certbot commands: certbot-3.7 and certbot Do you have multiple versions of certbot installed?

I am of the opinion that I have only one version installed.

I have run the following commands, without errors:

certbot delete --cert-name peakspirit.de
certbot run -a nginx -d "peakspirit.de,www.peakspirit.de" -i nginx --keep-until-expiring

The output of

nginx -T | grep -Ei 'certificate|server_name|listen|root' is

listen 80;
server_name peakspirit.de www.peakspirit.de;
root /var/www/peakspirit.de/www;
listen 443 ssl http2;
server_name peakspirit.de www.peakspirit.de;
root /var/www/peakspirit.de/www;
ssl_certificate /usr/local/etc/letsencrypt/live/peakspirit.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /usr/local/etc/letsencrypt/live/peakspirit.de/privkey.pem; # managed by Certbot

2 Likes

The nginx -T is very clean and shows me no issues with any incorrect cert file uses.

And yet, this:

does not match what is seen from the Internet:


I would reboot the system and see if that clears anything up.

1 Like

I would reboot the system and see if that clears anything up.

That really did it! So simple...

I really appreciate your help.

2 Likes

So, your process is missing part of the automation.
You need to incorporate a web server restart/reload after each time a cert is renewed.
This can be done easily with either:

  • appending --deploy-hook "systemctl reload nginx" to the certbot call
  • adding a cron job to reload nginx daily; like:
    12 3 * * * /bin/systemctl reload nginx.service
1 Like
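As an added example, not code from any post in this thread or from the certbot project: a deploy-hook script that combines the two pieces of advice above. It reloads nginx after a renewal (the automation step the last reply says was missing) and then repeats the earlier `openssl s_client` check from the first reply, comparing the SHA-256 fingerprint of the certificate on disk with the one the running server actually presents, so a stale certificate held by an old worker process is caught instead of being discovered after expiry. It assumes a FreeBSD-style `service nginx reload` (the thread's systemctl line is for systemd hosts), a port-443 listener reachable from the host itself, and certbot's `RENEWED_LINEAGE` / `RENEWED_DOMAINS` environment variables, which certbot exports to `--deploy-hook` scripts; the install path in the comment is a hypothetical choice.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot --deploy-hook that reloads nginx
# after a renewal and then verifies, over the wire, that the running server
# presents the renewed certificate rather than one still held by an old process.
#
# Assumptions not taken from the thread: FreeBSD-style "service nginx reload",
# a port-443 listener reachable from this host, and certbot's RENEWED_LINEAGE /
# RENEWED_DOMAINS variables, which certbot exports to deploy hooks.
#
# Hypothetical install:  certbot renew --deploy-hook /usr/local/sbin/reload-and-verify.sh
# The helper functions can also be sourced into an interactive shell for ad-hoc checks.

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file such as fullchain.pem
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a live server presents for host $1,
# sent as SNI so a virtual host answering with the wrong cert is detected; port $2 (443)
cert_fingerprint_served() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when both fingerprints are present and identical
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# True when the certificate in PEM file $1 expires within $2 days
# (openssl -checkend exits non-zero when the cert WILL expire, hence the negation)
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# The hook proper: test the config, reload, then compare disk against wire per domain
deploy_and_verify() {
    lineage=$1; shift
    nginx -t >/dev/null 2>&1 || { echo "nginx -t failed; not reloading" >&2; return 1; }
    service nginx reload >/dev/null 2>&1 || { echo "nginx reload failed" >&2; return 1; }
    sleep 2   # give the workers a moment to pick up the new files
    want=$(cert_fingerprint_file "$lineage/fullchain.pem")
    status=0
    for domain in "$@"; do
        got=$(cert_fingerprint_served "$domain")
        if fingerprints_match "$want" "$got"; then
            echo "$domain: serving renewed certificate $want"
        else
            echo "$domain: STALE certificate still served (disk=$want wire=$got)" >&2
            status=1
        fi
    done
    return $status
}

# Only act when invoked by certbot; sourcing the file for the helpers does nothing.
# RENEWED_DOMAINS is a space-separated list, so it is deliberately left unquoted.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_and_verify "$RENEWED_LINEAGE" $RENEWED_DOMAINS
fi
```

A non-zero exit from the hook makes `certbot renew` report the failure, so a renewal that succeeded on disk but was never picked up by nginx (the situation in this thread) shows up in certbot's output and cron mail instead of surfacing weeks later as browser errors. `expires_within` is included so the same helpers can drive a daily cron check against the served fingerprint and the remaining lifetime.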

Thank you for following up, I appreciate it very much and updated crontab accordingly!

2 Likes