Expired root in newly created certificate

Hey! I created a certificate (crt.sh | korovin80.site). By the way, the browser notices that it's not protected. I found out that the root server had expired back in 2021. I tried --force-renew and it actually worked once, but it didn't apply any changes on crt.sh. So when I tried to obtain these certificates later, after recreating my server, I fetched the old certificates with the expired root server. How can I refresh this root server?

Hi @Topper-crypto, and welcome to the LE community forum :slight_smile:

Your problem sounds like a chain issue.
See: Long (default) and Short (alternate) Certificate Chains Explained - Issuance Policy - Let's Encrypt Community Support (letsencrypt.org)

Also, don't use:

That doesn't fix anything.

6 Likes

Hello @Topper-crypto welcome to the Let's Encrypt community. :slightly_smiling_face:

With https://letsdebug.net/ all 3 Challenge Types have DNS failures

  1. HTTP-01 - Let's Debug
  2. DNS-01 - Let's Debug
  3. TLS-ALPN-01 - Let's Debug

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Yes you answered this, but a list of all that this topic is about can be helpful.

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

2 Likes

And https://dnsviz.net/ is showing
korovin80.site | DNSViz

Here, DNS Lookup - Check DNS Records finds no DNS records for korovin80.site.

2 Likes

What root server are you speaking of? The DNS root server that is the SOA NS for your domain?

My domain is: korovin80.site

I ran this command:

    certbot certonly --nginx --test-cert --email mail \
      --agree-tos --no-eff-email -d 'korovin80.site' \
      -d 'www.korovin80.site' -d 'gitlab.korovin80.site' \
      -d 'grafana.korovin80.site' -d 'prometheus.korovin80.site' \
      -d 'alertmanager.korovin80.site'

It produced this output: I was using Ansible to configure everything automatically, so I didn't get any output.

My web server is (include version): nginx 1.18

The operating system my web server runs on is (include version): ubuntu 22.04

My hosting provider, if applicable, is: yandex

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): When I used certbot for the first time, I noticed it was the old 0.40 version. After that I updated to version 1.21.

I think that I was using the old certbot and somehow it created a certificate with the expired root server Doctored Durian Root CA X3, so I need to refresh this certificate. Right now I have destroyed all DNS records for those sites, so they are unavailable. Thanks for the replies!

3 Likes

@Topper-crypto when you bring back those destroyed DNS records:
Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

2 Likes

That sounds more like a problem within:

Can we see that script?

3 Likes

  - name: Check if certificate already exists
    ansible.builtin.stat:
      path: "/etc/letsencrypt/live/{{ virtual_domain }}/cert.pem"
    register: letsencrypt_cert

  - name: Generate new certificate
    # --test-cert requests from the Let's Encrypt staging environment, whose
    # CA chain (names containing "STAGING") is not trusted by browsers
    ansible.builtin.shell: >
      certbot certonly --nginx --test-cert --email '{{ letsencrypt_email }}'
      --agree-tos --no-eff-email -d '{{ virtual_domain }}'
      -d 'www.{{ virtual_domain }}' -d 'gitlab.{{ virtual_domain }}'
      -d 'grafana.{{ virtual_domain }}' -d 'prometheus.{{ virtual_domain }}'
      -d 'alertmanager.{{ virtual_domain }}'

I can share fullchain.pem if that helps to check chain validity.

Show:
ls -l /etc/letsencrypt/live/{{ virtual_domain }}/

Is this a test or production site?

3 Likes
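For checking what is actually inside a fullchain.pem (the chain issue raised in the first reply, and the offer above to share fullchain.pem), here is an added shell example that is not from the thread. It splits the bundle, prints subject, issuer and expiry for each certificate in order, and flags the two things this thread turns on: a chain issued by the Let's Encrypt staging environment (what --test-cert produces; staging CA names contain "STAGING", for example "(STAGING) Doctored Durian Root CA X3", and no browser trusts them) and any certificate that expires within a given window. The file paths are placeholders, and openssl and awk are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a certbot fullchain.pem offline.
# Assumes openssl and awk are available; the paths in the comments are placeholders.

# split_bundle FILE DIR
# Writes each PEM certificate in FILE to DIR/1.pem, DIR/2.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# chain_report FILE
# Prints one line per certificate: <depth> subject=... | issuer=... | notAfter=...
# Depth 1 is the leaf; certbot's fullchain.pem ends at the last intermediate and
# does not carry the root itself, so the final issuer line names the root.
chain_report() {
    tmpdir=$(mktemp -d) || return 1
    split_bundle "$1" "$tmpdir"
    i=1
    while [ -f "$tmpdir/$i.pem" ]; do
        subj=$(openssl x509 -in "$tmpdir/$i.pem" -noout -subject)
        iss=$(openssl x509 -in "$tmpdir/$i.pem" -noout -issuer)
        exp=$(openssl x509 -in "$tmpdir/$i.pem" -noout -enddate)
        printf '%d %s | %s | %s\n' "$i" "$subj" "$iss" "$exp"
        i=$((i + 1))
    done
    rm -rf "$tmpdir"
}

# chain_is_staging FILE
# Succeeds if any subject or issuer names a Let's Encrypt staging CA; the
# staging hierarchy's names contain "STAGING" and are untrusted by browsers.
chain_is_staging() {
    chain_report "$1" | grep -q 'STAGING'
}

# chain_expires_within FILE SECONDS
# Succeeds if any certificate in the bundle expires within SECONDS
# (pass 0 to ask "is anything already expired?").
chain_expires_within() {
    tmpdir=$(mktemp -d) || return 1
    split_bundle "$1" "$tmpdir"
    rc=1
    i=1
    while [ -f "$tmpdir/$i.pem" ]; do
        # openssl x509 -checkend N exits non-zero when the cert expires within N seconds
        if ! openssl x509 -in "$tmpdir/$i.pem" -noout -checkend "$2" >/dev/null; then
            rc=0
        fi
        i=$((i + 1))
    done
    rm -rf "$tmpdir"
    return $rc
}

# Stand-alone use: ./chain-check.sh /etc/letsencrypt/live/korovin80.site/fullchain.pem
if [ "$#" -ge 1 ]; then
    chain_report "$1"
    chain_is_staging "$1" && echo "chain comes from the staging environment (--test-cert)"
    chain_expires_within "$1" 2592000 && echo "a certificate in the chain expires within 30 days"
fi
```

If the report shows a "(STAGING)" issuer, the fix is to reissue without --test-cert rather than to renew; --force-renew on a staging-issued certificate only produces another staging certificate.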

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.