Expired Security Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: trumpetmediagroup.com

The domain name was purchased over 10 years ago via GoDaddy but it points to our website which is hosted by Content Management System (CMS) provider - Metropublisher.

Our website (trumpetmediagroup.com) started malfunctioning two days ago indicating that the Security Certificate expired on 10 April 2023.

In the over 10 years of being with our CMS Provider or GoDaddy, I have not been involved in the renewing of the Certificate. We simply had to turn on HTTPS in the CMS and everything has run smoothly for almost 7 years.

I have not had any headway with Metropublisher - as they simply told me to switch on HTTPS within the CMS (which was never off anyway).

It is clear that the Certificate needs to be renewed since it has expired - but Metropublisher are passing the buck back to me.

How can I resolve this? What do I need to do?

Thanks in anticipation.

'Femi

1 Like

Hello @FemiO, welcome to the Let's Encrypt community. :slightly_smiling_face:

I fail to see how this topic is relevant to the Let's Encrypt community forum.

Let’s Encrypt offers Domain Validation (DV) certificates.

Are you looking to switch to using Let's Encrypt as your Certificate Authority?
ACME is intended to provide automatic Certificate renewals every 60 days with the Certificates having a 90 day life span.

There are other Free ACME Certificate Authorities as well

1 Like

Do you have administrative access to the actual web server? Or can you only manage it through a "control panel" type application? Since if you usually just "turn on HTTPS" in your control panel (which is how this kind of thing ideally works), and that isn't working, and you can't access the server itself (like, log in, change config files, run applications, etc.), then you need whomever does have that access (who is probably whatever company set up that control panel) to fix the problem. There really isn't anything you can do to fix it.

3 Likes

It looks like your CAA record is blocking issuance by Let's Encrypt.

See:

4 Likes

Surely that would be because the last (expired) cert is from Let's Encrypt. But since that one's been issued, someone's made a real dog's breakfast of the CAA records:

 dan@Dan-MBP-2019  ~  dig caa trumpetmediagroup.com

; <<>> DiG 9.10.6 <<>> caa trumpetmediagroup.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32683
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;trumpetmediagroup.com.		IN	CAA

;; ANSWER SECTION:
trumpetmediagroup.com.	3600	IN	CAA	0 issuewild "awstrust.com"
trumpetmediagroup.com.	3600	IN	CAA	0 issuewild "amazonaws.com"
trumpetmediagroup.com.	3600	IN	CAA	0 issuewild "someca.com"
trumpetmediagroup.com.	3600	IN	CAA	0 issue "amazon.com"
trumpetmediagroup.com.	3600	IN	CAA	0 issue "amazontrust.com"
trumpetmediagroup.com.	3600	IN	CAA	0 issue "awstrust.com"
trumpetmediagroup.com.	3600	IN	CAA	0 issue "amazonaws.com"
trumpetmediagroup.com.	3600	IN	CAA	0 issue "someca.com"
trumpetmediagroup.com.	3600	IN	CAA	0 issuewild "amazon.com"
trumpetmediagroup.com.	3600	IN	CAA	0 issuewild "amazontrust.com"

A whole mess of Amazon-related entities, along with "someca.com" for good measure, but indeed Let's Encrypt is prohibited. @FemiO, you need to fix your DNS records. If Metropublisher handles those, they need to fix them. But they're the reason you can't renew your cert.

8 Likes

Correct - https://unboundtest.com/m/CAA/trumpetmediagroup.com/EKXIHBJV

Query results for CAA trumpetmediagroup.com

Response:
;; opcode: QUERY, status: NOERROR, id: 62703
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;trumpetmediagroup.com.	IN	 CAA

;; ANSWER SECTION:
trumpetmediagroup.com.	0	IN	CAA	0 issuewild "awstrust.com"
trumpetmediagroup.com.	0	IN	CAA	0 issuewild "amazonaws.com"
trumpetmediagroup.com.	0	IN	CAA	0 issuewild "someca.com"
trumpetmediagroup.com.	0	IN	CAA	0 issue "amazon.com"
trumpetmediagroup.com.	0	IN	CAA	0 issue "amazontrust.com"
trumpetmediagroup.com.	0	IN	CAA	0 issue "awstrust.com"
trumpetmediagroup.com.	0	IN	CAA	0 issue "amazonaws.com"
trumpetmediagroup.com.	0	IN	CAA	0 issue "someca.com"
trumpetmediagroup.com.	0	IN	CAA	0 issuewild "amazon.com"
trumpetmediagroup.com.	0	IN	CAA	0 issuewild "amazontrust.com"

----- Unbound logs -----
Apr 12 21:19:00 unbound[1100318:0] notice: init module 0: validator
Apr 12 21:19:00 unbound[1100318:0] notice: init module 1: iterator

And the online tool Let's Debug yields the same results https://letsdebug.net/trumpetmediagroup.com/1443613

3 Likes
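The two lookups above (the `dig` output and the unboundtest result) show the record set that is blocking Let's Encrypt. The following is an added example, not code from this thread or from Let's Encrypt, that applies the RFC 8659 CAA rules to a constructed copy of that record set and to a hypothetical corrected layout (apex open to letsencrypt.org, the Amazon CA confined to a `shop` subdomain; that layout is an assumption, not the thread's actual DNS). It climbs the name tree the way an issuer does, which is why a subdomain with no CAA records of its own inherits the apex restriction.

```python
"""Evaluate CAA records (RFC 8659) against a constructed zone snapshot.

Added example; not code from the thread or from Let's Encrypt.
BROKEN_ZONE transcribes the CAA records shown in the thread's dig output.
FIXED_ZONE is a hypothetical layout (an assumption, not the thread's real
DNS) that keeps the apex open to Let's Encrypt while confining the Amazon
CA to a shop subdomain.
"""
from typing import Dict, List, Optional, Tuple

# A CAA record as (flags, tag, value); flag bit 128 is "issuer critical".
CAA = Tuple[int, str, str]
Zone = Dict[str, List[CAA]]

BROKEN_ZONE: Zone = {
    "trumpetmediagroup.com": [
        (0, "issuewild", "awstrust.com"),
        (0, "issuewild", "amazonaws.com"),
        (0, "issuewild", "someca.com"),
        (0, "issue", "amazon.com"),
        (0, "issue", "amazontrust.com"),
        (0, "issue", "awstrust.com"),
        (0, "issue", "amazonaws.com"),
        (0, "issue", "someca.com"),
        (0, "issuewild", "amazon.com"),
        (0, "issuewild", "amazontrust.com"),
    ],
}

FIXED_ZONE: Zone = {
    "trumpetmediagroup.com": [(0, "issue", "letsencrypt.org")],
    "shop.trumpetmediagroup.com": [(0, "issue", "amazon.com")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(zone: Zone, fqdn: str) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 section 3: start at the FQDN and climb toward the root; the
    first name that has CAA records supplies the relevant set. Returns
    (name that supplied the set, records), or (None, []) if none is found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def caa_permits(zone: Zone, fqdn: str, issuer_domain: str) -> Tuple[bool, str]:
    """Decide whether the CA identified by issuer_domain may issue for fqdn.
    Returns (permitted, reason)."""
    wildcard = fqdn.startswith("*.")
    # Simplification: a wildcard name is evaluated against the records of the
    # name under the '*' label, selecting the issuewild property.
    lookup = fqdn[2:] if wildcard else fqdn
    used, rrset = relevant_caa(zone, lookup)
    if not rrset:
        return True, "no relevant CAA records; any CA may issue"

    # An issuer-critical flag on a property the CA does not understand
    # forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{tag}' at {used}"

    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    if wildcard and issuewild:
        tag, selected = "issuewild", issuewild
    else:
        tag, selected = "issue", issue  # a wildcard falls back to 'issue'
    if not selected:
        return True, f"no '{tag}' property at {used}; issuance unrestricted"

    # The issuer domain precedes any ';'-separated parameters (not enforced
    # in this example); a bare ';' names no CA at all.
    allowed = {v.split(";", 1)[0].strip().lower() for v in selected}
    if issuer_domain.lower() in allowed:
        return True, f"'{tag}' at {used} lists {issuer_domain}"
    listed = ", ".join(sorted(a for a in allowed if a)) or "no CA"
    return False, f"'{tag}' at {used} permits only: {listed}"


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        for name in ("trumpetmediagroup.com", "shop.trumpetmediagroup.com",
                     "*.trumpetmediagroup.com"):
            for ca in ("letsencrypt.org", "amazon.com"):
                ok, why = caa_permits(zone, name, ca)
                verdict = "allow" if ok else "deny "
                print(f"[{label}] {ca:16} {name:30} {verdict}  {why}")
```

Run stand-alone it prints the verdict for each name/CA pair in both zones; the broken zone denies letsencrypt.org everywhere, including the subdomain that has no records of its own, while the fixed zone lets the apex renew with Let's Encrypt and the shop subdomain with Amazon.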

Other than the CAA records, you recently got a cert from Amazon. This was shortly after your most recently issued cert by Let's Encrypt. (cert history here)

That, along with the CAA records, looks like someone tried to change your architecture to be on AWS. For example, by adding CloudFront or an ELB.

Your DNS just points to an AWS EC2 instance (not CF or an ELB) so maybe someone tried something and backed it off but leaving the faulty CAA records behind?

6 Likes

Seems to me you need to push back on

$ curl -Ii http://trumpetmediagroup.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Date: Wed, 12 Apr 2023 21:28:19 GMT
Location: http://go.metropublisher.com/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
Vary: Accept-Encoding
Age: 0
Connection: keep-alive
$ curl -Ii http://go.metropublisher.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 12 Apr 2023 21:28:40 GMT
Location: https://go.metropublisher.com/.well-known/acme-challenge/sometestfile
Server: Apache/2.4.25 (Debian)
Connection: keep-alive
$ curl -k -Ii https://go.metropublisher.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Content-Length: 18
Content-Type: text/plain
Date: Wed, 12 Apr 2023 21:28:52 GMT
Server: waitress
X-Content-Type-Warning: guessed from content
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
Connection: keep-alive
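The curl transcript above shows the challenge path being bounced to another host that finally answers 404, so an http-01 validation would fail regardless of the CAA records. As an added example (not code from this thread, from Let's Encrypt, or from Metropublisher), the following walks an http-01 URL the way a validator does, following up to ten redirects over http or https on standard ports, and reports where the chain ends. The response table is transcribed from the transcript above so it runs offline; `live_fetch` is a real-network variant that the offline run does not exercise.

```python
"""Walk an ACME http-01 challenge URL through its redirects.

Added example; not code from the thread, from Let's Encrypt or from
Metropublisher. RESPONSES is constructed from the curl -Ii transcripts in
the thread; live_fetch is a real-network variant the offline run does not
use. The limits applied (ten redirects, http/https only, ports 80 and 443)
follow the http-01 rules Let's Encrypt documents for its validator.
"""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

Response = Tuple[int, Dict[str, str]]  # (status code, headers)
Fetch = Callable[[str], Response]

CHALLENGE = "/.well-known/acme-challenge/sometestfile"
START = "http://trumpetmediagroup.com" + CHALLENGE

# Constructed from the thread's transcripts: apex -> CMS host -> https -> 404.
RESPONSES: Dict[str, Response] = {
    START: (302, {"Location": "http://go.metropublisher.com" + CHALLENGE}),
    "http://go.metropublisher.com" + CHALLENGE:
        (302, {"Location": "https://go.metropublisher.com" + CHALLENGE}),
    "https://go.metropublisher.com" + CHALLENGE: (404, {}),
}


def table_fetch(url: str) -> Response:
    """Offline fetch backed by the constructed table."""
    return RESPONSES[url]


def live_fetch(url: str) -> Response:
    """One request without following redirects (real network; not used by
    the offline run)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then raises HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def follow_challenge(url: str, fetch: Fetch = table_fetch,
                     max_redirects: int = 10) -> dict:
    """Follow redirects as an http-01 validator would and report the outcome.
    Returns {"ok", "status", "hops", "findings"}; ok is True only when the
    chain ends in a 200 with no fatal finding."""
    hops: List[str] = [url]
    findings: List[str] = []
    fatal = False
    status, headers = fetch(url)
    while status in (301, 302, 303, 307, 308):
        if len(hops) - 1 >= max_redirects:
            findings.append(f"more than {max_redirects} redirects")
            fatal = True
            break
        location = headers.get("Location") or headers.get("location")
        if not location:
            findings.append(f"{status} response without a Location header")
            fatal = True
            break
        nxt = urljoin(hops[-1], location)
        parts = urlsplit(nxt)
        if parts.scheme not in ("http", "https"):
            findings.append(f"redirect to unsupported scheme '{parts.scheme}'")
            fatal = True
            break
        if parts.port not in (None, 80, 443):
            findings.append(f"redirect to non-standard port {parts.port}")
            fatal = True
            break
        prev_host = urlsplit(hops[-1]).hostname
        if parts.hostname != prev_host:
            # Not fatal by itself, but that other host must now serve the token.
            findings.append(f"redirect leaves {prev_host}; "
                            f"{parts.hostname} must serve the token")
        if nxt in hops:
            findings.append("redirect loop")
            fatal = True
            break
        hops.append(nxt)
        status, headers = fetch(nxt)
    if not fatal and status != 200:
        findings.append(f"final response {status} at {hops[-1]}; token not served")
    return {"ok": status == 200 and not fatal, "status": status,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    result = follow_challenge(START)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop}")
    print("status:", result["status"], "ok:", result["ok"])
    for finding in result["findings"]:
        print(" -", finding)
```

For the transcribed chain the walk ends at the CMS host with a 404 and two findings: the redirect leaves the validated host, and the token is never served there. Passing `fetch=live_fetch` runs the same walk against a real domain.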

Thanks for reverting @Bruce5051.

Forgive me - I am not technical. I simply need to get the website working without returning an error about Security Certificate expired.

I viewed the Certificate and it had Let's Encrypt as having issued it:

Common Name (CN) trumpetmediagroup.com
Organization (O)
Organizational Unit (OU)
Common Name (CN) R3
Organization (O) Let's Encrypt
Organizational Unit (OU)
Issued On Tuesday, January 10, 2023 at 12:20:17 AM
Expires On Monday, April 10, 2023 at 1:20:16 AM

Kind regards

2 Likes

Nothing to be forgiven. :slight_smile:

What controls do you have on the web server and the server itself?

1 Like

Thanks @petercooperjr.
No I don't have Admin Access to the Web Server. I will revert to Metropublisher.
Much appreciated.

4 Likes

And I think @petercooperjr has a very good answer here:

(bold highlight above mine)

1 Like

Something significant happened on Jan 9-13. If you can find who did that they may be able to help you.

You had been getting certs consistently every 60 days for a long time. Starting Jan 9 that changed in a big way.

5 Likes

Thank you so much @MikeMcQ .

Your response is extremely useful as some amendments were made to the CAA records in January - and I suspect this is where the problem lies.

Much appreciated.

6 Likes

Thanks @danb35.
Yes, it makes sense.
Much appreciated.

3 Likes

Financial.
[that is the one that counts the most!]

I dare say you have control of your wallet and that is all you need.
Simply tell whomever is charging you for said service [likely included in the hosting plan]...
Starting with the DNS administrators:

  • fix the CAA records
  • get the certificate renewed
4 Likes

Thank you so much all - for the prompt help and advice.

I deleted all the CAA records which I had added in January when a Shop was being added to our Website. It was a requirement of the 3rd-Party shop provider to make those amendments.

Following the deletion of the CAA records, the Certificate has now been automatically renewed this morning and our Website now working properly.

I appreciate you all.

'Femi

2 Likes

The Shop was being added as a Sub-Domain.
