I made a post a few days ago about trying to figure out why a certificate I had wouldn't update. Figured out how to get a new certificate... but I still don't understand why certbot always says I have an expired certificate when I try to use it to do about anything.
For example....
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
So my question is what certificate expired and how can I renew it? Please and thank you.
From your previous thread you used a --manual option to create your certs. As I noted then, you will need to continue doing that manually. If this is the only cert you will ever do and you plan to continue updating it manually you could disable the certbot timer.
But, if you want the renew to continue running you will need to add the `--insecure` option to your systemd certbot service profile for it. This is the same option you needed to issue your cert on your Arch Linux system. Until you resolve your root store problem this will always be needed.
That said, I am surprised certbot even made an attempt given the manual creation. You might want to review the conf file in the letsencrypt renewal folder. Perhaps it still reflects an attempt before using `--manual`.
Yes, I used the manual option. Even before that I couldn't renew my certificate for play.atavismxi.com. I'm not worried about the play.atavismxi certificate.
I can't use certbot at all because it always says I have an expired certificate.
It has nothing to do with your website's certificate; it's failing to understand Let's Encrypt's own certificate for the API.
Your system has an outdated component (certificate bundle or application) and when it sees the certificate for the Let's Encrypt API it resolves it with the expired chain.
The solution depends on what OS/version you are running and which version of certbot you are using but generally you want to update your OS CA certificate bundle and ideally make sure you are running a recent version of certbot.
Thanks, I see your other thread now. You've already tried the `update-ca-trust` command I would have suggested, but I think you need to manually edit your system's set of CA certificates to ensure ISRG Root X1 is present, then run that command to commit those changes.
Ideally you should find some Arch Linux experts; I've no idea where that distro keeps its certs etc.
Something is not quite right with your system. acme-v02.api.letsencrypt.org uses the short/alternate trust chain:
```
---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
```
None of which are expired.
The only thing I can think of that might cause this error is if your system has somehow learned/trusted the "ISRG Root X1 (cross-signed)" cert - whose root is now expired.
Perhaps in your haste you have trusted the wrong version of "ISRG Root X1".
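The check the last reply is pointing at, written out as an added example that is not code from this thread or from certbot: walk the system CA bundle, find every certificate whose subject is `ISRG Root X1`, and report whether it is the self-signed root (issuer equals subject, valid until 2035) or the cross-signed copy issued by `DST Root CA X3`, whose own certificate expired on 30 September 2021. A store that only holds the cross-signed copy as its anchor will verify the Let's Encrypt API chain up to the expired DST root and fail with exactly the "certificate has expired" error shown at the top. The example assumes the bundle is a plain concatenation of PEM certificates (on Arch the extracted bundle path is assumed to be `/etc/ca-certificates/extracted/tls-ca-bundle.pem`), that `openssl x509 -noout -subject -issuer -enddate` prints `subject=`, `issuer=` and `notAfter=` lines in the OpenSSL 1.1+ format, and the embedded sample records are constructed for the offline demonstration.

```python
"""Audit a CA bundle for the right ISRG Root X1 anchor (added example, not thread code)."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# Assumed location of the extracted bundle on Arch Linux (update-ca-trust writes it).
ARCH_BUNDLE = "/etc/ca-certificates/extracted/tls-ca-bundle.pem"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


@dataclass
class CertInfo:
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        # A root anchor is self-issued: subject and issuer names coincide.
        return self.subject == self.issuer


@dataclass
class Finding:
    kind: str    # "self-signed" or "cross-signed"
    ok: bool
    detail: str


def parse_openssl_text(text: str) -> CertInfo:
    """Parse the subject=/issuer=/notAfter= lines printed by `openssl x509`."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    # OpenSSL prints e.g. "Jun  4 11:04:38 2035 GMT"; strptime tolerates the double space.
    not_after = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y GMT")
    return CertInfo(fields["subject"], fields["issuer"], not_after.replace(tzinfo=timezone.utc))


def describe_cert(pem: str) -> CertInfo:
    """Shell out to openssl for one PEM certificate (assumes OpenSSL 1.1+ output format)."""
    proc = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-enddate"],
        input=pem, capture_output=True, text=True, check=True)
    return parse_openssl_text(proc.stdout)


def audit(certs: list[CertInfo], now: datetime, cn: str = "ISRG Root X1") -> list[Finding]:
    """Classify every certificate named `cn` in the bundle and say whether it is a usable anchor."""
    by_subject = {c.subject: c for c in certs}
    findings = []
    for c in certs:
        if f"CN = {cn}" not in c.subject:
            continue
        if c.self_signed:
            findings.append(Finding("self-signed", now < c.not_after,
                                    f"self-signed root, notAfter {c.not_after:%Y-%m-%d}"))
            continue
        # Cross-signed copy: its usefulness depends on the issuer's root being present and valid.
        issuer = by_subject.get(c.issuer)
        if issuer is None:
            ok, detail = False, f"cross-signed by '{c.issuer}', which is not in the bundle"
        elif now >= issuer.not_after:
            ok, detail = False, (f"cross-signed by '{c.issuer}', which expired "
                                 f"{issuer.not_after:%Y-%m-%d}; chains built to it fail as expired")
        else:
            ok, detail = now < c.not_after, f"cross-signed by '{c.issuer}', issuer still valid"
        findings.append(Finding("cross-signed", ok, detail))
    return findings


def has_usable_anchor(findings: list[Finding]) -> bool:
    """Only an unexpired self-signed ISRG Root X1 makes the short chain verify on its own."""
    return any(f.kind == "self-signed" and f.ok for f in findings)


def audit_bundle(path: str = ARCH_BUNDLE, now: datetime | None = None) -> list[Finding]:
    now = now or datetime.now(timezone.utc)
    pems = PEM_RE.findall(Path(path).read_text())
    return audit([describe_cert(p) for p in pems], now)


# Constructed sample records in the openssl text format (dates approximate the real roots).
SAMPLE_OPENSSL_OUTPUT = [
    "subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
    "issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
    "notAfter=Jun  4 11:04:38 2035 GMT\n",
    "subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
    "issuer=O = Digital Signature Trust Co., CN = DST Root CA X3\n"
    "notAfter=Sep 30 18:14:03 2024 GMT\n",
    "subject=O = Digital Signature Trust Co., CN = DST Root CA X3\n"
    "issuer=O = Digital Signature Trust Co., CN = DST Root CA X3\n"
    "notAfter=Sep 30 14:01:15 2021 GMT\n",
]
SAMPLE_CERTS = [parse_openssl_text(t) for t in SAMPLE_OPENSSL_OUTPUT]
NOW_2022 = datetime(2022, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in audit(SAMPLE_CERTS, NOW_2022):
        print(("OK  " if f.ok else "BAD ") + f.kind + ": " + f.detail)
    print("usable anchor present:", has_usable_anchor(audit(SAMPLE_CERTS, NOW_2022)))
```

Run it against the real bundle with `audit_bundle()` once `openssl` is on the path; if the only `ISRG Root X1` finding is the cross-signed one, the fix is to add the self-signed root to the trust source directory and re-run `update-ca-trust`, after which the `--insecure` workaround from the earlier reply is no longer needed.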