How to Figure Out Which Certificate is Expired and Renew It

I made a post a few days ago about trying to figure out why a certificate I had wouldn't update. Figured out how to get a new certificate...... But still don't understand why certbot always says I have an expired certificate when I try to use it to do about anything.
For example....

An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))

So my question is what certificate expired and how can I renew it? Por favor and gracias.

Do:

certbot certificates

to see certs from certbot. Show results here if you want help. Use the certbot delete command to remove unused ones. See here for its operation.

2 Likes

Maybe it's the time on my system, even though it appears to be accurate? Going to try to check BIOS times.

Found the following certs:
  Certificate Name: play.atavismxi.com
    Serial Number: 3988d224647f514d6f7caae2286f31bdd71
    Key Type: RSA
    Domains: play.atavismxi.com
    Expiry Date: 2022-02-17 21:33:56+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/play.atavismxi.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/play.atavismxi.com/privkey.pem

From your previous thread you used a --manual option to create your certs. As I noted then, you will need to continue doing that manually. If this is the only cert you will ever do and you plan to continue updating it manually you could disable the certbot timer.

But, if you want the renew to continue running you will need to add the `--insecure` option to your systemd certbot service profile for it. This is the same option you needed to issue your cert on your Arch Linux system. Until you resolve your root store problem this will always be needed.

That said, I am surprised certbot even made an attempt given the manual creation. You might want to review the conf file in the letsencrypt renewal folder. Perhaps it still reflects an attempt before using --manual.

2 Likes

Yes I used the manual option. Even before that I couldn't renew my certificate for play.atavismxi.com. I'm not worried about the play.atavismxi certificate.

I can't use certbot at all because it always says I have an expired certificate.

Changing the time did not help.

It has nothing to do with your website's certificate; it's failing to understand Let's Encrypt's own certificate for the API.

Your system has an outdated component (certificate bundle or application) and when it sees the certificate for the Let's Encrypt API it resolves it with the expired chain.

The solution depends on what OS/version you are running and which version of certbot you are using but generally you want to update your OS CA certificate bundle and ideally make sure you are running a recent version of certbot.

2 Likes

Right.

I'm running Arch Linux. Certbot 1.21.

Not sure how to update certificate bundle. Tried sudo update-CA-trust

Thanks, I see your other thread now. You've already tried the update-ca-trust command I would have suggested, but I think you need to manually edit your system's set of CA certificates to ensure ISRG Root X1 is present, then run that command to commit those changes.

Ideally you should find some Arch Linux experts - I've no idea where that distro keeps its certs etc.

2 Likes

I found this thread in the Arch Linux forums of someone having the same problem as me. Thanks, I will try this someday.
https://bbs.archlinux.org/viewtopic.php?id=270218

2 Likes

Something is not quite right with your system.
acme-v02.api.letsencrypt.org uses the short/alternate trust chain:

---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---

None of which are expired.

The only thing I can think of that might cause this error is if your system has somehow learned/trusted the "ISRG Root X1 (cross-signed)" cert - whose root is now expired.

Perhaps in your haste you have trusted the wrong version of "ISRG Root X1".

2 Likes
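The diagnosis above (a trust store that holds the cross-signed "ISRG Root X1" instead of, or without, the self-signed root) can be checked from the Python side that certbot itself uses. This is an added example, not code from the thread or from certbot: it loads a PEM bundle with the standard library's ssl module, reports which ISRG Root X1 variants are trusted, and the sample entries at the bottom are constructed for the self-test (their field values are illustrative, not copied from real certificates).

```python
import ssl
import time

ROOT_CN = "ISRG Root X1"


def _cn(name):
    # get_ca_certs() returns a Name as a tuple of RDNs, each a tuple of (type, value) pairs
    return next((value for rdn in name for attr, value in rdn if attr == "commonName"), "")


def classify(cert, now=None):
    """Describe one CA-certificate dict (the shape SSLContext.get_ca_certs() returns)."""
    now = time.time() if now is None else now
    subject, issuer = _cn(cert["subject"]), _cn(cert["issuer"])
    # A root is self-signed when its subject and issuer Names are identical
    kind = "self-signed root" if cert["subject"] == cert["issuer"] else f"cross-signed by {issuer}"
    return {"subject": subject, "kind": kind,
            "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now}


def scan_bundle(cafile):
    """Load a PEM bundle the way a TLS client would and keep only the ISRG Root X1 entries."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return [classify(c) for c in ctx.get_ca_certs() if _cn(c["subject"]) == ROOT_CN]


def diagnose(entries):
    """Turn the ISRG Root X1 entries of a bundle into a verdict on the short chain (R3 -> ISRG Root X1)."""
    if any(e["kind"] == "self-signed root" and not e["expired"] for e in entries):
        return "OK: self-signed ISRG Root X1 is trusted; the chain from R3 terminates there"
    cross = [e for e in entries if e["kind"].startswith("cross-signed")]
    if cross:
        return f"PROBLEM: only an ISRG Root X1 {cross[0]['kind']} is trusted; verification climbs to its issuer's expired root"
    return "PROBLEM: no ISRG Root X1 in the bundle; add the self-signed root and re-run update-ca-trust"


# Constructed sample entries in get_ca_certs() format (illustrative values, not real certificate data)
_ISRG = ((("countryName", "US"),), (("organizationName", "Internet Security Research Group"),), (("commonName", ROOT_CN),))
_DST = ((("organizationName", "Digital Signature Trust Co."),), (("commonName", "DST Root CA X3"),))
SAMPLE_SELF_SIGNED = {"subject": _ISRG, "issuer": _ISRG, "notAfter": "Jun  4 11:04:38 2035 GMT"}
SAMPLE_CROSS_SIGNED = {"subject": _ISRG, "issuer": _DST, "notAfter": "Sep 30 18:14:03 2024 GMT"}

if __name__ == "__main__":
    import sys
    # Default to the bundle the Python ssl module would use, i.e. what certbot's requests calls see
    path = sys.argv[1] if len(sys.argv) > 1 else ssl.get_default_verify_paths().cafile
    found = scan_bundle(path) if path else []
    for entry in found:
        print(entry)
    print(diagnose(found))
```

Run it with the path of the bundle your system's update-ca-trust writes to compare what is actually trusted against what the openssl s_client chain above requires.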
