HSTS Chrome error NET::ERR_CERT_DATE_INVALID

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bap.a3a-architecture.fr

I ran this command: typed domain into chrome browser

It produced this output: NET::ERR_CERT_DATE_INVALID error warning from chrome

My web server is (include version): apache

The operating system my web server runs on is (include version): php

My hosting provider, if applicable, is: mamp pro

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.2.0

The date has been checked on the Mac. SSL Labs returns an invalid cert, however it was renewed on Friday 16, and the command line sudo certbot renew --dry-run returns a valid cert.


You also got a cert back in December but your Apache server is using the one you got in November. So something has gone wrong for a while. Maybe you just need to reload Apache?

What do these show?

sudo certbot certificates
sudo apachectl -t -D DUMP_VHOSTS

Thank you MikeMcQ for your return, will try to reload Apache now,
here are results from those command lines

Ok, reloading Apache seems to solve the problem, Chrome is OK now. Thank you again for your precious help. Additional question: is there a simple way to auto-renew the certificate? A command line? I've just installed Homebrew on the Mac.

Laziest way would be to add a cron job to reload Apache every week.


Ok, thank you, I will try to do this. Do you possibly have a website or a link so I can learn and do it myself?


Sure, see the page below about automated renewals

https://eff-certbot.readthedocs.io/en/latest/using.html#automated-renewals

If you show us the conf file in /etc/letsencrypt/renewal folder for that cert we can give specific advice. You may just need to add a --deploy-hook to reload apache. But, doing a graceful reload every day (or week) is fine too.


Here you go for the conf file
[Screenshot 2024-02-19 at 16.06.17]

This should work with your Certbot 2.2 but if not you need to update that to current 2.9

sudo certbot reconfigure --cert-name bap.a3a-architecture.fr --deploy-hook "*command*"

Where *command* is replaced with the correct command to gracefully reload apache on your system. So, whatever command you used just before to do that.


Will try to do this, but I'm not very confident about that :cold_face:
Be back tomorrow with my results.
Thank you


All "reconfigure" does is update the renewal conf file. If you want, take a backup beforehand, but this should add just one line to that file. That's it :slight_smile:


Hello, me again. I've found an existing cron job on the server with the command: sudo crontab -e
[Screenshot 2024-02-20 at 09.57.36]
Am I wrong with the following?
sudo certbot reconfigure --cert-name bap.a3a-architecture.fr --deploy-hook "15 1 * * * /usr/local/bin/certbot renew"

Yes, that is wrong :slight_smile:

The --deploy-hook command is whatever you use to reload Apache. The same command you said you did back in post #5.

Different systems use different commands. But, if the command you use is service apache2 graceful the reconfigure is:

sudo certbot reconfigure --cert-name bap.a3a-architecture.fr --deploy-hook "service apache2 graceful"

Be sure to use the command for your system though.

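The distinction made in the reply above, as an added example that is not part of the original thread: the cron schedule runs certbot renew, while the deploy hook only reloads Apache after a renewal succeeded. The function name and the APACHECTL override are illustrative assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the environment variables Certbot sets when it runs a deploy hook.

```shell
#!/bin/sh
# Added example: deploy hook that reloads Apache after Certbot renewed a cert.
# Certbot runs the hook once per successfully renewed certificate and exports
# RENEWED_LINEAGE (the live/<cert-name> directory) and RENEWED_DOMAINS.

# Assumption: apachectl is on PATH; override APACHECTL for a non-default
# Apache install (for example one bundled with a local server package).
APACHECTL="${APACHECTL:-apachectl}"

# Hypothetical helper name. Return codes: 0 reloaded, 2 lineage has no cert
# files, 3 Apache config does not parse, 4 the graceful reload itself failed.
reload_apache_for_lineage() {
    lineage="$1"

    # Refuse to act when the renewed files are missing or empty.
    if [ ! -s "$lineage/fullchain.pem" ] || [ ! -s "$lineage/privkey.pem" ]; then
        echo "deploy-hook: no certificate files in $lineage" >&2
        return 2
    fi

    # Check the configuration first so a syntax error is reported here,
    # in Certbot's output, instead of going unnoticed at reload time.
    if ! "$APACHECTL" -t >/dev/null 2>&1; then
        echo "deploy-hook: apachectl -t failed, Apache not reloaded" >&2
        return 3
    fi

    # Graceful reload: workers finish current requests, new ones start
    # with the renewed certificate.
    "$APACHECTL" graceful || return 4
    echo "deploy-hook: Apache reloaded for ${RENEWED_DOMAINS:-$lineage}"
}

# Act only when Certbot invoked this file as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_apache_for_lineage "$RENEWED_LINEAGE"
fi
```

Saved as an executable file, its path (a placeholder here) is what goes inside the quotes of --deploy-hook in the reconfigure command; the cron line stays in the crontab.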

Hi community, I'm in a bit of trouble now with the installation. Here is what I've done:

  • switched to zsh in the terminal as requested by the app
  • sudo certbot certificates gives this
    [Screenshot 2024-02-26 at 11.01.35]
  • sudo apachectl -t -D DUMP_VHOSTS gives this
    [Screenshot 2024-02-26 at 11.06.58]
  • I suppose I have to install the certbot 0.39.0 distribution with Homebrew
    Install Certbot
    Run this command on the command line on the machine to install Certbot.
    brew install certbot
  • then add a cron job?

I haven't tried your command yet, MikeMcQ

Out of curiosity, is your Apache not already soft-restarted periodically in order to rotate logs? Or are your Apache logs just ever-growing with no rotation? Or are you using "piped log" functionality so logs can be rotated without Apache soft-restarting?

I've never had to restart Apache due to an expired certificate, or manually set up automatic restarts... daily soft/graceful restarts via logrotate was always the norm for me, until I switched logrotate to weekly, and even then, I still tend to get multiple restarts per week due to it insisting on rotating different logs on different days.

I also have my Apache child processes set so each one self-terminates after 10K connections, in order to limit possible memory leaks, so it surprises me to see a scenario where Apache child processes are left running for months.

0.39?? isn't that from 2019?


Hello and thank you catharsis for this feedback. I don't think Apache is restarted periodically; I restart it manually when necessary. I took over this installation, previously managed by another tech, and I am new to these processes. I switched the terminal back to /bin/bash and ran these commands:
certbot -l
certbot -e
sudo certbot renew --dry-run --cert-name bap.a3a-architecture.fr
On the last one, the result seems OK to me. Here are my results, so I assume the certificate is active
[Screenshot 2024-02-28 at 08.31.14]
According to your comments, my question is how to set multiple Apache restarts per week?
For certbot 0.39.0, it is what is asked for in the previous shell
[Image: shell-1]

Thank you
