I am unable to renew cert the date does not update NET::ERR_CERT_DATE_INVALID


#1

I am getting NET::ERR_CERT_DATE_INVALID

Valid from: Tue, 09 Jan 2018 23:13:12 UTC

Valid until: Mon, 09 Apr 2018 23:13:12 UTC (expired 17 hours and 59 minutes ago) EXPIRED

I ran certbot renew and it says it does not need to be renewed.
I ran certbot renew --force-renewal and restarted apache after both commands, but it does not seem to do anything.

https://www.ssllabs.com/ssltest/analyze.html?d=www.gmrgold.com


#2

You’ve issued four new certs for this domain today–you’re about to run into a rate limit. If you’ve restarted apache since issuing them, apparently your server configuration isn’t pointing to the right cert. What’s the output of certbot certificates?


#3

Found the following certs:
Certificate Name: www.gmrgold.com-0002
Domains: gmrgold.com www.gmrgold.com
Expiry Date: 2018-07-09 16:07:51+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.gmrgold.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.gmrgold.com-0002/privkey.pem


#4

I’m not sure what’s happening.

I think the server’s sending both one of the new certificates and the old, expired one?

What’s the Apache configuration?

Just that one?

Edit: What version of Apache?


#5

That is the only one in live and renew folders. The apache conf is pointing to:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.gmrgold.com-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.gmrgold.com-0002/privkey.pem


#6

According to the SSL Labs report, there are at least 2 certificates on the system.

Can you “ls -l /etc/letsencrypt/archive/” and “grep -ir SSLCertificate /etc/apache2/” or wherever the Apache configuration is?


#7

www.gmrgold.com www.gmrgold.com-0001

I do see some older directories there, and one of them contains another SSL. Do I simply remove those directories to fix the problem?


#8

If Apache is actively using some of the files there, deleting them now will break it.

Deleting them afterwards would be good, though.

In the future, you can use “certbot delete --cert-name www.gmrgold.com-0001” and so forth to delete the renewal file and live and archive directories simultaneously.


#9

I am still getting the second cert after deleting them; not sure where else to look. I did a grep for it but am coming up empty.


#10

Any other ideas to stop the server from serving the 2nd expired certificate?


#11

Same here, expired from yesterday! certbot says there’s nothing to renew!


#12

Rebooting the server finally got it to stop serving the invalid certificate.


#13

Did you get any error messages?


#14

No error message at all except in the browser!

And thank you! Rebooting the server did the trick!


#15

Quick note, I had tried restarting apache, but restarting it did nothing. Only a hard reboot did the trick for me. I guess that’s what you needed too.


#16

On my side, I think I found the root cause…

By doing sudo crontab -e, I can see the following certbot crontab task:
15 3 * * * /usr/bin/certbot renew --quiet --renew-hook "/bin/systemctl reload nginx"

However, when I do sudo /bin/systemctl reload nginx, I get the following error:
Failed to reload nginx.service: Unit nginx.service not found.

I tried every single command to restart Nginx I can find on the Internet, but every single one of them fails!!

Does anyone have a clue?


#17

@aguyinmontreal, are you sure you’re using nginx and not some other web server?


#18

@schoen @frankhdz

I found it! Since my Nginx had been installed with the GitLab package, I had to replace the "/bin/systemctl reload nginx" post-hook in the crontab task with "gitlab-ctl restart nginx".

Source: https://stackoverflow.com/questions/32969612/how-can-i-restart-bundle-nginx-in-gitlab-separately .
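
The check this thread kept circling, whether the running web server is presenting the certificate its configuration points at, written out as an added example that is not from any poster or from Certbot. The function names are hypothetical and only the Python standard library is used.

```python
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_der(fullchain_pem):
    """DER bytes of the first (leaf) certificate in fullchain.pem text."""
    match = PEM_BLOCK.search(fullchain_pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def served_der(host, port=443, timeout=10.0):
    """DER bytes of the leaf the running server presents for host (SNI set)."""
    # Verification is off on purpose: a verifying client would refuse the
    # expired certificate we want to inspect.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def which_lineage(served, lineages):
    """Name in lineages (name -> fullchain PEM text) whose leaf is served."""
    for name, pem in lineages.items():
        if leaf_der(pem) == served:
            return name
    return None  # served certificate is not in any of the given files


def is_stale(served, configured_fullchain_pem):
    """True when the server presents something other than the configured leaf."""
    return served != leaf_der(configured_fullchain_pem)


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py HOSTNAME /path/to/live/<lineage>/fullchain.pem
    with open(sys.argv[2]) as fh:
        stale = is_stale(served_der(sys.argv[1]), fh.read())
    print("STALE: reload or restart the web server" if stale else "OK")
```

Run as the last step of a renewal hook, a STALE result shows that the reload command did not take effect, which is the condition posts #12, #15 and #16 describe.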

