I am unable to renew cert the date does not update NET::ERR_CERT_DATE_INVALID

I am getting NET::ERR_CERT_DATE_INVALID

Valid from: Tue, 09 Jan 2018 23:13:12 UTC

Valid until: Mon, 09 Apr 2018 23:13:12 UTC (expired 17 hours and 59 minutes ago) EXPIRED

I ran certbot renew and it says it does not need to be renewed.
I ran certbot renew --force-renewal and restarted apache after both commands, but it does not seem to do anything.

https://www.ssllabs.com/ssltest/analyze.html?d=www.gmrgold.com

You’ve issued four new certs for this domain today–you’re about to run into a rate limit. If you’ve restarted apache since issuing them, apparently your server configuration isn’t pointing to the right cert. What’s the output of certbot certificates?

Found the following certs:
Certificate Name: www.gmrgold.com-0002
Domains: gmrgold.com www.gmrgold.com
Expiry Date: 2018-07-09 16:07:51+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.gmrgold.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.gmrgold.com-0002/privkey.pem

I'm not sure what's happening.

I think the server's sending both one of the new certificates and the old, expired one?

What's the Apache configuration?

Just that one?

Edit: What version of Apache?

That is the only one in live and renew folders. The apache conf is pointing to:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.gmrgold.com-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.gmrgold.com-0002/privkey.pem

According to the SSL Labs report, there are at least 2 certificates on the system.

Can you “ls -l /etc/letsencrypt/archive/” and “grep -ir SSLCertificate /etc/apache2/” or wherever the Apache configuration is?

www.gmrgold.com www.gmrgold.com-0001

I do see some older directories there, and one of them contains another SSL. Do I simply remove those directories to fix the problem?

If Apache is actively using some of the files there, deleting them now will break it.

Deleting them afterwards would be good, though.

In the future, you can use "certbot delete --cert-name www.gmrgold.com-0001" and so forth to delete the renewal file and live and archive directories simultaneously.

I am still getting the second cert after deleting them; not sure where else to look. I did a grep for it but am coming up empty.

Any other ideas to keep the server from serving the 2nd expired certificate?

Same here, expired from yesterday! certbot says there’s nothing to renew!

Rebooting the server finally got it to stop serving the invalid certificate.

Did you get any error messages?

No error message at all except in the browser!

And thank you! Rebooting the server did the trick!

Quick note, I had tried restarting apache, but restarting it did nothing. Only a hard reboot did the trick for me. I guess that’s what you needed too.

On my side, I think I found the root cause…

By doing sudo crontab -e, I can see the following certbot crontab task:
15 3 * * * /usr/bin/certbot renew --quiet --renew-hook "/bin/systemctl reload nginx"

However, when I do sudo /bin/systemctl reload nginx, I get the following error:
Failed to reload nginx.service: Unit nginx.service not found.

I tried every single command to restart Nginx I can find on the Internet, but every single one of them fails!!

Someone has a clue?

@aguyinmontreal, are you sure you’re using nginx and not some other web server?

@schoen @frankhdz

I found it! Since my Nginx had been installed with the GitLab package, I had to replace the "/bin/systemctl reload nginx" post-hook in the crontab task by "gitlab-ctl restart nginx".

Source: https://stackoverflow.com/questions/32969612/how-can-i-restart-bundle-nginx-in-gitlab-separately .

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
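The symptom throughout this thread is a web server that keeps presenting an old certificate after certbot has written a new one. As an added example (not part of the thread and not certbot's own code), this script compares the SHA-256 fingerprint of the leaf in fullchain.pem with the leaf the server actually presents; the function names and the sample data are assumptions made up for the illustration.

```python
import base64, hashlib, re, socket, ssl, sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_der_from_pem(pem_text):
    """DER bytes of the first certificate in a PEM bundle.
    certbot's fullchain.pem lists the leaf first, then the intermediates."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def served_leaf_der(host, port=443, timeout=10):
    """Leaf certificate the server presents. Validation is turned off for
    this inspection only, so an expired certificate can still be fetched."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def compare(disk_pem, served_der):
    """Compare SHA-256 fingerprints of the on-disk leaf and the served leaf."""
    disk = hashlib.sha256(leaf_der_from_pem(disk_pem)).hexdigest()
    served = hashlib.sha256(served_der).hexdigest()
    return {"match": disk == served, "disk": disk, "served": served}

# Constructed stand-ins, not real certificates: the comparison only hashes bytes.
def to_pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

NEW_LEAF = b"constructed renewed leaf"
OLD_LEAF = b"constructed expired leaf"
SAMPLE_FULLCHAIN = to_pem(NEW_LEAF) + to_pem(b"constructed intermediate")

if __name__ == "__main__":
    if len(sys.argv) == 3:      # usage: script.py HOST /path/to/fullchain.pem
        with open(sys.argv[2]) as f:
            result = compare(f.read(), served_leaf_der(sys.argv[1]))
    else:                       # offline demo: server still serving the old leaf
        result = compare(SAMPLE_FULLCHAIN, OLD_LEAF)
    print(result)
    sys.exit(0 if result["match"] else 1)
```

A non-zero exit after a renewal means the server is not presenting the file certbot wrote, either because the configuration points elsewhere or because the reload never took effect.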