I renewed cert but ssllabs still shows last exp date?

Windows Server 2012 R2
IIS 8.5
ZeroSSL Crypt::LE client v0.28

I renewed my certificate successfully but the SSLlabs checker still shows the old expiration date even when I told it to Clear Cache.

I remoted into our pubilc web server and loaded the MMC Certificates snap-in and see the new certificate with the “2/1/18” expiration date in the “Web Hosting” store and not in the Personal store. I then went into the IIS Manager and selected the server and looked at Server Certificates and see the new cert with the “2/1/18” expiration date in it.

What could be the problem? I’m concerned because the old cert expires in 12 days…should I not be worried about this? Perhaps the SSLlabs checker needs time to update or something, even thought I told it to ignore the cached results? I have HSTS set to 6 months, could that be affecting this? Thanks for any thoughts you can give me.

EDIT: I just noticed that the CSR file in the renewal directory still has the old date. Does that mean anything?

Right-click on your “site” in IIS Manager and choose Edit Bindings… from the context menu. In the dialog box that appears, select your “https” binding and then click the Edit… button. Another dialog box will open, and at the bottom there is a drop-down box to select a certificate along with a View… button to confirm the expiration date of the certificate.

Please confirm that you have the correct certificate selected here.

This has nothing to do with HSTS. The old CSR might have been relevant if you didn’t clearly see a renewed certificate in the IIS Manager, but since you did get a new certificate it’s safe to assume the software either reused the CSR or cleaned up the new one but failed to clean up the old one or something to that effect.

1 Like

THANK YOU!! That was the problem. Apparently when I deleted the old cert it removed the binding. I don’t understand why the website still worked as https after that however…hmmm…

So now I’m still faced with the problem of how to automate the binding. So close to fully automating this procedure, yet it feels so far away…

Take a look at this power shell script that automates ACME certificates:

Thanks. I’m not a powershell user and don’t have time to learn the intricacies and it has to launch from task scheduler. I will take a look at it though and appreciate your input.

hi @mushu

Where are your contributions to this forum?

You have chewed up a lot of cycles asking people to solve your problems but haven’t contributed anything back in my opinion?.

No source code, no approaches, no lessons learnt, just questions and requests for people to do things to make your issuance work

I saw two fairly demanding requests to @leader - his code is open source. If you don’t have time to learn perl or powershell why should others implement features/documentation etc. https://github.com/do-know/Crypt-LE

Just a small observation!!

Andrei

@ahaw021 Wow. I have never been rude or unprofessional in ANY of my forum posts, no need for you to be. You should be setting a better example for those of us who know much less about this topic, which is almost everyone who posts questions.

I have ALWAYS asked politely and never pestered or complained if I didn’t get an answer from anyone because I understand that this is free software done by volunteers on their own time. I have actually answered other questions and explained what I did wrong and how I fixed it and have contributed to this community in the ways that I felt I could. Not everyone can just drop their jobs or take a few weeks to learn a new programming language and then work on open-source software. And, be honest, would anyone even accept the resulting code??

In fact, you may have done a big disservice to this community by responding to my simple questions this way, since the chilling effect of your response may very well prevent someone from asking their “silly” questions, thinking that they will have to learn programming and contribute code in order to get any help, and they may just decide not to implement SSL at all. Or they will use a commercial service and just spend the money to avoid this hassle, with possible social media bad-mouthing of this community. And I wouldn’t blame them.

Just my small observation!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.