I still can not access my web after renewing cer successfully


#1

After I renewed the cer successfully, I still cannot access my website. It gives this error:
Connecting to www.folkcam.com (www.folkcam.com)|xx.xx.xx.xxx|:443… connected.
ERROR: cannot verify www.folkcam.com’s certificate, issued by ‘CN=Let’s Encrypt Authority X3,O=Let’s Encrypt,C=US’:
Issued certificate has expired.

This cer expired today because the server cron job did not work, so I ran the command manually to update the cer, but even though it executed successfully, my website still reports “Issued certificate has expired”. Please help!

My domain is:
folkcam.com
I ran this command:
/usr/local/certbot-auto renew
It produced this output:

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.folkcam.com
Waiting for verification…
Cleaning up challenges


Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.folkcam.com/fullchain.pem (success)
My web server is (include version):
apache 8.5
The operating system my web server runs on is (include version):
Linux 4.14.62-65.117.amzn1.x86_64 #1 SMP Fri Aug 10 20:03:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I can login to a root shell on my machine (yes or no, or I don’t know): yes


#2

You need to check your Apache Tomcat configuration.

Most likely you have a setup that requires you to convert the certificate from its Certbot format to a PFX format for Tomcat to use, and then restart Tomcat.

The person who set this up initially should know what your setup is.


#3

Hi, I converted the cer format when I initially set this up, and it ran well for the past 3 months. Today I found it expired, so I ran /usr/local/certbot-auto renew to update it. I don’t know if the format could change or not after I updated the cer; what do you think? I also just checked the cron log, and it also ran successfully, but the cer just could not be updated correctly.


#4

When Certbot renewed your certificate, it created an entirely new certificate.

Since Tomcat doesn’t know how to use the certificate created by Certbot, you need to perform the conversion again.

Typically users create renewal hooks to perform this task automatically for them.
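
A renewal hook of the kind mentioned in the reply above, as an added example that is not part of the original thread or any poster's setup: a Certbot deploy hook that redoes the PFX (PKCS#12) conversion after each successful renewal and restarts Tomcat. The keystore path, password file, alias and service name are assumptions; `RENEWED_LINEAGE` is the variable Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that rebuilds Tomcat's PKCS#12 keystore.
# Assumed (not from the thread): keystore path, password file, alias, service name.
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/www.folkcam.com)
# when it runs deploy hooks after a successful renewal.
OPENSSL="${OPENSSL:-openssl}"
KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/keystore.p12}"    # assumed path
PASSFILE="${PASSFILE:-/opt/tomcat/conf/keystore.pass}"   # assumed, readable by root only

# build_keystore LINEAGE_DIR OUT_FILE PASS_FILE
# Converts fullchain.pem + privkey.pem to PKCS#12. The result is written to a
# temporary file first, so a failed conversion never replaces the keystore
# that Tomcat is still using.
build_keystore() {
    lineage=$1; out=$2; passfile=$3
    for f in "$lineage/fullchain.pem" "$lineage/privkey.pem" "$passfile"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    tmp="$out.new.$$"
    ( umask 077   # the keystore contains the private key: owner-only from creation
      "$OPENSSL" pkcs12 -export \
          -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
          -name tomcat -passout "file:$passfile" -out "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    # If Tomcat runs as an unprivileged user, chown "$tmp" to that user here.
    mv -f "$tmp" "$out"   # atomic replace when both are on the same filesystem
}

# Run the conversion only when Certbot invokes this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_keystore "$RENEWED_LINEAGE" "$KEYSTORE" "$PASSFILE" || exit 1
    service tomcat8 restart   # assumed service name; Tomcat must reload the keystore
fi
```

Saved as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, or passed with `--deploy-hook`, the script runs only when a certificate was actually renewed, so the cron job's `renew` no longer leaves Tomcat serving the old certificate.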


#5

You are absolutely right! I converted the newly generated cer files to the one that Tomcat can identify, and it works! Have a nice day, thanks!


#6

Hi @oneofusers

Your www version of your website works. But your certificate has only the www domain name, so your non-www version doesn’t work.


| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://folkcam.com/ 52.14.53.101 | 302 | https://folkcam.com/ | 0.230 | A |
| http://www.folkcam.com/ 52.14.53.101 | 302 | https://www.folkcam.com/ | 0.230 | A |
| https://folkcam.com/ 52.14.53.101 | 200 | | 3.286 | N (Certificate error: RemoteCertificateNameMismatch) |
| https://www.folkcam.com/ 52.14.53.101 | 200 | | 2.217 | B |

Your Certificate:

CN=www.folkcam.com
24.12.2018
24.03.2019
www.folkcam.com - 1 entry

Create one certificate with two domain names: www.folkcam.com + folkcam.com and use that.

Then both versions of your website are secure.


#7

Hi JuergenAuer,

Thanks for your reply. Actually, we only use www.folkcam.com for our website; folkcam.com is not being used for now in this case. May I ask, is there any reason I have to add folkcam.com to the certificate? If I don’t do that, does it have any influence on the security or accessibility of my website?


#8

Your users don’t know that. And if users want to go to a website, they may not type the www; instead, they write only folkcam.com.

Then they get an error, “the page is unsecure”. This is always bad.


#9

@JuergenAuer Merry X’mas,
OK, I got it.

