Install certbox ok but certificate expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ifp.ioc.cat

I ran this command:
sudo certbot --apache

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ifp.ioc.cat/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ifp.ioc.cat/privkey.pem
    Your cert will expire on 2019-08-16. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”
  • Some rewrite rules copied from
    /etc/apache2/sites-enabled/000-default.conf were disabled in the
    vhost for your HTTPS site located at
    /etc/apache2/sites-available/000-default-le-ssl.conf because they
    have the potential to create redirection loops.

My web server is (include version):

The operating system my web server runs on is (include version):
debian 9 skecth
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

But when I run:
https://www.ssllabs.com/ssltest/analyze.html?d=ifp.ioc.cat
my domain is insecure because de certificate is expired:

ifp.ioc.cat
Fingerprint SHA256: 8bb784c047abfcccc8b1e50893685405ae8509ff67cd9486c06f3eec15b126c7
Pin SHA256: EFuRsTTV7dBX19k8LmxYq8NQu7QrO7g/KjbyCwI9zf8=

Common names
ifp.ioc.cat
Alternative names
ifp.ioc.cat
Serial Number
03efd7063d1c5718ec07a5b163f9c58c864e
Valid from
Tue, 15 May 2018 06:43:03 UTC
Valid until
Mon, 13 Aug 2018 06:43:03 UTC (expired 9 months and 5 days ago) EXPIRED
Key
RSA 2048 bits (e 65537)

Hi @mlozan54

you have created 4 identical certificates ( https://check-your-website.server-daten.de/?q=ifp.ioc.cat ):

CRT-Id Issuer not before not after Domain names LE-Duplicate next LE
1485840446 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-05-18 15:53:06 2019-08-16 15:53:06 ifp.ioc.cat
1 entries duplicate nr. 4
1485642879 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-05-18 14:41:25 2019-08-16 14:41:25 ifp.ioc.cat
1 entries duplicate nr. 3
1484639797 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-05-18 08:10:32 2019-08-16 08:10:32 ifp.ioc.cat
1 entries duplicate nr. 2
1481914225 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-05-17 15:22:46 2019-08-15 15:22:46 ifp.ioc.cat
1 entries duplicate nr. 1
463375190 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2018-05-15 04:43:03 2018-08-13 04:43:03 ifp.ioc.cat
1 entries

But the certificate you use is one year old and expired.

Perhaps you have created that certificate with certonly, so it's not installed. Or you have a fatal --force-renew in your renew configuration file, only --renew doesn't produce such a result.

There is a limit, you can create max. 5 identical certificates per week.

What says

certbot certificates
apachectl configtest
apachectl fullstatus
apachectl -S

Hi JuergenAuer.

Thank you very much for your response.
I have created these certificates by error, and now I don’t know how to delete they. I don’t need 5 certficates, I only need a valid certificate (not expired) and I would like delete others.

The info that you request:
certbot certificates
root@ifp:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ifp.ioc.cat
    Domains: ifp.ioc.cat
    Expiry Date: 2019-08-16 17:53:06+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ifp.ioc.cat/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ifp.ioc.cat/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

apachectl configtest
root@ifp:~# apachectl configtest
Syntax OK

apachectl fullstatus
root@ifp:~# apachectl fullstatus
Apache Server Status for localhost (via ::1)

Server Version: Apache/2.4.25 (Debian) mod_jk/1.2.46 OpenSSL/1.0.2r
Server MPM: prefork
Server Built: 2019-04-02T19:05:13

-------------------------------------------------------------------------------

Current Time: Sunday, 19-May-2019 09:27:31 CEST
Restart Time: Saturday, 18-May-2019 20:52:58 CEST
Parent Server Config. Generation: 5
Parent Server MPM Generation: 4
Server uptime: 12 hours 34 minutes 32 seconds
Server load: 1.07 0.49 0.34
Total accesses: 163 - Total Traffic: 8.1 MB
CPU Usage: u.73 s4.04 cu0 cs0 - .0105% CPU load
.0036 requests/sec - 188 B/second - 51.0 kB/request
1 requests currently being processed, 9 idle workers

________..._..W.................................................
................................................................
......................

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv   PID   Acc  M CPU   SS  Req Conn Child Slot    Client     Protocol      VHost                                  Request
0-4  4294  0/1/  _ 0.05 2263 0   0.0  0.00  1.24 192.168.5.110 http/1.1 ifp.ioc.cat:80  GET / HTTP/1.1
           21
1-4  28378 0/1/  _ 0.32 3419 0   0.0  0.00  0.25 192.168.5.110 http/1.1 ifp.ioc.cat:443 HEAD /icons/folder.gif HTTP/1.1
           11
2-4  4296  0/1/  _ 0.05 2263 10  0.0  0.00  0.13 192.168.5.110 http/1.1 ifp.ioc.cat:80  GET /icons/folder.gif HTTP/1.1
           11
3-4  4298  0/1/  _ 0.05 2263 22  0.0  0.00  0.12 192.168.5.110 http/1.1 ifp.ioc.cat:80  GET /icons/blank.gif HTTP/1.1
           11
4-4  4300  0/1/  _ 0.06 2167 0   0.0  0.01  0.21 192.168.5.110 http/1.1 ifp.ioc.cat:443 GET / HTTP/1.1
           17
5-4  28379 0/1/7 _ 0.32 3419 22  0.0  0.00  2.29 192.168.5.110 http/1.1 ifp.ioc.cat:443 HEAD /icons/blank.gif HTTP/1.1
6-4  28380 0/1/5 _ 0.32 3423 0   0.0  0.00  0.08 192.168.5.110 http/1.1 ifp.ioc.cat:80  GET /.well-known/acme-challenge/check-your-website-dot-server-d
7-4  4302  0/1/  _ 0.10 1450 34  0.0  0.00  0.14 ::1           http/1.1 ifp.ioc.cat:80  GET /server-status HTTP/1.0
           13
8-3  -     0/0/5 . 0.02 8799 0   0.0  0.00  0.74 192.168.5.110 http/1.1 ifp.ioc.cat:443 GET /ada/js/login.js HTTP/1.1
9-3  -     0/0/  . 1.15 8799 0   0.0  0.00  0.09 192.168.5.110 http/1.1 ifp.ioc.cat:443 GET / HTTP/1.1
           10
10-3 -     0/0/  . 0.02 8799 907 0.0  0.00  0.23 192.168.5.110 http/1.1 ifp.ioc.cat:443 GET /iocindfpgui/informesgraficsallaulacicle/2018/Semestre1/F_D
           20
11-4 28381 0/1/  _ 0.33 3424 0   0.0  0.01  2.37 192.168.5.110 http/1.1 ifp.ioc.cat:443 GET / HTTP/1.1
           19
12-3 -     0/0/  . 1.63 8799 0   0.0  0.00  0.21 192.168.5.110 http/1.1 ifp.ioc.cat:443 GET / HTTP/1.1
           10
13-3 -     0/0/2 . 0.02 8799 2   0.0  0.00  0.01 192.168.5.110 http/1.1 ifp.ioc.cat:443 GET /ada/img/colorsicon.png HTTP/1.1
14-4 28382 0/1/1 W 0.33 0    0   0.0  0.00  0.00 ::1           http/1.1 ifp.ioc.cat:80  GET /server-status HTTP/1.0

-------------------------------------------------------------------------------

 Srv  Child Server number - generation
 PID  OS process ID
 Acc  Number of accesses this connection / this child / this slot
  M   Mode of operation
 CPU  CPU usage, number of seconds
 SS   Seconds since beginning of most recent request
 Req  Milliseconds required to process most recent request
Conn  Kilobytes transferred this connection
Child Megabytes transferred this child
Slot  Total megabytes transferred this slot

-------------------------------------------------------------------------------
SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current entries: 0
subcaches: 32, indexes per subcache: 88
index usage: 0%, cache usage: 0%
total entries stored since starting: 0
total entries replaced since starting: 0
total entries expired since starting: 0
total (pre-expiry) entries scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss
-------------------------------------------------------------------------------

Apache/2.4.25 (Debian) Server at localhost Port 80

apachectl -S
root@ifp:~# apachectl -S
VirtualHost configuration:
*:443 ifp.ioc.cat (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server ifp.ioc.cat (/etc/apache2/sites-enabled/000-default-le-ssl.conf:48)
port 80 namevhost ifp.ioc.cat (/etc/apache2/sites-enabled/000-default-le-ssl.conf:48)
port 80 namevhost ifp.ioc.cat (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

That

looks like two duplicated entries. Every combination of port and ServerName should be unique.

Perhaps use the second, remove the first (not the file, only the content).

A port 80 definition in a ssl-config file isn't good.

Then again

apachectl -S

to see if there is only one row.

Then try

certbot --reinstall -d ifp.ioc.cat

Certbot should find the certificate with the same name and should reinstall it.

Or change the path and file names in that file manual.

Hi.
The expired certificate seems be used yet. Domain ifp.ioc.cat is insecure and I check it in:

I have done these steps:
1) delete duplicate port 80 definition
I have deleted port 80 definition from
/etc/apache2/sites-enabled/000-default-le-ssl.conf:48
and now, it seems port 80 not duplicated
root@ifp:~# apachectl -S
VirtualHost configuration:
*:443 ifp.ioc.cat (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 ifp.ioc.cat (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

2) reinstall
certbot --reinstall -d ifp.ioc.cat
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ifp.ioc.cat

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ifp.ioc.cat
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ifp.ioc.cat/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ifp.ioc.cat/privkey.pem
   Your cert will expire on 2019-08-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

3) Check paths in /etc/apache2/sites-enabled/000-default-le-ssl.conf
I think paths are OK.
This is the content of this file.

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port t$
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        JkMount /manager ajp13_worker
        JkMount /manager/ ajp13_worker
        JkMount /manager/* ajp13_worker
        JkMount /iocindfpgui ajp13_worker
        JkMount /iocindfpgui/ ajp13_worker
        JkMount /iocindfpgui/* ajp13_worker

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

ServerName ifp.ioc.cat
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/ifp.ioc.cat/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ifp.ioc.cat/privkey.pem
</VirtualHost>
</IfModule>

The last check is from

Checked:
19.05.2019 08:30:00   

this morning. Did you restart your server? Then recheck your domain.

I have rebooted my system and it’s insecure yet. I check it again and it’s insecure.

What’s that?

Checking your ip https://check-your-website.server-daten.de/?q=85.192.111.254

There is a

CN=web.ioc.cat
	06.05.2019
	04.08.2019
expires in 77 days	web.ioc.cat - 1 entry

certificate. Is this the correct ip?

And a

Server: Apache/2.2.22 (Debian)

instead of your

Server: Apache/2.4.25 (Debian)

Looks like another server answers.

Or check your config to find all

SSLCertificateFile

to find the expired certificate. Then you know which vHost is used.

I have a virtual machine inside this ip 85.192.11.254

Then your configuration is wrong, so that VM isn’t used.

OK, thanks.
I must to talk with machine administrator.
Thank you very much.

Miguel Lozano

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.