Letsencrypt ca cert expired, but renew not allowed


#1

Please fill out the fields below so we can help you better.

My domain is: kw-m1.orchit-dev.de

I ran this command: letsencrypt renew

It produced this output:
Processing /etc/letsencrypt/renewal/kw-m1.orchit-dev.de.conf
The following certs are not due for renewal yet:
/etc/letsencrypt/live/kw-m1.orchit-dev.de/fullchain.pem (skipped)
No renewals were attempted.

My operating system is (include version): Ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

According to:
https://sslanalyzer.comodoca.com/?url=https%3A%2F%2Fkw-m1.orchit-dev.de%3A8443
The CA certificate expired 5 days ago, but I can’t renew the cert and it looks like there is no “force” option in the CLI.


#2

The certificate appears to have been renewed March 25, so it makes sense Certbot doesn’t want to do anything.

https://crt.sh/?id=108598311

(Unless that certificate is stored elsewhere.)

What web server is being used? How is it configured? Is it configured to use the correct certificate at the correct path? (/etc/letsencrypt/live/kw-m1.orchit-dev.de/.) Has it been reloaded or restarted since the certificate was renewed? Does it need to be?

Does “certbot certificates” or “sudo openssl x509 -in /etc/letsencrypt/live/kw-m1.orchit-dev.de/cert.pem -noout -text” show the certificate issued in January, or the one issued in March?


#3

By the way, a typical Certbot setup would have started trying to renew the certificate around March 16 (30 days before expiration). Yours seemingly either didn’t try, or tried but didn’t succeed, until March 25.

You should make sure there’s a cron job or equivalent (systemd timer?) to run “certbot renew” 1-2 times a day (it will exit without doing anything if no certificates need to be renewed), and check /var/log/letsencrypt to see if and why it was failing.


#4

Well, the cert is valid, just the CA cert is expired :frowning:


#5

What do you mean by the CA certificate?

The end-entity certificate for kw-m1.orchit-dev.de currently being used by that server is expired.

Certbot seems to be managing a different, valid certificate, but the web server isn’t using it for some reason.

The root CA and Let’s Encrypt intermediates haven’t expired, and won’t for years to come.
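
The checks suggested in #2 and #5 boil down to one question: is the certificate the server presents on port 8443 the same one Certbot holds under /etc/letsencrypt/live/kw-m1.orchit-dev.de/, and which of the two is still valid? The script below is an added example, not something from the thread or from Certbot itself; it only uses the openssl commands mentioned above. The hostname, port and live directory come from the thread; the function names and the default live path layout are assumptions.

```shell
#!/bin/sh
# Compare the leaf certificate a TLS server actually serves with the one
# Certbot keeps on disk, and report how long each is still valid.
# Added example built on the openssl invocations from the thread; paths
# and function names are assumptions, not Certbot's own tooling.

# SHA-256 fingerprint of a PEM certificate file (value after the '=').
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# notAfter date of a PEM certificate file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate is still valid for at least $2 seconds,
# 1 if it expires (or has expired) within that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Fetch the leaf certificate presented by host:port into a PEM file $3.
# -servername sends SNI so a name-based vhost returns the right cert.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -outform PEM > "$3"
}

# Print MATCH (exit 0) or MISMATCH (exit 1) for two PEM certificates.
compare_certs() {
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    if [ "$a" = "$b" ]; then
        echo "MATCH"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# Full check: served cert vs. on-disk cert, with expiry of both.
# Usage: check_server HOST PORT [LIVE_DIR]
check_server() {
    host=$1
    port=$2
    live=${3:-/etc/letsencrypt/live/$host}
    served=$(mktemp)
    fetch_served_cert "$host" "$port" "$served"
    echo "served   expires: $(cert_not_after "$served")"
    echo "on disk  expires: $(cert_not_after "$live/cert.pem")"
    # A MISMATCH here means the web server has not picked up the renewed
    # certificate (typically it still needs a reload/restart).
    compare_certs "$served" "$live/cert.pem"
    status=$?
    cert_valid_for "$served" 0 || echo "WARNING: served certificate has already expired"
    rm -f "$served"
    return $status
}

# Run the check only when host and port are given on the command line,
# e.g.: sh check_cert.sh kw-m1.orchit-dev.de 8443
if [ "$#" -ge 2 ]; then
    check_server "$1" "$2" "$3"
fi
```

A MISMATCH together with an expired served certificate is exactly the situation in this thread: Certbot renewed on disk, but the server kept the old certificate in memory until it was reloaded.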


#6

OMG, you’re right. I have misread that. Well my lame excuse is that due to the flu I didn’t sleep at all :wink:

