My certificate will expire 8 days. But it is still updated week ago

Hello!

I got email that my xxx website certificate will expire in 8 days.

I wonder why? because I look those cert3.pem files and other *.pem files and those
are marked to updated in jul 27.

Does those archive files cert1.pem, cert2.pem and other confuse automatic check??
beause it uses currently cert3.pem (as you can see below)??

I got many other sites from letsencrypt service and those
work ok! But with one difference those websites does no have those
cert1.pem, cert2.pem etc. but only one cert1.pem where they are linked.

I test the xxx address with these command

ssl-cert-check -c /etc/letsencrypt/live/xxx/cert.pem

and it gives this answer:
FILE:/etc/letsencrypt/live/xxx/cert.pem Valid Oct 25 2016 78

So everything should be ok! or not?? (that’s I want to know) The letsencrypt automatic check
does not work everycases ? Is this so?

Here file list from the problematic xxx website

/etc/letsencrypt/live/xxx

lrwxrwxrwx 1 root root 49 jul 27 12:25 cert.pem -> …/…/archive/xxx/cert3.pem
lrwxrwxrwx 1 root root 50 jul 27 12:25 chain.pem -> …/…/archive/xxx/chain3.pem
lrwxrwxrwx 1 root root 54 jul 27 12:25 fullchain.pem -> …/…/archive/xxx/fullchain3.pem
lrwxrwxrwx 1 root root 52 jul 27 12:25 privkey.pem -> …/…/archive/xxx/privkey3.pem

/etc/letsencrypt/archive/xxx/

-rw-r–r-- 1 root root 1826 may 16 10:57 cert1.pem
-rw-r–r-- 1 root root 1866 may 17 12:00 cert2.pem
-rw-r–r-- 1 root root 1866 jul 27 12:25 cert3.pem
-rw-r–r-- 1 root root 1647 may 16 10:57 chain1.pem
-rw-r–r-- 1 root root 1647 may 17 12:00 chain2.pem
-rw-r–r-- 1 root root 1647 jul 27 12:25 chain3.pem
-rw-r–r-- 1 root root 3473 may 16 10:57 fullchain1.pem
-rw-r–r-- 1 root root 3513 may 17 12:00 fullchain2.pem
-rw-r–r-- 1 root root 3513 jul 27 12:25 fullchain3.pem
-rw-r–r-- 1 root root 1704 may 16 10:57 privkey1.pem
-rw-r–r-- 1 root root 1708 may 17 12:00 privkey2.pem
-rw-r–r-- 1 root root 1704 jul 27 12:25 privkey3.pem

Yours, Timo

Are you sure the email is about THAT certificate? I thought I had the same issue but then I remembered that when I first requested a certificate I had forgotten a specific SAN. I corrected my mistake by requesting a new certificate including that SAN. The new certificate is automatically being updated by a CRON job and that works fine.

I first thought that the email was about the last, updating certificate. On closer inspection however the email is about the first certificate that I indeed do not update as I do not need it.

Regards,

Wesley

1 Like

Hi @timo,

Like @webbes mentioned frequently there can be confusion around which certificate you are being warned about vs which you have checked for renewal.

Can you share the domain name(s) you received the expiration warning email for? That’s the piece of information I would need to investigate whether you received the warning in error or if there is another explanation.

Hello!

The domain dame is: eco-toimistotarvikkeet.fi
email say it will expire (on 14 Aug 16 06:57 +0000).

So I want to know is this really expire 14 Aug or not?

Yours, Timo

The email is about the cert that does not include www. Your site is currently using one that does include www. that expires on the 25th of October.

1 Like

Hello!

I’m new worker here. What should I do that eco-toimistotarvikkeet.fi
without www does not expire 14 Aug.

Yours, Timo

Nothing, it looks like that cert is no longer in use so it can just be left to expire.

We use address: https://eco-toimistotarvikkeet.fi
without www and if user write address with www
it redirects to https://eco-toimistotarvikkeet.fi

So does 14 Aug expire cert (eco-toimistotarvikkeet.fi) cause any problem?

Yours Timo

No, with that cert the redirect wouldn’t have worked, which would have been why it was replaced by the other cert.

Now I got new problem how to fix it?

“Common names static.eco-toimistotarvikkeet.fi MISMATCH”

Where folder to go to fix it?

The page does not show??

Yours Timo

I just run ./certbot-auto and there get new certificate?

Then it the page does not work

yours Timo

eco_error.log

[Mon Aug 08 22:03:49.434465 2016] [ssl:error] [pid 16438] AH02032: Hostname 178.63.3.78 provided via SNI and hostname eco-toimistotarvikkeet.fi provided via HTTP are different
[Tue Aug 09 13:56:43.980148 2016] [ssl:warn] [pid 9724] AH01909: RSA certificate configured for eco-toimistotarvikkeet.fi:443 does NOT include an ID which matches the server name
[Tue Aug 09 15:06:55.269446 2016] [ssl:error] [pid 30235] [client 64.41.200.106:41306] AH02042: rejecting client initiated renegotiation
[Tue Aug 09 15:10:08.520979 2016] [ssl:error] [pid 30351] [client 64.41.200.106:53900] AH02042: rejecting client initiated renegotiation

This error.

Yours Timo

Help me please !

I do not know where to find the solution?

Yours Timo

HI Timo,

What did you try changing ?

Your certificate was working correctly for eco-toimistotarvikkeet.fi (from everything above) but now the certificate is valid for static.eco-toimistotarvikkeet.fi

If you check your apache config, it will be pointing to use the static.eco-toimistotarvikkeet.fi certificate (one I assume you just created, I haven’t checked ), rather than the correct certificate for eco-toimistotarvikkeet.fi

Hello!

Where Apache config file ?

Sites-enabled or where i find that file??

Thank you all!

I use backup files and change everything that I mistake changed. Now it works!!!

So I just want to know does eco-toimistotarvikkeet.fi works after 14 Aug
That question I do no get answer yet… so we have redirection



Goes all to https://eco-toimistotarvikkeet.fi

So does all that works after 14 Aug ?

Yours Timo

As has been answered above, yes https://eco-toimistotarvikkeet.fi will continue to work after the 14th August

The confusion may be because it has also been stated that, strictly, you should be using a valid certificate for www.eco-toimistotarvikkeet.fi (even though it is only a redirect ) … and you currently aren’t, you are using the cert for eco-toimistotarvikkeet.fi (which expires on 25 Oct).

Thank you! for your help and answers!

Everything is allright now!

Yours timo

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.