Need help with expired certificate renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: essens.team, *essens.team

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Heroku

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No (heroku-cli)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.3.0

Hi @modreoci

Checking your domain, you have a wildcard certificate that expired 65 days ago - https://check-your-website.server-daten.de/?q=essens.team

CN=essens.team | 15.11.2019 | 13.02.2020 | 65 days expired | *.essens.team, essens.team - 2 entries

So you must use DNS validation if you want to renew that certificate.

I don't know if Heroku supports DNS validation. Check that.

Mhmmm… I’m not so skilled, I don’t know what I have to ask them.
There is no mention of DNS validation in their documentation. There is Automated Certificate Management (ACM), which I can’t use because it is limited to non-wildcard domains. Originally I made the SSL cert for my domain by following this article https://devcenter.heroku.com/articles/ssl and it is properly installed. The only thing which is not functioning is the certificate expiry. I don’t know what I have to do now.

curl -vI https://essens.team
* Trying 54.171.46.223:443…
* Connected to essens.team (54.171.46.223) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired

openssl s_client -connect safe-journey-00grc9dtavxb2lbh0hlo4ot3.herokudns.com:443 -servername essens.team
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = essens.team
verify error:num=10:certificate has expired
notAfter=Feb 13 01:25:37 2020 GMT
verify return:1
depth=0 CN = essens.team
notAfter=Feb 13 01:25:37 2020 GMT
verify return:1

Certificate chain
0 s:CN = essens.team
i:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
1 s:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3

Server certificate
subject=CN = essens.team

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3058 bytes and written 439 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: FB9DDB6AC15E8E27D420779FB751C712E97DDB95F63AC0E82E6F4BB89B146298
    Session-ID-ctx: 
    Master-Key: 92B097A26B68081984B44E0E2B60692DF5C4DE8639AD1AA82BFAB2C9B1A69203E70C35ECE7259A99AC1CCC0AD5DEB5D4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1587216062
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
---
read:errno=0
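
The check that the s_client output above supports, as an added example that is not part of the original thread: it reads the expiry, handshake time and verify code from the output and reports how long the certificate has been expired and which ACME challenge a reissue needs. The function names and the trimmed sample are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the verification lines of the s_client output above.
SAMPLE = """\
depth=0 CN = essens.team
verify error:num=10:certificate has expired
notAfter=Feb 13 01:25:37 2020 GMT
    Start Time: 1587216062
    Verify return code: 10 (certificate has expired)
"""

def parse_s_client(text):
    """Return (notAfter or None, handshake time, verify code) from s_client output."""
    start = re.search(r"^\s*Start Time:\s*(\d+)", text, re.M)
    code = re.search(r"^\s*Verify return code:\s*(\d+)", text, re.M)
    if not (start and code):
        raise ValueError("incomplete s_client output")
    seen = datetime.fromtimestamp(int(start.group(1)), tz=timezone.utc)
    # openssl prints notAfter when a certificate fails the expiry check.
    m = re.search(r"^notAfter=(.+?) GMT\s*$", text, re.M)
    expires = None
    if m:
        expires = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        expires = expires.replace(tzinfo=timezone.utc)
    return expires, seen, int(code.group(1))

def assess(text, names):
    """Report expiry and the ACME challenge a reissue for `names` needs."""
    expires, seen, code = parse_s_client(text)
    expired = code == 10  # X509_V_ERR_CERT_HAS_EXPIRED
    days = (seen - expires).days if expired and expires else 0
    # Let's Encrypt validates wildcard names only with the DNS-01 challenge.
    wildcard = any(n.startswith("*.") for n in names)
    return {
        "expired": expired,
        "days_expired": days,
        "challenge": "dns-01" if wildcard else "http-01 or dns-01",
    }

if __name__ == "__main__":
    print(assess(SAMPLE, ["essens.team", "*.essens.team"]))
```

Run on a schedule against live output, the same check flags an expired certificate at the first failed handshake rather than weeks later.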
