NET::ERR_CERT_DATE_INVALID Error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eyeonjewels.com

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Previously I used rapid ssl cerificate. Aftet it expired I moved to lets encrypt free ssl and installed on my server. But site uses still old ssl certificated after couple of refreshes taking new ssl certificate and resources(css, images, scripts) are not loading gives NET::ERR_CERT_DATE_INVALID error.

Please help.

Hi @Sankar

you have created two Letsencrypt certificates ( https://check-your-website.server-daten.de/?q=eyeonjewels.com ):

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-07-15 2019-10-13 eyeonjewels.com, www.eyeonjewels.com - 2 entries duplicate nr. 2
Let’s Encrypt Authority X3 2019-07-12 2019-10-10 eyeonjewels.com, www.eyeonjewels.com - 2 entries duplicate nr. 1

So that part works.

But you use a Letsencrypt and the expired RapidSSL: Looks like you have too much vHosts.

What says

apachectl -S

It is odd that Apache would randomly serve up different certificates on different requests for the same domain.

I think one of two theories are likely.

First is that Apache has screwed up and has half the workers on old configuration, and half on new. I have seen this happen in the past. In that case, do a hard restart of Apache:

service apache2 stop
killall -9 apache2
service apache2 start

The other theory is that (somehow) it is doing a round-robin between duplicate virtual hosts, as @JuergenAuer suggests. In that case, please additionally show the output of:

grep -Ri SSLCertificateFile /etc/apache2
1 Like

apchectl -S
gives following details:

VirtualHost configuration:
*:80 159.65.73.125 (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 eyeonjewels.com (/etc/apache2/sites-enabled/000-default.conf:44)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

grep Results

/etc/apache2/sites-enabled/000-default.conf:SSLCertificateFile /etc/apache2/ssl/jun/certificate.crt

/etc/apache2/sites-available/000-default.conf:SSLCertificateFile /etc/apache2/ssl/jun/certificate.crt

How about this one:

ls -lah /etc/apache2/ssl/jun/certificate.crt
openssl x509 -in /etc/apache2/ssl/jun/certificate.crt -noout -issuer -dates

You don’t have a port 80 vHost with your domain name.

So Certbot may have created a wrong vHost.

Sometimes it happens there are orphaned Apache processes. A hard reboot should remove these processes.

And share the content of

/etc/apache2/sites-enabled/000-default.conf

Result for 1st cmd
-rw-r–r-- 1 root root 1.9K Jul 14 23:23 /etc/apache2/ssl/jun/certificate.crt

2nd cmd
issuer= /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
notBefore=Jul 12 11:29:03 2019 GMT
notAfter=Oct 10 11:29:03 2019 GMT

000-default.conf details:

<VirtualHost *:80>

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/
<Directory "/var/www/html">
	AllowOverride All 
</Directory>
<Directory "/var/www/html/">
	AllowOverride All 
</Directory>
<Directory />
	Options Indexes FollowSymLinks
	AllowOverride all
	Require all granted
</Directory>


ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/jun/certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl/jun/private.key
SSLCertificateChainFile /etc/apache2/ssl/jun/ca_bundle.crt
ServerAdmin webmaster@eyeonjewels.com
DocumentRoot /var/www/html/
ServerName eyeonjewels.com

<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride all
Require all granted
</Directory>

</VirtualHost>

Have you tried doing the hard restart (including orphaned processes) of apache2 as I suggested in the earlier post? I’d be curious to see whether killing off all the processes makes any difference.

Not tried. Is this effect on server settings or data?

pidof apche2
gives following result: Which one I have to kill
32452 24809 24808 24805 24462 24461 24460 24318 24018 24017 23665 23563 23559 22816 22761 22759 22710 22709 22694 18599 14066 1738

How can I remove other duplicate certificate.

Stop the sysvinit/systemd apache service, and then also kill any of the remaining processes after that.

I would like for you to have your server in a state where zero apache2 processes are running.

Then start apache2.

That’s not required. And you can’t remove entries from CT-logs.

Read

Certificate created -> logged -> visible.

Issue reslolved. Thank you sooooooooo much. You saved my day. :slight_smile:

1 Like

Ok. Thx. Issue fixed.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.