NET::ERR_CERT_DATE_INVALID event after renewal


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.walk-my.pet

I ran this command: certbot renew

It produced this output:

My web server is (include version): JBOSS Wildfly 13

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: alibaba

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.25.1


#2

More info:

image

I did a server reboot after renewal.
The following site shows the issue: https://www.ssllabs.com/ssltest/analyze.html?d=www.walk-my.pet


#3

Hi @vovkind

you don’t use the new certificate:

CN=www.walk-my.pet | 21.11.2018 | 19.02.2019 | 2 days expired | walk-my.pet, www.walk-my.pet - 2 entries

Try

certbot -d walk-my.pet -d www.walk-my.pet

certbot should find your certificate and should ask if you want to install that certificate.


#4

If you have your JBoss server directly terminating TLS, then you may have imported the previous certificate by converting it to a different format (thinking of other Java-based web servers which often don’t understand PEM format directly). In that case, the process would need to be repeated every time you renew the certificate in order for the JBoss server to use the new certificate. (If so, you can use a --deploy-hook script with Certbot to automate this step.)


#5

10x for a quick reply. I’m using a Let’s Encrypt certificate and renewed it some 2 weeks ago. Yesterday I got the issue with an expired certificate.

Seems like I have a valid certificate, published screenshot in my original post.


#6

More info:

[root@iZgw82uc2opm5jqlzywm7wZ bin]# ls -l /etc/letsencrypt/renewal /etc/letsencrypt/live/*
-rw-r--r-- 1 root root 740 Nov 22 00:27 /etc/letsencrypt/live/README

/etc/letsencrypt/live/www.walk-my.pet:
total 4
-rw-r--r-- 1 root root 692 Nov 22 00:27 README
lrwxrwxrwx 1 root root 39 Feb 2 16:21 cert.pem -> ../../archive/www.walk-my.pet/cert2.pem
lrwxrwxrwx 1 root root 40 Feb 2 16:21 chain.pem -> ../../archive/www.walk-my.pet/chain2.pem
lrwxrwxrwx 1 root root 44 Feb 2 16:21 fullchain.pem -> ../../archive/www.walk-my.pet/fullchain2.pem
lrwxrwxrwx 1 root root 42 Feb 2 16:21 privkey.pem -> ../../archive/www.walk-my.pet/privkey2.pem

/etc/letsencrypt/renewal:
total 4
-rw-r--r-- 1 root root 689 Feb 2 16:21 www.walk-my.pet.conf


#7

What’s the content of this file?


#8

renew_before_expiry = 30 days
version = 0.25.1
archive_dir = /etc/letsencrypt/archive/www.walk-my.pet
cert = /etc/letsencrypt/live/www.walk-my.pet/cert.pem
privkey = /etc/letsencrypt/live/www.walk-my.pet/privkey.pem
chain = /etc/letsencrypt/live/www.walk-my.pet/chain.pem
fullchain = /etc/letsencrypt/live/www.walk-my.pet/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = MY_ACCOUNT_NUMBER
server = https://acme-v02.api.letsencrypt.org/directory
installer = None
[[webroot_map]]
walk-my.pet = /root/SOME_SERVER_FOLDER
www.walk-my.pet = /root/SOME_SERVER_FOLDER


#9

You don’t have an installer.

So how did you install the certificate?


#10

Manually. As described in tutorial.

Is this the root cause? How to fix it?
10x a lot for your help!


#11

Yes, every renewal is a new certificate which must be reimported into your web server in the same way as the original was imported. I don’t think a tutorial that omits this information is very helpful!

You can write a script to automate the process and then specify it to Certbot with --deploy-hook; after this, the script will be run automatically every time Certbot performs a renewal.
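
A check for the situation in this thread, where the renewed certificate sits under /etc/letsencrypt/live but the server still presents the old one. This is an added example, not part of any post and not Certbot's own code; the script name in the usage comment is hypothetical, and the check assumes the server is reachable on port 443 under the given host name.

```python
import hashlib
import socket
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM string such as cert.pem."""
    start = pem_text.index(BEGIN)
    stop = pem_text.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:stop])
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port=443, timeout=10):
    """SHA-256 of the leaf certificate the server presents on the wire."""
    # Validation is disabled only so that an expired certificate can still be
    # fetched for comparison; no application data is sent on this socket.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def is_deployed(pem_text, host, fetch=served_fingerprint):
    """True when the server presents the same leaf certificate that is on disk."""
    return pem_fingerprint(pem_text) == fetch(host)


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 check_deployed.py HOST CERT_PEM_PATH
    if len(sys.argv) != 3:
        sys.exit("usage: check_deployed.py HOST CERT_PEM_PATH")
    with open(sys.argv[2]) as fh:
        ok = is_deployed(fh.read(), sys.argv[1])
    print("server presents the certificate on disk" if ok
          else "STALE: server still presents a different certificate")
    sys.exit(0 if ok else 1)
```

Run as the last step of a deploy hook or from monitoring, a non-zero exit means the renewal succeeded on disk but the web server was never given the new certificate.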


#12

Which tutorial?


#13

Deleting certs (certbot delete) and importing everything from scratch (keys, adding certs via certbot certonly) worked for me.

Thank you, guys.

