NET::ERR_CERT_DATE_INVALID event after renewal

vovkind · February 21, 2019, 5:23pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.walk-my.pet

I ran this command: certbot renew

It produced this output:

My web server is (include version): JBOSS Wildfly 13

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: alibaba

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.25.1

vovkind · February 21, 2019, 5:25pm

More info:

I did server reboot after renewal.
Following site shows the issue: https://www.ssllabs.com/ssltest/analyze.html?d=www.walk-my.pet

JuergenAuer · February 21, 2019, 6:16pm

Hi @vovkind

you don't use the new certificate:

CN=www.walk-my.pet
	21.11.2018
	19.02.2019
2 days expired	walk-my.pet, www.walk-my.pet - 2 entries

Try

certbot -d walk-my.pet -d www.walk-my.pet

certbot should find your certificate and should ask, if you want to install that certificate.

schoen · February 21, 2019, 6:23pm

If you have your JBoss server directly terminating TLS, then you may have imported the previous certificate by converting it to a different format (thinking of other Java-based web servers which often don’t understand PEM format directly). In that case, the process would need to be repeated every time you renew the certificate in order for the JBoss server to use the new certificate. (If so, you can use a --deploy-hook script with Certbot to automate this step.)

vovkind · February 21, 2019, 7:26pm

10x for a quick reply. I’m using let’s encrypt certificate and renewed it some 2 weeks ago. Yesterday I got the issue with expired certificate.

Seems like I have a valid certificate, published screenshot in my original post.

vovkind · February 21, 2019, 7:38pm

More info:

[root@iZgw82uc2opm5jqlzywm7wZ bin]# ls -l /etc/letsencrypt/renewal /etc/letsencrypt/live/*
-rw-r–r-- 1 root root 740 Nov 22 00:27 /etc/letsencrypt/live/README

/etc/letsencrypt/live/www.walk-my.pet:
total 4
-rw-r–r-- 1 root root 692 Nov 22 00:27 README
lrwxrwxrwx 1 root root 39 Feb 2 16:21 cert.pem -> …/…/archive/www.walk-my.pet/cert2.pem
lrwxrwxrwx 1 root root 40 Feb 2 16:21 chain.pem -> …/…/archive/www.walk-my.pet/chain2.pem
lrwxrwxrwx 1 root root 44 Feb 2 16:21 fullchain.pem -> …/…/archive/www.walk-my.pet/fullchain2.pem
lrwxrwxrwx 1 root root 42 Feb 2 16:21 privkey.pem -> …/…/archive/www.walk-my.pet/privkey2.pem

/etc/letsencrypt/renewal:
total 4
-rw-r–r-- 1 root root 689 Feb 2 16:21 www.walk-my.pet.conf

JuergenAuer · February 21, 2019, 7:54pm

What't the content of this file?

vovkind · February 21, 2019, 8:14pm

renew_before_expiry = 30 days

version = 0.25.1

archive_dir = /etc/letsencrypt/archive/www.walk-my.pet

cert = /etc/letsencrypt/live/www.walk-my.pet/cert.pem

privkey = /etc/letsencrypt/live/www.walk-my.pet/privkey.pem

chain = /etc/letsencrypt/live/www.walk-my.pet/chain.pem

fullchain = /etc/letsencrypt/live/www.walk-my.pet/fullchain.pem

Options used in the renewal process

[renewalparams]

authenticator = webroot

account = MY_ACCOUNT_NUMBER

server = https://acme-v02.api.letsencrypt.org/directory

installer = None

[[webroot_map]]

walk-my.pet = /root/SOME_SERVER_FOLDER

www.walk-my.pet = /root/SOME_SERVER_FOLDER

JuergenAuer · February 21, 2019, 8:15pm

You don't have an installer.

So how did you installed the certificate?

vovkind · February 21, 2019, 8:44pm

Manually. As described in tutorial.

Is this root cause? How to fix it?
10x a lot for your help!

schoen · February 21, 2019, 9:03pm

Yes, every renewal is a new certificate which must be reimported into your web server in the same way as the original was imported. I don’t think a tutorial that omits this information is very helpful!

You can write a script to automate the process and then specify it to Certbot with --deploy-hook; after this, the script will be run automatically every time Certbot performs a renewal.

rg305 · February 22, 2019, 1:36am

Which tutorial?

vovkind · February 22, 2019, 8:18am

Delete certs (certbot delete) and importing everything from scratch (keys, adding certs via certbot certonly) was working for me.

thank you, guys.

system · March 24, 2019, 8:18am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
NET::ERR_CERT_DATE_INVALID but no renewal errors in log Help	3	1623	January 8, 2018
Error renewing certificate Help	11	445	June 26, 2022
Certificate error (date invalid) Help	34	663	November 12, 2023
Error to renew [NET::ERR_CERT_DATE_INVALID] Help	8	638	April 17, 2021
Renew certificate error Help	4	587	June 10, 2019

NET::ERR_CERT_DATE_INVALID event after renewal

renew_before_expiry = 30 days

Options used in the renewal process

Related topics