Net::err_cert_date_invalid

Help
1

I checked here


use : ubuntu 18.04 server
apache2
certbot --version
certbot 0.31.0
where is the problem ?

curl -I https://tvde.go.ro
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes
2

Hi @ctinleonard

you have older certificates. So your renew didn't work.

Your answers of the template questions are required.

2 Likes
3

Complete certificate history:


Screenshot_20201011-070905_Samsung Internet
Screenshot_20201011-070905_Samsung Internet1253×533 352 KB
1 Like
4

yes


I can't renew the certificate
I use ubuntu server 18.04
domain : tvde.go.ro
version certbot 0.31.0
apache2
do I need more information?
2 Likes
5

What is the complete certbot command you used?

What was the complete output of that command?

Do you have root access to your webserver?

2 Likes
6

certbot renew --dry-run
i m root

1 Like
7

Do you still have the output?

8

`'''certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/tvde.go.ro.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for tvde.go.ro
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (tvde.go.ro) from /etc/letsencrypt/renewal/tvde.go.ro.conf produced an unexpected error: Failed authorization procedure. tvde.go.ro (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tvde.go.ro/.well-known/acme-challenge/8HCU9ene-sKjuE6CKaHpJ8UKkj297dZBSBNjUsx5xVs [5.14.237.217]: "\n\n400 Bad Request\n\n

Bad Request</h1". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

2 Likes
9

Please do us a favor and edit your last post to add three backticks (```) on the lines above and below the output to make it clear to read.

The backticks need to be on separate lines by themselves.

They need to be backticks ` not quotes '

No worries though. It's just a nicety. We can work with what you've posted. Configuration files are more difficult to see without the backticks.

2 Likes
10

Cleaning up challenges
Attempting to renew cert (tvde.go.ro) from /etc/letsencrypt/renewal/tvde.go.ro.conf produced an unexpected error: Failed authorization procedure. tvde.go.ro (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tvde.go.ro/.well-known/acme-challenge/mx4PfNnsu9urp9i9iaXpT0JTzkypsPCk8wkdGJfyTCQ [5.14.237.217]: "\n\n400 Bad Request\n\n

Bad Request</h1". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem (failure)

here I think is the problem

1 Like
11

Here is the problem. :slightly_smiling_face:

Your port 80 is configured to use HTTPS (TLS/SSL) instead of HTTP, which definitely won't work.

Screenshot_20201011-072443_Samsung Internet
Screenshot_20201011-072443_Samsung Internet756×173 59 KB

What says apachectl -S ?

2 Likes
12

Is this

Host Type IP-Address is auth. ∑ Queries ∑ Timeout
tvde.go.ro A 5.14.237.217 Calarasi/Romania (RO) - RCS & RDS SA Hostname: 5-14-237-217.residential.rdsnet.ro yes 1 0
AAAA yes

a home server?

You may have a wrong port redirect

port 80 extern -> port 443 intern.

Port 80 extern -> http port intern is required.

3 Likes
13

apachectl -S
VirtualHost configuration:
*:80 tvde.go.ro (/etc/apache2/sites-enabled/nextcloud.conf:1)
*:8080 tvde.go.ro (/etc/apache2/sites-enabled/tvnl.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

1 Like
14

Thanks for that. :slightly_smiling_face:

What contains /etc/apache2/sites-enabled/nextcloud.conf ?

1 Like
15

Your port 8080 is a https port, same with your port 80.

So check your port redirects, looks these are wrong.

2 Likes
16

root@tvde:/home# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/tvde.go.ro.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

apachectl -S
VirtualHost configuration:
*:443 tvde.go.ro (/etc/apache2/sites-enabled/001-nextcloud-le-ssl.conf:2)
*:80 tvde.go.ro (/etc/apache2/sites-enabled/001-nextcloud.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG

it is not renewed
https://crt.sh/?q=tvde.go.ro

Remote Address

Use Current IP

Port Number

Open Port 80 is open on tvde.go.ro.

Remote Address

Use Current IP

Port Number

Open Port 443 is open on tvde.go.ro.

2 Likes
17

That's expected.

Please check

https://certbot.eff.org/docs/using.html

dry-run creates only a test certificate. So remove that parameter if you want to create a real certificate.

2 Likes
18

--dry-run creates no certificate - it only simulates the process (a test run).
[--staging creates a FAKE certificate]

dry run should have been called test run IMHO

1 Like
19

Really?

The doc:

--dry-run Perform a test run of the client, obtaining test
(invalid) certificates but not saving them to disk.

Didn't checked it, but without uploading a CSR the check would be incomplete.

Sounds like a test certificate is ordered (may be downloaded), but not saved.

3 Likes
20

I guess it does both then.
But the user experience is that none is left behind for use.

2 Likes