Net::err_cert_date_invalid

I checked here


use : ubuntu 18.04 server
apache2
certbot --version
certbot 0.31.0
Where is the problem?

```
curl -I https://tvde.go.ro
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
```

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Hi @ctinleonard

You have older certificates, so your renewal didn't work.

Your answers to the template questions are required.

2 Likes

Complete certificate history:


1 Like

yes


I can't renew the certificate
I use ubuntu server 18.04
domain : tvde.go.ro
version certbot 0.31.0
apache2
Do I need more information?
2 Likes

What is the complete certbot command you used?

What was the complete output of that command?

Do you have root access to your webserver?

2 Likes

certbot renew --dry-run
I'm root

1 Like

Do you still have the output?

`'''certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/tvde.go.ro.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for tvde.go.ro
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (tvde.go.ro) from /etc/letsencrypt/renewal/tvde.go.ro.conf produced an unexpected error: Failed authorization procedure. tvde.go.ro (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tvde.go.ro/.well-known/acme-challenge/8HCU9ene-sKjuE6CKaHpJ8UKkj297dZBSBNjUsx5xVs [5.14.237.217]: "\n\n400 Bad Request\n\n

Bad Request</h1". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

2 Likes

Please do us a favor and edit your last post to add three backticks (```) on the lines above and below the output to make it clear to read.

The backticks need to be on separate lines by themselves.

They need to be backticks ` not quotes '

No worries though. It's just a nicety. We can work with what you've posted. Configuration files are more difficult to see without the backticks.

2 Likes

Cleaning up challenges
Attempting to renew cert (tvde.go.ro) from /etc/letsencrypt/renewal/tvde.go.ro.conf produced an unexpected error: Failed authorization procedure. tvde.go.ro (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tvde.go.ro/.well-known/acme-challenge/mx4PfNnsu9urp9i9iaXpT0JTzkypsPCk8wkdGJfyTCQ [5.14.237.217]: "\n\n400 Bad Request\n\n

Bad Request</h1". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem (failure)

Here, I think, is the problem.

1 Like

Here is the problem. :slightly_smiling_face:

Your port 80 is configured to use HTTPS (TLS/SSL) instead of HTTP, which definitely won't work.

What does `apachectl -S` say?

2 Likes
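The diagnosis above (a TLS listener answering on the port the http-01 challenge uses) can be checked directly; the following is an added example, not code from this thread or from Certbot. The function names `classify_reply` and `probe` are hypothetical, the sample replies are constructed, and the match on Apache's "plain HTTP to an SSL-enabled server port" wording is an assumption about the server in use.

```python
import socket

# Constructed sample replies (not captured from the host in this thread).
APACHE_TLS_PORT_REPLY = (
    b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
    b"<h1>Bad Request</h1>\n<p>Your browser sent a request that this server "
    b"could not understand.<br />\nReason: You're speaking "
    b"plain HTTP to an SSL-enabled server port.<br />"
)
PLAIN_HTTP_REPLY = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
TLS_ALERT_REPLY = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46])


def classify_reply(raw: bytes) -> str:
    """Classify the first bytes a listener returns to a plain-HTTP request."""
    if not raw:
        return "no-reply"
    # A TLS record starts with a content type (0x15 alert, 0x16 handshake)
    # followed by the 0x03 major version byte.
    if len(raw) >= 2 and raw[0] in (0x15, 0x16) and raw[1] == 0x03:
        return "tls-listener"
    if not raw.startswith(b"HTTP/"):
        return "unknown"
    status_line = raw.split(b"\r\n", 1)[0].split()
    status = status_line[1].decode("ascii", "replace") if len(status_line) > 1 else ""
    # Assumed Apache wording for plain HTTP sent to an SSL-enabled vhost.
    if status == "400" and b"plain HTTP to an SSL-enabled" in raw:
        return "tls-listener"
    # Any other HTTP status (200, 301, 404, ...) means the port speaks HTTP.
    return "plain-http"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one plain-HTTP request for a challenge-style path and classify it."""
    request = (
        "GET /.well-known/acme-challenge/probe HTTP/1.1\r\n"
        f"Host: {host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            raw = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            raw = b""
    return classify_reply(raw)


if __name__ == "__main__":
    for name, sample in [("apache-400", APACHE_TLS_PORT_REPLY),
                         ("404", PLAIN_HTTP_REPLY), ("alert", TLS_ALERT_REPLY)]:
        print(name, "->", classify_reply(sample))
```

Run `probe()` from outside the local network so the router's port forwarding is part of what gets tested; a result of `tls-listener` on port 80 means the http-01 validation request cannot be served.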

Is this

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| tvde.go.ro | A | 5.14.237.217 Calarasi/Romania (RO) - RCS & RDS SA, Hostname: 5-14-237-217.residential.rdsnet.ro | yes | 1 | 0 |
| | AAAA | | yes | | |

a home server?

You may have a wrong port redirect:

Port 80 external -> port 443 internal.

Port 80 external -> HTTP port internal is required.

3 Likes

```
apachectl -S
VirtualHost configuration:
*:80 tvde.go.ro (/etc/apache2/sites-enabled/nextcloud.conf:1)
*:8080 tvde.go.ro (/etc/apache2/sites-enabled/tvnl.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

1 Like

Thanks for that. :slightly_smiling_face:

What does /etc/apache2/sites-enabled/nextcloud.conf contain?

1 Like

Your port 8080 is an HTTPS port, same as your port 80.

So check your port redirects; it looks like these are wrong.

2 Likes

```
root@tvde:/home# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/tvde.go.ro.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/tvde.go.ro/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
```

```
apachectl -S
VirtualHost configuration:
*:443 tvde.go.ro (/etc/apache2/sites-enabled/001-nextcloud-le-ssl.conf:2)
*:80 tvde.go.ro (/etc/apache2/sites-enabled/001-nextcloud.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
```

It is not renewed.

Port 80 is open on tvde.go.ro.

Port 443 is open on tvde.go.ro.

2 Likes

That's expected.

Please check

dry-run creates only a test certificate. So remove that parameter if you want to create a real certificate.

2 Likes

--dry-run creates no certificate - it only simulates the process (a test run).
[--staging creates a FAKE certificate]

dry run should have been called test run IMHO

1 Like

Really?

The doc:

```
--dry-run    Perform a test run of the client, obtaining test
             (invalid) certificates but not saving them to disk.
```

I didn't check it, but without uploading a CSR the check would be incomplete.

Sounds like a test certificate is ordered (maybe downloaded), but not saved.

3 Likes

I guess it does both then.
But the user experience is that none is left behind for use.

2 Likes