Net::err_cert_date_invalid

My domain is: https://universtat.ru/

I ran this command: docker-compose logs

It produced this output:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot     |   Domain: universtat.ru
certbot     |   Type:   connection
certbot     |   Detail: Fetching https://universtat/.well-known/acme-challenge/K6x0dxPPHiTt1YweQ1Po48utZr1H8y6dqKtJDYwydU4: Invalid hostname in redirect target, must end in IANA registered TLD
certbot     |
certbot     |   Domain: www.universtat.ru
certbot     |   Type:   connection
certbot     |   Detail: Fetching https://universtat/.well-known/acme-challenge/jdjZk-ynyv08vnQXEyrGlpwgDZnp7eZIcmUKRikYYO4: Invalid hostname in redirect target, must end in IANA registered TLD
certbot     |
certbot     | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
certbot     |
certbot     | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot     | Failed to renew certificate universtat.ru with error: Some challenges have failed.
certbot     |
certbot     | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot     | All renewals failed. The following certificates could not be renewed:
certbot     |   /etc/letsencrypt/live/universtat.ru/fullchain.pem (failure)
certbot     | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot     | 1 renew failure(s), 0 parse failure(s)
certbot     | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is: https://handyhost.ru/

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0

Hey guys, the website worked fine for 3 months or so, but today it throws the error which is in the title. How can I solve this?

Your HTTP to HTTPS redirect is malfunctioning. It's redirecting from universtat.ru to universtat (without the top level domain .ru). (Same goes for the www subdomain.) Please fix your HTTP to HTTPS redirect and try again.

Also note that this malfunctioning redirect would give problems for anyone typing the URL universtat.ru in their address bar, unless they run a plugin such as HTTPS Everywhere.


I think I fixed it, here is my nginx.conf:

upstream backend {
    server backend:8000;
}

server {
    server_name universtat.ru;
    listen 80;
    return 301 https://universtat.ru$request_uri;
}

server {
    server_name universtat.ru;
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/universtat.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/universtat.ru/privkey.pem;
    # ssl_certificate and ssl_certificate_key - the required certificates
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    client_max_body_size 4G;
    client_body_buffer_size 10M;
    # if ($server_port = 80) { set $https_redirect 1; }
    # if ($host ~ '^www\.') { set $https_redirect 1; }
    # if ($https_redirect = 1) { return 301 https://universtat.ru$request_uri; }

    root /app/dist/;
    index index.html;

    location ~ ^/(secretadmin|api|auth|templates|subscription|payment|payment_confirm) {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # <-
        proxy_set_header Host $http_host;
        proxy_redirect off;

        if (!-f $request_filename) {
            proxy_pass http://backend;
            break;
        }
        # proxy_redirect off;
        # include                 uwsgi_params;
        # uwsgi_param             HTTP_X_FORWARDED_PROTOCOL https;
        # uwsgi_param             UWSGI_SCHEME   $scheme;
        # proxy_pass http://backend;
        # proxy_set_header X-Forwarded-Protocol $scheme;
        # proxy_set_header Host $http_host;
    }

    location / {
        try_files $uri $uri/ @rewrites;
    }

    location @rewrites {
        rewrite ^(.+)$ /index.html last;
    }

    location /static/ {
        root /var/html/;
    }

    location /media/ {
        root /var/html/;
    }

}

Restarted docker-compose, here is the output of the certbot:

certbot     |
certbot     | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot     | Congratulations, all renewals succeeded:
certbot     |   /etc/letsencrypt/live/universtat.ru/fullchain.pem (success)
certbot     | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot     | Saving debug log to /var/log/letsencrypt/letsencrypt.log

Log file:

2021-10-17 15:52:00,470:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-10-17 15:52:00,892:DEBUG:certbot._internal.main:certbot version: 1.20.0
2021-10-17 15:52:00,893:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1514/bin/certbot
2021-10-17 15:52:00,893:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2021-10-17 15:52:00,893:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-10-17 15:52:00,927:DEBUG:certbot._internal.log:Root logging level set at 30
2021-10-17 15:52:00,929:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2021-10-17 15:52:00,943:DEBUG:certbot.plugins.util:Failed to find executable apache2ctl in PATH: /snap/certbot/1514/bin:/snap/certbot/1514/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
2021-10-17 15:52:00,943:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#apache): Cannot find Apache executable apache2ctl
Traceback (most recent call last):
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 151, in prepare
    self._initialized.prepare()
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 339, in prepare
    self._verify_exe_availability(self.options.ctl)
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 460, in _verify_exe_availability
    raise errors.NoInstallationError(
certbot.errors.NoInstallationError: Cannot find Apache executable apache2ctl
2021-10-17 15:52:01,232:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7ff4ea0718e0>
Prep: True
2021-10-17 15:52:01,234:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7ff4ea0718e0> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7ff4ea0718e0>
2021-10-17 15:52:01,234:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2021-10-17 15:52:01,292:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/129110484', new_authzr_uri=None, terms_of_service=None), d4c5a1b06bc337e30cfbe3a20470369a, Meta(creation_dt=datetime.datetime(2021, 7, 2, 20, 56, 7, tzinfo=<UTC>), creation_host='amaximq.example.com', register_to_eff=None))>
2021-10-17 15:52:01,294:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-10-17 15:52:01,296:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-10-17 15:52:01,849:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-10-17 15:52:01,850:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 17 Oct 2021 12:52:01 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "Saq_7V1S7tI": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-10-17 15:52:01,856:DEBUG:certbot.util:Not suggesting name "_"
Traceback (most recent call last):
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/util.py", line 305, in get_filtered_names
    filtered_names.add(enforce_le_validity(name))
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/util.py", line 489, in enforce_le_validity
    raise errors.ConfigurationError(
certbot.errors.ConfigurationError: _ contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.
2021-10-17 15:52:01,859:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1514/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/main.py", line 1282, in run
    domains, certname = _find_domains_or_certname(config, installer)
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/main.py", line 463, in _find_domains_or_certname
    domains = display_ops.choose_names(installer, question)
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/display/ops.py", line 120, in choose_names
    return _choose_names_manually()
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/display/ops.py", line 187, in _choose_names_manually
    code, input_ = display_util.input_text(
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/display/util.py", line 124, in input_text
    return obj.get_display().input(message, default=default, cli_flag=cli_flag,
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/display/obj.py", line 147, in input
    ans = util.input_with_timeout(message)
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/display/util.py", line 61, in input_with_timeout
    sys.stdout.flush()
BrokenPipeError: [Errno 32] Broken pipe
2021-10-17 15:52:01,866:ERROR:certbot._internal.log:An unexpected error occurred:
2021-10-17 15:52:01,866:ERROR:certbot._internal.log:BrokenPipeError: [Errno 32] Broken pipe

Site still gives the same error.

Your redirect is now fixed indeed.

However, the error showing now looks very different, to me at least. Not sure how or why that last error happens.

But in any case, you have issued a brand new certificate just now. You can see it here: crt.sh | universtat.ru

The only problem is: for some reason it isn't picked up by your nginx. Did you reload nginx? If not, please reload nginx and check your website again.


Thank you so much, you saved my day!

Can it happen again in the future? I heard a few weeks ago something about an incoming problem with certificates; I'm wondering if this is what I heard of.

If you don't know how that broken redirect came into existence in the first place: sure, if you don't know how or why something happened, you can't be sure it's permanently fixed.

Also remember that in 60 days' time, when your certificate renews again, you need to reload nginx again. Usually, one automates this by adding the reload command to a --deploy-hook. See User Guide — Certbot 2.7.0.dev0 documentation for more info about --deploy-hook. That said, I have no idea if that even works when using Docker and I don't have any experience with that.

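An added example, not code from the thread or from Certbot, that covers both failure modes the helper pointed out: a check that the HTTP redirect target still carries the registered domain (the dropped-TLD redirect), a check that the certificate nginx actually serves matches the one certbot just renewed (the "renewed but not reloaded" case), and a deploy-hook body that reloads the nginx container. The compose service name `nginx`, the compose file path and the probe path are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the thread. Service name "nginx" and the compose file
# path are assumptions; adjust them to your own docker-compose setup.
# Validate a Location header: the redirect must be https and point at the
# domain itself or its www. form. https://universtat/... fails (TLD dropped).
redirect_target_ok() {
  location="$1"; expected_host="$2"
  case "$location" in
    https://*) ;;
    *) return 1 ;;
  esac
  host="${location#https://}"
  host="${host%%/*}"   # drop the path
  host="${host%%:*}"   # drop an explicit port
  case "$host" in
    "$expected_host"|"www.$expected_host") return 0 ;;
    *) return 1 ;;
  esac
}

# Probe the HTTP listener the way the CA does and check where it redirects.
check_live_redirect() {
  domain="$1"
  location=$(curl -sI "http://$domain/.well-known/acme-challenge/probe" \
             | awk 'tolower($1) == "location:" { print $2 }' | tr -d '\r')
  redirect_target_ok "$location" "$domain"
}

# Compare the certificate nginx serves with the one certbot wrote to disk.
# A mismatch means the renewal succeeded but nginx was never reloaded.
served_cert_matches_disk() {
  domain="$1"; live_dir="$2"
  served=$(openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  disk=$(openssl x509 -in "$live_dir/fullchain.pem" -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$disk" ]
}

# Deploy hook body: certbot runs it only after a successful renewal. Register
# with:  certbot renew --deploy-hook "/path/to/this-script.sh reload"
# Assumes the hook runs where docker-compose can reach the nginx service.
reload_nginx_container() {
  docker-compose -f "${COMPOSE_FILE:-/opt/site/docker-compose.yml}" exec -T nginx nginx -s reload
}

case "${1:-}" in
  check-redirect) check_live_redirect "${2:?domain}" ;;
  check-served)   served_cert_matches_disk "${2:?domain}" "/etc/letsencrypt/live/$2" ;;
  reload)         reload_nginx_container ;;
esac
```

Run `check-redirect universtat.ru` before `certbot renew` and `check-served universtat.ru` after it; a non-zero exit from the second means the new certificate is on disk but nginx has not been reloaded.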
