My Mail Agent says Certificate expired but certbot says it is good

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: theoceanwindow.come

I ran this command: Certbot renew

It produced this output:

Processing /usr/local/etc/letsencrypt/renewal/kasdivi.com.conf


Cert not yet due for renewal


Processing /usr/local/etc/letsencrypt/renewal/theoceanwindow.com-0001.conf


Cert not yet due for renewal


Processing /usr/local/etc/letsencrypt/renewal/theoceanwindow.com.conf


Cert not yet due for renewal

My web server is (include version) :Apache 24

The operating system my web server runs on is (include version):FreeBSD 12.1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.3.0

Hi @captcurrent

checking your domain via https://check-your-website.server-daten.de/?q=theoceanwindow.com - your certificate is good.

CN=theoceanwindow.com | 24.05.2020 | 22.08.2020 | expires in 75 days | kasdivi.com, theoceanwindow.com, wamalali.com, wandjbrewers.com - 4 entries

But it doesn't have the www version, so your www version is insecure. And the www version sends a certificate that's expired today:

CN=theoceanwindow.com | 10.03.2020 | 08.06.2020 | 0 days expired | kasdivi.com, theoceanwindow.com, wamalali.com, wandjbrewers.com - 4 entries

So create one certificate with all used domain names - non-www and www. May be the same with your other domain names, so you use one certificate with 8 domain names.

And you have some mixed content. Images via http instead of https. See the #Html-Content - part.

Sample:

http://banners.wunderground.com/weathersticker/sunandmoon/language/www/global/stations/78990.gif

Change these to https.

The problem I had was with a mail client … so I guess I have to do mail.theoceanwindow.com also??

Also, how do I make changes, delete the current certificates??

OK, I used Certbot to delete all certs … now starting again

My domain is: theoceanwindow.com

I ran this command: certbot --certficates

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /usr/local/etc/letsencrypt/renewal/theoceanwindow.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.


Found the following certs:
Certificate Name: kasdivi.com
Domains: kasdivi.com
Expiry Date: 2020-09-08 12:07:12+00:00 (VALID: 89 days)
Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem
Certificate Name: theoceanwindow.com-0001
Domains: theoceanwindow.com
Expiry Date: 2020-09-08 12:08:24+00:00 (VALID: 89 days)
Certificate Path: /usr/local/etc/letsencrypt/live/theoceanwindow.com-0001/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/theoceanwindow.com-0001/privkey.pem

The following renewal configurations were invalid:
/usr/local/etc/letsencrypt/renewal/theoceanwindow.com.conf

My web server is (include version):Apache24

The operating system my web server runs on is (include version):Freebsd 12.1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.3.0

I have messed up this whole Certbot thing. How do I remove and start over?

Did you edit that file? Could you show us its contents?

As I try to state. I think I have messed up the whole thing and want to "zero it out"

I now have three files under renewal

kasdivi.com.conf
theoceanwindow.com-0001.conf
theoceanwindow.com.conf

the first reads

renew_before_expiry = 30 days

version = 1.3.0

archive_dir = /usr/local/etc/letsencrypt/archive/kasdivi.com

cert = /usr/local/etc/letsencrypt/live/kasdivi.com/cert.pem

privkey = /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem

chain = /usr/local/etc/letsencrypt/live/kasdivi.com/chain.pem

fullchain = /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem

Options used in the renewal process

[renewalparams]

account = ab7601b5c6dd6709ddad453d581fb3d1

authenticator = webroot

server = https://acme-v02.api.letsencrypt.org/directory

I am trying to cover a number of virtual hosts on one physical server

You could delete all of the contents of /etc/letsencrypt but this is probably a very bad idea:

  • It will make your web server configuration invalid if it refers to any of the certificates

  • It risks hitting Let's Encrypt issuance rate limits

According to the error message you mentioned before, this file seems to have some kind of problem, and if we could see its contents, we could probably tell you something that would improve the situation without having to start over!

oceanwindow.com.conf. is completely empty

The renewal directory has the following files:

-rw-r--r-- 1 root wheel 588 Jun 11 13:26 kasdivi.com-0001.conf
-rw-r--r-- 1 root wheel 545 Jun 10 11:55 kasdivi.com.conf
-rw-r--r-- 1 root wheel 623 Jun 11 13:27 theoceanwindow.com-0001.conf
-rw-r--r-- 1 root wheel 0 Jun 9 10:17 theoceanwindow.com.conf
-rw-r--r-- 1 root wheel 583 Jun 11 12:56 www.kasdivi.com.conf
-rw-r--r-- 1 root wheel 618 Jun 11 12:57 www.theoceanwindow.com.conf

theoceanwindow.com-0001.conf reads

renew_before_expiry = 30 days

version = 1.3.0

archive_dir = /usr/local/etc/letsencrypt/archive/theoceanwindow.com-0001

cert = /usr/local/etc/letsencrypt/live/theoceanwindow.com-0001/cert.pem

privkey = /usr/local/etc/letsencrypt/live/theoceanwindow.com-0001/privkey.pem

chain = /usr/local/etc/letsencrypt/live/theoceanwindow.com-0001/chain.pem

fullchain = /usr/local/etc/letsencrypt/live/theoceanwindow.com-0001/fullchain.pem

Options used in the renewal process

[renewalparams]

account = ab7601b5c6dd6709ddad453d581fb3d1

authenticator = apache

installer = apache

server = https://acme-v02.api.letsencrypt.org/directory

Checking certificates gets me the following response

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /usr/local/etc/letsencrypt/renewal/theoceanwindow.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.


Found the following certs:
Certificate Name: kasdivi.com-0001
Domains: kasdivi.com
Expiry Date: 2020-09-09 16:22:48+00:00 (VALID: 88 days)
Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0001/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0001/privkey.pem
Certificate Name: kasdivi.com
Domains: theoceanwindow.com kasdivi.com wandjbrewers.com www.kasdivi.com www.theoceanwindow.com www.wandjbrewers.com
Expiry Date: 2020-09-08 14:51:24+00:00 (VALID: 86 days)
Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem
Certificate Name: theoceanwindow.com-0001
Domains: theoceanwindow.com
Expiry Date: 2020-09-09 16:23:29+00:00 (VALID: 88 days)
Certificate Path: /usr/local/etc/letsencrypt/live/theoceanwindow.com-0001/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/theoceanwindow.com-0001/privkey.pem
Certificate Name: www.kasdivi.com
Domains: www.kasdivi.com
Expiry Date: 2020-09-09 15:53:06+00:00 (VALID: 88 days)
Certificate Path: /usr/local/etc/letsencrypt/live/www.kasdivi.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/www.kasdivi.com/privkey.pem
Certificate Name: www.theoceanwindow.com
Domains: www.theoceanwindow.com
Expiry Date: 2020-09-09 15:54:00+00:00 (VALID: 88 days)
Certificate Path: /usr/local/etc/letsencrypt/live/www.theoceanwindow.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/www.theoceanwindow.com/privkey.pem

The following renewal configurations were invalid:
/usr/local/etc/letsencrypt/renewal/theoceanwindow.com.conf

I think I have things cross connected

OK, one thing you could do is

sudo cp /etc/letsencrypt/renewal/theoceanwindow.com-0001.conf /etc/letsencrypt/renewal/theoceanwindow.com.conf
sudo sed -i "s/-0001//g" /etc/letsencrypt/renewal/theoceanwindow.com.conf

This would give you a new copy of theoceanwindow.com.conf based on theoceanwindow.com-0001.conf, with the -0001s removed. This new copy might plausibly be correct for your existing certificate, and allow certbot renew to renew it properly.

does not work. I get a "sed: 1: "/usr/local/etc/letsencr ...": extra characters at the end of l command"

Did you retype that command instead of copying and pasting it? Is it possible that you substituted one character for another somehow?

I copied and pasted.

sudo sed -i “s/-0001//g” /usr/local/etc/letsencrypt/renewal/theoceanwindow.com.conf

and got the references error code

I apologize, I think FreeBSD sed doesn’t support the same options as GNU sed on Linux. I am too used to Linux and will sometimes suggest Linux solutions without thinking. :slightly_frowning_face:

sudo sed "s/-0001//g" /etc/letsencrypt/renewal/theoceanwindow.com.conf > /tmp/theoceanwindow.com.conf
sudo cp /tmp/theoceanwindow.com.conf /etc/letsencrypt/renewal/theoceanwindow.com.conf

(The sudo doesn’t apply to the > redirection, but it doesn’t need to in this case.)

Thanks Fixed that

I have the files in renewal.

-rw-r--r-- 1 root wheel 588 Jun 11 13:26 kasdivi.com-0001.conf
-rw-r--r-- 1 root wheel 545 Jun 10 11:55 kasdivi.com.conf
-rw-r--r-- 1 root wheel 623 Jun 11 13:27 theoceanwindow.com-0001.conf
-rw-r--r-- 1 root wheel 598 Jun 15 12:59 theoceanwindow.com.conf
-rw-r--r-- 1 root wheel 583 Jun 11 12:56 www.kasdivi.com.conf
-rw-r--r-- 1 root wheel 618 Jun 11 12:57 www.theoceanwindow.com.conf

I guess that is right .. ssl works for webpage and for IMAP so I am happy... thanks for your help

You ran something like certbot renew after making this change, right?

Glad to hear it!

Ahhh no, I didn't. In fact, when I do, I get the following error while the rest say they don't require renewal

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/local/lib/python3.7/site-packages/certbot/_internal/storage.py", line 466, in __init__
    self._check_symlinks()
  File "/usr/local/lib/python3.7/site-packages/certbot/_internal/storage.py", line 533, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /usr/local/etc/letsencrypt/live/theoceanwindow.com/cert.pem to be a symlink
Renewal configuration file /usr/local/etc/letsencrypt/renewal/theoceanwindow.com.conf is broken. Skipping.

What does the

-rw-r--r-- 1 root wheel 588 Jun 11 13:26 kasdivi.com-0001.conf
-rw-r--r-- 1 root wheel 623 Jun 11 13:27 theoceanwindow.com-0001.conf

come from..??

These get created if you run Certbot with a -d list of domains that partially overlaps with, but is not a strict superset of, a certificate that you already have.

Could you show the output of this command?

sudo ls -lR /etc/letsencrypt/{live,archive}

ahhh.

I have been working my way through with a number of virtual hosts

/usr/local/etc/letsencrypt/archive:
total 40
drwxr-xr-x 2 root wheel 512 Jun 10 11:55 kasdivi.com
drwxr-xr-x 2 root wheel 512 Jun 11 13:26 kasdivi.com-0001
drwxr-xr-x 2 root wheel 512 Jun 11 13:27 theoceanwindow.com-0001
drwxr-xr-x 2 root wheel 512 Jun 11 12:56 www.kasdivi.com
drwxr-xr-x 2 root wheel 512 Jun 11 12:57 www.theoceanwindow.com

/usr/local/etc/letsencrypt/archive/kasdivi.com:
total 64
-rw-r--r-- 1 root wheel 1903 Jun 10 09:10 cert1.pem
-rw-r--r-- 1 root wheel 2045 Jun 10 11:55 cert2.pem
-rw-r--r-- 1 root wheel 1647 Jun 10 09:10 chain1.pem
-rw-r--r-- 1 root wheel 1647 Jun 10 11:55 chain2.pem
-rw-r--r-- 1 root wheel 3550 Jun 10 09:10 fullchain1.pem
-rw-r--r-- 1 root wheel 3692 Jun 10 11:55 fullchain2.pem
-rw------- 1 root wheel 1704 Jun 10 09:10 privkey1.pem
-rw------- 1 root wheel 1704 Jun 10 11:55 privkey2.pem

/usr/local/etc/letsencrypt/archive/kasdivi.com-0001:
total 32
-rw-r--r-- 1 root wheel 1899 Jun 11 13:26 cert1.pem
-rw-r--r-- 1 root wheel 1647 Jun 11 13:26 chain1.pem
-rw-r--r-- 1 root wheel 3546 Jun 11 13:26 fullchain1.pem
-rw------- 1 root wheel 1708 Jun 11 13:26 privkey1.pem

/usr/local/etc/letsencrypt/archive/theoceanwindow.com-0001:
total 64
-rw-r--r-- 1 root wheel 1923 Jun 10 09:11 cert1.pem
-rw-r--r-- 1 root wheel 1915 Jun 11 13:27 cert2.pem
-rw-r--r-- 1 root wheel 1647 Jun 10 09:11 chain1.pem
-rw-r--r-- 1 root wheel 1647 Jun 11 13:27 chain2.pem
-rw-r--r-- 1 root wheel 3570 Jun 10 09:11 fullchain1.pem
-rw-r--r-- 1 root wheel 3562 Jun 11 13:27 fullchain2.pem
-rw------- 1 root wheel 1708 Jun 10 09:11 privkey1.pem
-rw------- 1 root wheel 1704 Jun 11 13:27 privkey2.pem

/usr/local/etc/letsencrypt/archive/www.kasdivi.com:
total 32
-rw-r--r-- 1 root wheel 1911 Jun 11 12:56 cert1.pem
-rw-r--r-- 1 root wheel 1647 Jun 11 12:56 chain1.pem
-rw-r--r-- 1 root wheel 3558 Jun 11 12:56 fullchain1.pem
-rw------- 1 root wheel 1704 Jun 11 12:56 privkey1.pem

/usr/local/etc/letsencrypt/archive/www.theoceanwindow.com:
total 32
-rw-r--r-- 1 root wheel 1931 Jun 11 12:57 cert1.pem
-rw-r--r-- 1 root wheel 1647 Jun 11 12:57 chain1.pem
-rw-r--r-- 1 root wheel 3578 Jun 11 12:57 fullchain1.pem
-rw------- 1 root wheel 1704 Jun 11 12:57 privkey1.pem

/usr/local/etc/letsencrypt/live:
total 48
-rw-r--r-- 1 root wheel 743 Jun 10 09:49 README
drwxr-xr-x 2 root wheel 512 Jun 10 11:55 kasdivi.com
drwxr-xr-x 2 root wheel 512 Jun 11 13:26 kasdivi.com-0001
drwxr-xr-x 2 root wheel 512 Jun 11 13:27 theoceanwindow.com-0001
drwxr-xr-x 2 root wheel 512 Jun 11 12:56 www.kasdivi.com
drwxr-xr-x 2 root wheel 512 Jun 11 12:57 www.theoceanwindow.com

/usr/local/etc/letsencrypt/live/kasdivi.com:
total 8
-rw-r--r-- 1 root wheel 692 Jun 10 09:10 README
lrwxr-xr-x 1 root wheel 35 Jun 10 11:55 cert.pem -> ../../archive/kasdivi.com/cert2.pem
lrwxr-xr-x 1 root wheel 36 Jun 10 11:55 chain.pem -> ../../archive/kasdivi.com/chain2.pem
lrwxr-xr-x 1 root wheel 40 Jun 10 11:55 fullchain.pem -> ../../archive/kasdivi.com/fullchain2.pem
lrwxr-xr-x 1 root wheel 38 Jun 10 11:55 privkey.pem -> ../../archive/kasdivi.com/privkey2.pem

/usr/local/etc/letsencrypt/live/kasdivi.com-0001:
total 8
-rw-r--r-- 1 root wheel 692 Jun 11 13:26 README
lrwxr-xr-x 1 root wheel 40 Jun 11 13:26 cert.pem -> ../../archive/kasdivi.com-0001/cert1.pem
lrwxr-xr-x 1 root wheel 41 Jun 11 13:26 chain.pem -> ../../archive/kasdivi.com-0001/chain1.pem
lrwxr-xr-x 1 root wheel 45 Jun 11 13:26 fullchain.pem -> ../../archive/kasdivi.com-0001/fullchain1.pem
lrwxr-xr-x 1 root wheel 43 Jun 11 13:26 privkey.pem -> ../../archive/kasdivi.com-0001/privkey1.pem

/usr/local/etc/letsencrypt/live/theoceanwindow.com-0001:
total 8
-rw-r--r-- 1 root wheel 692 Jun 10 09:11 README
lrwxr-xr-x 1 root wheel 47 Jun 11 13:27 cert.pem -> ../../archive/theoceanwindow.com-0001/cert2.pem
lrwxr-xr-x 1 root wheel 48 Jun 11 13:27 chain.pem -> ../../archive/theoceanwindow.com-0001/chain2.pem
lrwxr-xr-x 1 root wheel 52 Jun 11 13:27 fullchain.pem -> ../../archive/theoceanwindow.com-0001/fullchain2.pem
lrwxr-xr-x 1 root wheel 50 Jun 11 13:27 privkey.pem -> ../../archive/theoceanwindow.com-0001/privkey2.pem

/usr/local/etc/letsencrypt/live/www.kasdivi.com:
total 8
-rw-r--r-- 1 root wheel 692 Jun 11 12:56 README
lrwxr-xr-x 1 root wheel 39 Jun 11 12:56 cert.pem -> ../../archive/www.kasdivi.com/cert1.pem
lrwxr-xr-x 1 root wheel 40 Jun 11 12:56 chain.pem -> ../../archive/www.kasdivi.com/chain1.pem
lrwxr-xr-x 1 root wheel 44 Jun 11 12:56 fullchain.pem -> ../../archive/www.kasdivi.com/fullchain1.pem
lrwxr-xr-x 1 root wheel 42 Jun 11 12:56 privkey.pem -> ../../archive/www.kasdivi.com/privkey1.pem

/usr/local/etc/letsencrypt/live/www.theoceanwindow.com:
total 8
-rw-r--r-- 1 root wheel 692 Jun 11 12:57 README
lrwxr-xr-x 1 root wheel 46 Jun 11 12:57 cert.pem -> ../../archive/www.theoceanwindow.com/cert1.pem
lrwxr-xr-x 1 root wheel 47 Jun 11 12:57 chain.pem -> ../../archive/www.theoceanwindow.com/chain1.pem
lrwxr-xr-x 1 root wheel 51 Jun 11 12:57 fullchain.pem -> ../../archive/www.theoceanwindow.com/fullchain1.pem
lrwxr-xr-x 1 root wheel 49 Jun 11 12:57 privkey.pem -> ../../archive/www.theoceanwindow.com/privkey1.pem

Appreciate the time you are taking with me

Huh, so there’s no /usr/local/etc/letsencrypt/live/theoceanwindow.com at all? Did you rename this in the filesystem at some point?
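
An added example, not written by anyone in this thread, covering the two failures above: rewriting a renewal config without `sed -i` (FreeBSD sed takes the argument after `-i` as a backup extension, so the file path ended up parsed as the sed script), then checking that every path the config names is a symlink under live/ before running certbot renew. The name example.test, the temporary directory and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; example.test and every path under the temp dir are constructed.

# strip_suffix SRC DST SUFFIX: copy SRC to DST with SUFFIX removed. Avoids
# "sed -i", whose argument handling differs between GNU sed and FreeBSD sed.
strip_suffix() {
    # Temp file beside DST so the final mv is a rename on the same filesystem.
    tmp=$(mktemp "$(dirname "$2")/.conf.XXXXXX") || return 1
    sed "s/$3//g" "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$2"
}

# check_lineage CONF: report each cert/privkey/chain/fullchain entry that is
# missing or does not point at a symlink resolving to a file. Returns 1 if any.
check_lineage() {
    bad=0
    for key in cert privkey chain fullchain; do
        path=$(sed -n "s/^$key *= *//p" "$1")
        if [ -z "$path" ]; then
            echo "$1: no $key entry"; bad=1
        elif [ ! -L "$path" ] || [ ! -e "$path" ]; then
            echo "$1: $path is not a usable symlink"; bad=1
        fi
    done
    return "$bad"
}

# make_fixture ROOT: constructed lineage "example.test-0001" laid out like
# certbot's renewal/, live/ and archive/ directories.
make_fixture() {
    name=example.test-0001
    mkdir -p "$1/renewal" "$1/live/$name" "$1/archive/$name"
    for f in cert privkey chain fullchain; do
        : > "$1/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$1/live/$name/$f.pem"
        echo "$f = $1/live/$name/$f.pem"
    done > "$1/renewal/$name.conf"
}

# Demo: the copied config names live/example.test/, which was never created,
# so the check fails the same way certbot's symlink check did in the thread.
root=$(mktemp -d)
make_fixture "$root"
strip_suffix "$root/renewal/example.test-0001.conf" "$root/renewal/example.test.conf" -0001
check_lineage "$root/renewal/example.test-0001.conf" && echo "original lineage: ok"
check_lineage "$root/renewal/example.test.conf" || echo "copied lineage: broken"
rm -rf "$root"
```
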