Old certificate which has not expired not working after renewal

I run Certbot and NGINX on Docker and I have a problem with the certificate after renewal.

My Android app is running with certificate (A), which will expire in 10 days. Certbot auto-renewed the certificate and got the new one (B), then I updated my app with the new one (submitted it to the store). While my app is waiting for store review, unfortunately the older version of my app cannot connect to the server with the old certificate (A), which has not expired yet. I cannot revert to the old certificate (A) on the server because the reviewer will reject my app for the reason that it cannot connect to the server with certificate (B).

P.S.: I tried a case where I replaced the certificate with a very old one (C) which had expired, and the result made me very confused: the app can connect to the server with certificate (C). I do not have much experience in this field.

What can I do in this case?
Thanks

1 Like

Hello @neonguyen, welcome to the Let's Encrypt community. :slightly_smiling_face:

The Android version is important in assisting.

Here is a reference on Long (default) and Short (alternate) Certificate Chains Explained, as Android has a chain of trust: the Let's Encrypt root certificate that is signed by the expired cross-sign from DST Root CA X3. So long chains are often needed for Android support.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

3 Likes

Thanks for your help @Bruce5051,
Here is the information:

My domain is: api.noahcommunications.com and chat.noahcommunications.com

I ran this command: I used this to initialise the certificate the first time: nginx-certbot/init-letsencrypt.sh at master · wmnnd/nginx-certbot · GitHub. After that I run the entrypoint in docker-compose to auto-renew the certificate when it is about to expire.

It produced this output: Certbot's folder includes: fullchain.pem, cert.pem, chain.pem, privkey.pem

My web server is (include version): Django 4.0

The operating system my web server runs on is (include version): amzn2-ami-hvm-2.0.20210813.1-x86_64-gp2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot version latest (docker)

3 Likes

Hi @neonguyen, and welcome to the LE community forum :slight_smile:

Can you show the exact error message?
Have you checked the time/clock on your client?
[if the time is behind the issued time of the certificate, then it should be considered "not yet valid" (and fail)]

3 Likes

Hi @rg305,

  1. The client (Android app) got the error: Failed to connect to api.noahcommunications.com/ip:443. (ECONNREFUSED)
  2. Yes, we run on the real devices so the time is correct.

I see a cert there that will expire in 4 days (cert "A", not yet cert "B").

Please describe:

3 Likes

Currently, NGINX is pointing to certificate A. The old app works fine, but it will expire in 4 days. Then my Android app needs to replace it with certificate B. The Google reviewer will reject the app because NGINX is pointing to certificate A. Then I have to change the NGINX config to certificate B (in the /etc/letsencrypt/live folder) for Google review. At that time, the old app cannot run with certificate A because NGINX is pointing to certificate B (B is renewed from A).

This is my problem now. I need to update the app with certificate B, but the old app still needs to run with certificate A until the app is approved by the Google reviewer.

I see you are now using the newer cert on your site.

I think you are not using certs the right way. The client app just relies on the CA Trusted Root store provided by the Android system. It should not have its own copy of the "leaf" cert used on your server.

Sometimes it is necessary to add a cert to the CA trusted store, but this is unusual. And it is not necessary with Let's Encrypt, as it has been included on Android for a long time.

If you are having comms problems to the server a forum for app development might help. If you think it is related to the certs please provide more details.

5 Likes
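To make the last answer concrete, here is an added Go example (not code from the thread, Certbot or NGINX) that builds a toy root CA, issues certificate A and its renewal B, and compares a client that validates against the trusted root with an app that ships an exact copy of leaf A. The hostname and CA name are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a 90-day certificate: a self-signed root CA when parent is nil, else a server leaf signed by parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil { // root CA: may sign certificates and signs itself
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // TLS server leaf: hostname in SAN, serverAuth EKU (what a CA issues at every renewal)
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trustedByRoot validates leaf as a platform trust store does: chain to a trusted root, hostname match, validity at time at.
func trustedByRoot(leaf, root *x509.Certificate, host string, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err == nil
}

// Scenario models the thread: cert A expires in 10 days, cert B is its renewal from the same CA. It reports whether
// a root-trusting client accepts A now, B now and A after expiry, and whether an app pinned to the exact bytes of A accepts B.
func Scenario() (rootAcceptsA, rootAcceptsB, rootAcceptsExpiredA, pinAcceptsB bool) {
	const host = "api.example.test" // constructed hostname, not the thread's domain
	now := time.Now()
	root, rootKey := issue("Toy Root CA", nil, nil, now.Add(-30*24*time.Hour))
	certA, _ := issue(host, root, rootKey, now.Add(-80*24*time.Hour)) // valid for ~10 more days
	certB, _ := issue(host, root, rootKey, now)                        // the renewed certificate
	return trustedByRoot(certA, root, host, now), trustedByRoot(certB, root, host, now),
		trustedByRoot(certA, root, host, now.Add(11*24*time.Hour)), bytes.Equal(certA.Raw, certB.Raw)
}
```

A client that trusts the root accepts both A and B and rejects A once it has expired, while an app that carries a copy of A can never accept B, which is why a renewed leaf breaks it.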