One domain with 2 Certs and one is expired?

Hello, I ran the SSL Server Test on mos.meritlogistics.com (powered by Qualys SSL Labs) and it's showing the domain has 2 certs and one expired today. Can you please let me know how to troubleshoot this? Thank you in advance for your help!

My domain is: mos.meritlogistics.com

I ran this command:

It produced this output:

My web server is (include version):
IIS behind Haproxy 2.4.10
The operating system my web server runs on is (include version):
Windows Server 2012
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

1 Like

Hi @andyn, and welcome to the LE community forum

HAproxy can obtain certs for any name it handles.
IIS may also need to use a certificate for the name(s) it handles...
It is a bit difficult (if not impossible) to have both systems request a cert for the same FQDN via HTTP.
That said, HTTP is not the only validation method available.
One could use HTTP authentication and the other may be able to use DNS authentication.

2 Likes

OR maybe I'm on the wrong track...
If so, what is the name that is failing?
When did it start failing?
What changes have been made that could affect that in the past 90 days?

2 Likes

This is what I am seeing for the certificate being served

$ openssl s_client -showcerts -servername mos.meritlogistics.com -connect mos.meritlogistics.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mos.meritlogistics.com
verify return:1
---
Certificate chain
 0 s:CN = mos.meritlogistics.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 07:02:31 2022 GMT; NotAfter: Mar 13 07:02:30 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = mos.meritlogistics.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4716 bytes and written 450 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 76C948B9864E45C9A0378EA60C76D48EF808E86F5854B97B89800BB5D4B780DA
    Session-ID-ctx:
    Master-Key: 5877A550E239F6103510C2522CBFA89250A5F206076BE7B2C772C7A0A8D0B6C85C3E009F3FC704DE73EEC0DECD69A448
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1673559593
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
DONE

I am terminating SSL at Haproxy. It has been working great for the last few years, but some of our users are not able to access the site today due to an expired certificate, while others can.

Users on the Internet [or on the LAN side]?

2 Likes

Sorry, users on the Internet.

1 Like

hmm...
Maybe there are some orphaned workers still using the old cert.
Try rebooting the TLS termination point [HAProxy system].

2 Likes
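
The stale-worker hypothesis above can be checked by repeating the handshake and comparing the leaf certificate returned each time. The following is an added example, not part of the original thread: it parses the `v:` validity line of chain entry 0 from saved `openssl s_client -showcerts` output. The function names are hypothetical, `FRESH` is abridged from the output posted above, and `STALE` is constructed with invented dates.

```python
import re
from datetime import datetime, timezone

# Validity line of chain entry 0 (the leaf) in `openssl s_client -showcerts` output.
LEAF = re.compile(r"^ 0 s:.*?v:NotBefore: (.+?) GMT; NotAfter: (.+?) GMT", re.S | re.M)
FMT = "%b %d %H:%M:%S %Y"

def leaf_validity(s_client_output):
    """Return (not_before, not_after) of the leaf certificate as UTC datetimes."""
    m = LEAF.search(s_client_output)
    if m is None:
        raise ValueError("no validity line found for chain entry 0")
    return tuple(datetime.strptime(g, FMT).replace(tzinfo=timezone.utc)
                 for g in m.groups())

def audit(samples, now):
    """Group repeated handshakes by leaf validity window and flag expired ones.

    Assumption: the validity window identifies a certificate well enough here,
    since each renewal gets a new NotBefore; a fingerprint would be stronger.
    More than one key in the result means different leaves are being served.
    """
    seen = {}
    for out in samples:
        window = leaf_validity(out)
        entry = seen.setdefault(window, {"count": 0, "expired": now > window[1]})
        entry["count"] += 1
    return seen

# Abridged from the output posted in this thread.
FRESH = """Certificate chain
 0 s:CN = mos.meritlogistics.com
   i:C = US, O = Let's Encrypt, CN = R3
   v:NotBefore: Dec 13 07:02:31 2022 GMT; NotAfter: Mar 13 07:02:30 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
"""
# Constructed: an older leaf, as a worker that never reloaded might still serve.
STALE = (FRESH.replace("Dec 13 07:02:31 2022", "Oct 14 07:00:00 2022")
              .replace("Mar 13 07:02:30 2023", "Jan 12 07:00:00 2023"))
# "Start Time" value from the s_client output posted above.
NOW = datetime.fromtimestamp(1673559593, tz=timezone.utc)

if __name__ == "__main__":
    for (nb, na), info in audit([FRESH, STALE, FRESH], NOW).items():
        state = "EXPIRED" if info["expired"] else "valid"
        print(f"{info['count']} handshake(s): {nb:%Y-%m-%d} to {na:%Y-%m-%d} {state}")
```

In practice the samples would be the saved output of several consecutive `openssl s_client` runs against the same endpoint.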

On Windows 10 I got one expired and one nonexpired certificate

Firefox 108.0.2 (64-bit) I got this expired certificate

Chrome Version 109.0.5414.75 (Official Build) (64-bit) I got this nonexpired certificate

1 Like

I guess the best I can say at this point is configure your Web Server to only serve one Certificate (and chain) instead of two; make sure it is the nonexpired Certificate.

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

1 Like

The backend servers are not configured with cert. TLS termination is done at Haproxy. I will try to restart haproxy shortly. Thanks for the quick response! Much appreciated!

2 Likes

A restart is a good idea. You have odd behavior in redirects as well. I doubt you intend it to work like this:

curl -IkL http://mos.meritlogistics.com
HTTP/1.1 301 Moved Permanently
location: https://mos.meritlogistics.com/

HTTP/2 301
location: http://mos.meritlogistics.com/app

HTTP/1.1 301 Moved Permanently
location: https://mos.meritlogistics.com/app

HTTP/2 301
location: http://mos.meritlogistics.com/app/

HTTP/1.1 301 Moved Permanently
location: https://mos.meritlogistics.com/app/

HTTP/2 200
content-length: 42122
server: mos.meritlogistics.com

3 Likes