OpenSSL reports certificate has expired while certbot shows certificate valid

Hello.

My domain is: vimaorthodoxias.gr

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I’ve been using Let’s Encrypt a couple of years now and never had this problem before.
The website above is under Cloudflare with Full(strict) mode for SSL certificate.

Last night Cloudflare threw an SSL 526 error so we switched to Full mode.

I checked the server using:
certbot certificates

and had:
Found the following certs:
Certificate Name: vimaorthodoxias.gr
Domains: vimaorthodoxias.gr www.vimaorthodoxias.gr
Expiry Date: 2018-07-17 09:29:32+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/vimaorthodoxias.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vimaorthodoxias.gr/privkey.pem

which seems like a valid, NOT expired certificate until July 17.

Checking via openssl command:
openssl s_client -connect here.is.my.server_ip -servername vimaorthodoxias.gr -tls1

which produced the below:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = vimaorthodoxias.gr
verify error:num=10:certificate has expired
notAfter=May 17 22:41:43 2018 GMT
verify return:1
depth=0 CN = vimaorthodoxias.gr
notAfter=May 17 22:41:43 2018 GMT
verify return:1

The above seems to indicate that the certificate has expired

so I tried to renew running:
certbot renew
this responded that: Cert not yet due for renewal

and I forced the update: certbot renew --force-renew.

Although certbot reports that the certificate is valid for the next 90 days,
running:
openssl s_client -connect here.is.my.server_ip -servername vimaorthodoxias.gr -tls1
still responds with the same message as above. Verify return code: 10 (certificate has expired)

Please advise.

Kind regards

Please show the renewal conf file:
/etc/letsencrypt/renewal/vimaorthodoxias.gr.conf (or something like that)
certbot certificates

Also maybe:

needs to be:
here.is.my.server_ip:443

1 Like

Hi @minamoto,

Are you running this openssl command directly on your own server? When I run it from elsewhere, I see the CloudFlare service with the valid multi-domain Comodo certificate (not your service with the expired certificate).

Perhaps your Let’s Encrypt certificate has been renewed on your server but without restarting or reloading the web server that’s using it? What web server are you using, and what certificate file is it pointed at?

Answering @rg305’s question about renewal configuration files would reveal whether Certbot is going to attempt to reload your web server for you after a certificate renewal or not.

1 Like

Hi @rg305, @schoen

Thanks for your responses.

cat /etc/letsencrypt/renewal/vimaorthodoxias.gr.conf

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/vimaorthodoxias.gr
cert = /etc/letsencrypt/live/vimaorthodoxias.gr/cert.pem
privkey = /etc/letsencrypt/live/vimaorthodoxias.gr/privkey.pem
chain = /etc/letsencrypt/live/vimaorthodoxias.gr/chain.pem
fullchain = /etc/letsencrypt/live/vimaorthodoxias.gr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 63baac12b6d5b1040720f0b41cde412b
[[webroot_map]]
vimaorthodoxias.gr = /home/vimaorth/public
www.vimaorthodoxias.gr = /home/vimaorth/public

Sorry, it was here.is.my.server_ip:443, I just missed that when I changed the IP.

Yes directly from my server.
It is showing that now because of 526 error.
We didn't want the website down so we switched to shared signed certificate provided by Cloudflare.

Kind Regards

This means that you probably got the certificate using certbot --webroot or certbot certonly --webroot. In this method, you would have had to manually edit your web server configuration to point it at the certificate (hopefully the auto-updated version in /etc/letsencrypt/live and not the non-auto-updated version in /etc/letsencrypt/archive). With this configuration, certbot doesn't know what your web server is and won't automatically reload it after a renewal. You would typically have to reload the web server after renewals in order for it to become aware of new certificates; otherwise, the web server would continue to serve the expired certificate.

There are various ways to automate the reloading if you'd like.

2 Likes

@rg305, the original post above already includes that output, and it looks OK!

Agreed, the server probably never reloaded/restarted.

1 Like

Yes when installed I used the manual method.
The nginx conf for that website points to three locations of the keys:

ssl_certificate /etc/letsencrypt/live/vimaorthodoxias.gr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vimaorthodoxias.gr/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/vimaorthodoxias.gr/fullchain.pem;

So you mean I should run service nginx reload or reboot the whole server?

I never had an issue before.

Kind regards

service nginx reload is sufficient. Maybe on other occasions you happened to have a reload happen before the certificate expiry for other reasons, for example because of software updates that perform this action as a side effect?

1 Like

Sure I do updates every 1st and 15th for all my servers.
Maybe that's why I have noticed that.
After service nginx reload openSSL reports a valid certificate and Cloudflare seems to work with my certificate.

May I ask how to automate reload process?

Great, I'm glad it worked!

Sure, you can add the option

--post-hook "service nginx reload"

to your certonly command for some future manual renewal. This option should then be saved and be used automatically for automated renewals via certbot renew (which hopefully is already being run from crontab on your system).

Or, you can simply edit the /etc/letsencrypt/renewal/vimaorthodoxias.gr.conf file yourself. In the [renewalparams] section, you can add a line that says

post_hook = service nginx reload

In that case, this section would look something like this:

# Options used in the renewal process
[renewalparams]
post_hook = service nginx reload
authenticator = webroot
installer = None
account = 63baac12b6d5b1040720f0b41cde412b

1 Like
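
Added example (not part of the original thread and not Certbot's or nginx's own code): a check that compares the leaf certificate in fullchain.pem with the one the web server actually presents, which is the mismatch this thread diagnoses. The function names are hypothetical, and the certificates in demo() are constructed byte strings, not real X.509 data.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a fullchain.pem-style bundle.
    The leaf comes first; the intermediates that follow are ignored."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(addr, sni, port=443, timeout=5.0):
    """SHA-256 of the leaf the server at addr presents for the SNI name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    # Validation is off on purpose: this only compares bytes, and an
    # expired certificate must still be retrievable to be compared.
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()

def needs_reload(disk_pem, served_fp):
    """True when the server is presenting a different leaf than the one on disk."""
    return leaf_fingerprint(disk_pem) != served_fp

def demo():
    # Constructed stand-ins for certificate bytes (assumption: not real DER).
    old = b"constructed: leaf the web server loaded at startup"
    new = b"constructed: leaf written to disk by the renewal"
    chain = (ssl.DER_cert_to_PEM_cert(new)
             + ssl.DER_cert_to_PEM_cert(b"constructed: intermediate"))
    stale = needs_reload(chain, hashlib.sha256(old).hexdigest())
    fresh = needs_reload(chain, hashlib.sha256(new).hexdigest())
    return stale, fresh

if __name__ == "__main__":
    addr, sni, path = sys.argv[1:4]
    with open(path) as fh:
        stale = needs_reload(fh.read(), served_fingerprint(addr, sni))
    print("STALE: reload the web server" if stale else "OK: served leaf matches disk")
    sys.exit(1 if stale else 0)
```

Run on the origin server, it takes the server address, the SNI name and the path to fullchain.pem as arguments; a non-zero exit status means the running server has not picked up the renewed certificate.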

Wow that's awesome, I was thinking about cron jobs etc, but that's dead simple!

Thank you very much both for your time and help.

Kind Regards

Sure thing, and good idea to ask for the vimaorthodoxias.gr.conf file contents, @rg305!

1 Like
