Peer’s Certificate has expired


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://ytc1-cloud.dyndns.org

I ran this command: https://ytc1-cloud.dyndns.org:643/netxcloud

It produced this output:
ytc1-cloud.dyndns.org:643 uses an invalid security certificate. The certificate expired on 10 February 2019, 19:37:26 GMT. The current time is 16 February 2019, 12:41.

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Solaris 11.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I use acme.sh
I have run a forced update
But Mozilla insists it is an issue and will not override; Safari allowed me to bypass.


#2

You had issued a cert today: https://crt.sh/?id=1208113562 but it still uses the old cert. Did you reload Apache after installing the new cert?


#3

You also need to change it to serve the fullchain.pem file (instead of the cert.pem file).
The intermediate chain cert is missing from the connection. :frowning:


#4

I rebooted the server, so yes


#5

OK, I will need some guidance here; Apache is not really my bag and I can’t see where the cert.pem is being pointed at?

In fact I can’t see it in /etc/apache2/2.4 or /var/www, or /etc/certs


#6

Hi @YTC1

there are two different certificates:

Your port 443 ( https://check-your-website.server-daten.de/?q=ytc1-cloud.dyndns.org ):

CN=ytc1.dyndns.org, O=YTC Systems Limited, S=Merseyside, C=UK | 16.10.2018 | 16.10.2019 | expires in 242 days

has a self signed certificate.

But your port 643 ( https://check-your-website.server-daten.de/?q=ytc1-cloud.dyndns.org%3A643 ):

CN=ytc1-cloud.dyndns.org | 12.11.2018 | 10.02.2019 | 6 days expired | ytc1-cloud.dyndns.org - 1 entry

has a Letsencrypt certificate. And redirects

| Domainname | Http-Status | redirect | Sec. | G | |
|---|---|---|---|---|---|
| http://ytc1-cloud.dyndns.org:643/ (82.44.27.24) | 400 | | 0.110 | M | Bad Request |
| https://ytc1-cloud.dyndns.org:643/ (82.44.27.24) | 302 | https://ytc1-cloud.dyndns.org/nextcloud/ | 1.780 | N | Certificate error: RemoteCertificateChainErrors |
| https://ytc1-cloud.dyndns.org/nextcloud/ | 404 | | 1.530 | N | Not Found. Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors |
| http://ytc1-cloud.dyndns.org:643/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (82.44.27.24) | 400 | | 0.110 | M | Bad Request |

to your port 443. So why is port 643 required?

And there are different server headers:

Server: Apache/2.4.34 (Unix) PHP/5.6.38 OpenSSL/1.0.2p

Server: Apache


#7

Port 443 is my SGD (Secure Global Desktop) connection, ytc1.dyndns.org. This is self signed as I still have issues getting it to work with Let's Encrypt.

Port 643 is my Nextcloud server, ytc1-cloud.dyndns.org

What have I not configured? It was working until this week


#8

Aha!
Fixed it.

acme.sh is writing to /etc/apache2/2.4/ytc1-cloud.dyndns.org

But Apache is checking for the cert in
/var/www/cert/ytc1-cloud.dyndns.org

I just had to copy the cert over and it worked again :slightly_smiling_face:

When I come back in 3 months with the same error, kick me for not sorting out my acme script :slight_smile:


#9

Maybe you can directly update the location where it looks for them…
Or use symlinks in that location to their updated location.

where:
/var/www/cert/ytc1-cloud.dyndns.org
points to
/etc/apache2/2.4/ytc1-cloud.dyndns.org
[which may also be pointing to somewhere else]
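
Added example (not part of any post in this thread, and not acme.sh's own code): a POSIX shell check for the failure found in #8, where the renewed certificate and the file Apache reads had drifted apart, which also flags the missing chain from #3. The function names, status words, the 14-day threshold and the file names in the usage comment are assumptions; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: compare the certificate the ACME client last wrote with the
# copy the web server actually reads. Function names are hypothetical.

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_deployed ISSUED DEPLOYED [MIN_DAYS]
# Prints one status word and returns:
#   0 ok         same leaf, valid for MIN_DAYS more days, chain present
#   1 stale      deployed leaf differs from the issued one (the case in #8)
#   2 expiring   deployed leaf expires within MIN_DAYS (default 14, assumed)
#   3 unreadable a file is missing or is not a PEM certificate
#   4 nochain    deployed file holds only the leaf (the case in #3)
check_deployed() {
    issued=$1
    deployed=$2
    min_days=${3:-14}
    fp_issued=$(cert_fp "$issued")
    fp_deployed=$(cert_fp "$deployed")
    if [ -z "$fp_issued" ] || [ -z "$fp_deployed" ]; then
        echo unreadable; return 3
    fi
    if [ "$fp_issued" != "$fp_deployed" ]; then
        echo stale; return 1
    fi
    if ! openssl x509 -in "$deployed" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo expiring; return 2
    fi
    # A full-chain file carries the leaf plus at least one intermediate.
    if [ "$(grep -c 'BEGIN CERTIFICATE' "$deployed")" -lt 2 ]; then
        echo nochain; return 4
    fi
    echo ok
}

# Usage (file names assumed; the directories are the two named in #8):
#   check_deployed /etc/apache2/2.4/ytc1-cloud.dyndns.org/fullchain.pem \
#                  /var/www/cert/ytc1-cloud.dyndns.org/fullchain.pem
if [ "$#" -ge 2 ]; then
    check_deployed "$@"
fi
```

Run from cron after each renewal, a non-zero exit flags the copy step that was missed here. Status 4 is expected if the chain is configured separately with `SSLCertificateChainFile`.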

