Problem with expired cert

My domain is: inwtx.net

I ran this command: ./certbot-auto

It produced this output: said everything ok

My web server is (include version): Nginx version: nginx/1.6.2

The operating system my web server runs on is (include version): Linux 9.0

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site: no; PuTTY

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.37.2

I am getting an error saying that 1 of 3 certs is expired. Some are not able to get to my server (mail, I think). Here is a rundown, Thanks:

openssl x509 -in /etc/letsencrypt/live/inwtx.net-0001/fullchain.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:a0:45:cc:4c:20:9c:4a:58:bd:c2:ad:34:6a:c3:5c:f4:c9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Aug 23 15:13:24 2019 GMT
            Not After : Nov 21 15:13:24 2019 GMT

Checked here with error (see <=====):

https://www.checktls.com/TestReceiver

seconds test stage and result
[000.082] Connected to server
[000.238] <-- 220 mail.inwtx.net ESMTP Postfix (Debian/GNU)
[000.239] We are allowed to connect
[000.239] --> EHLO www6.CheckTLS.com
[000.319] <-- 250-mail.inwtx.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.320] We can use this server
[000.320] TLS is an option on this server
[000.320] --> STARTTLS
[000.401] <-- 220 2.0.0 Ready to start TLS
[000.401] STARTTLS command works on this server
[000.580] Connection converted to SSL
SSLVersion in use: TLSv1_2
Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
EXPIRED: Certificate 1 of 3 in chain: Cert VALIDATION ERROR(S): certificate has expired
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (mail.inwtx.net = inwtx.net | DNS:inwtx.net | DNS:mail.inwtx.net | DNS:www.inwtx.net)

Not Valid Before: Apr 22 12:59:50 2019 GMT <===============
Not Valid After: Jul 21 12:59:50 2019 GMT <===============

	subject= /CN=inwtx.net
	issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
	Certificate 2 of 3 in chain: Cert VALIDATED: ok

Not Valid Before: Mar 17 16:40:46 2016 GMT
Not Valid After: Mar 17 16:40:46 2021 GMT

	subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
	issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
	Certificate 3 of 3 in chain: Cert VALIDATED: ok

Not Valid Before: Sep 30 21:12:19 2000 GMT
Not Valid After: Sep 30 14:01:15 2021 GMT

	subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
	issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

Hi @ranch

Checking your domain, there are older certificates ( https://check-your-website.server-daten.de/?q=inwtx.net#ct-logs ):

Issuer                      not before  not after   Domain names                              LE-Duplicate     next LE
Let's Encrypt Authority X3  2019-08-23  2019-11-21  inwtx.net (1 entries)                     duplicate nr. 1
Let's Encrypt Authority X3  2019-07-21  2019-10-19  inwtx.net, www.inwtx.net (2 entries)
Let's Encrypt Authority X3  2019-05-20  2019-08-18  www.inwtx.net (1 entries)
Let's Encrypt Authority X3  2019-04-22  2019-07-21  inwtx.net, mail.inwtx.net, www.inwtx.net (3 entries)

But the certificate with three domain names isn't renewed.

Looks like your mailserver uses the wrong - expired - certificate.

Checking your subdomain, nothing is visible - https://check-your-website.server-daten.de/?q=mail.inwtx.net - no https subdomain, no mail port. And only the same - expired - certificate via CT-log.

Looks like you had a correct certificate. Then the renewal didn't work. Now it's expired.

What does the following say?

./certbot-auto certificates

Thanks for replying, I don’t know too much about certs. Here is what I think you are requesting:

root@inwtx~# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Invalid OCSP response status for /etc/letsencrypt/live/inwtx.net/cert.pem: OCSPResponseStatus.UNAUTHORIZED

Found the following certs:
  Certificate Name: inwtx.net-0001
    Domains: inwtx.net
    Expiry Date: 2019-11-21 15:13:24+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/inwtx.net-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/inwtx.net-0001/privkey.pem
  Certificate Name: inwtx.net
    Domains: inwtx.net mail.inwtx.net www.inwtx.net
    Expiry Date: 2019-07-21 12:59:50+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/inwtx.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/inwtx.net/privkey.pem
  Certificate Name: www.inwtx.net
    Domains: inwtx.net www.inwtx.net
    Expiry Date: 2019-10-19 12:45:00+00:00 (VALID: 56 days)
    Certificate Path: /etc/letsencrypt/live/www.inwtx.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.inwtx.net/privkey.pem


There you see the problem. There is no active certificate with three domain names.

So create a new certificate with the three domains inwtx.net mail.inwtx.net www.inwtx.net.

Then change your mail server, so this certificate is used.
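The two checks this advice hinges on, as an added example that is not part of the thread and not Certbot's or Postfix's own code: a POSIX shell script that asks a fullchain.pem whether it is unexpired (what certbot's VALID/EXPIRED column shows) and whether its subjectAltName actually lists every hostname the mail server answers for (what checktls' "Cert Hostname VERIFIED" line tests). The real files would be /etc/letsencrypt/live/inwtx.net/fullchain.pem and privkey.pem; so that the script runs offline it generates a throwaway self-signed certificate with the same three names (a constructed sample, not a Let's Encrypt certificate). The live_smtp_leaf function and the certbot/postconf commands in the trailing comment are the on-host steps and are not executed here; the authenticator flag for certbot (for example --nginx) is left to the reader's setup.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot/Postfix): confirm that
# a fullchain.pem is unexpired and carries every hostname the mail server
# answers for, the two things checktls complained about above.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SAMPLE="$WORK/fullchain.pem"

# Constructed sample: self-signed, valid one day, SANs taken from the thread.
# A config file is used instead of -addext so older OpenSSL releases work.
make_sample_cert() {
  cat >"$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = inwtx.net
[v3]
subjectAltName = DNS:inwtx.net,DNS:mail.inwtx.net,DNS:www.inwtx.net
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/privkey.pem" -out "$SAMPLE" \
    -config "$WORK/san.cnf" >/dev/null 2>&1
}

# 0 if the leaf certificate in $1 is still valid for at least $2 seconds
# (default 0, i.e. not expired right now).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 if the leaf certificate in $1 lists "DNS:$2" in its subjectAltName.
# Clients match the SAN list, not the CN, so a certificate for inwtx.net
# alone does not cover mail.inwtx.net even if both names share one IP.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx "DNS:$2"
}

# Print one line per check for $1 and the names that follow; return 1 if
# the file is expired or any name is missing.
report() {
  pem="$1"; shift
  rc=0
  if cert_valid_for "$pem" 0; then
    echo "OK       not expired: $pem"
  else
    echo "EXPIRED  $pem"; rc=1
  fi
  for name in "$@"; do
    if cert_covers_name "$pem" "$name"; then
      echo "OK       covers $name"
    else
      echo "MISSING  $name is not in the SAN list"; rc=1
    fi
  done
  return $rc
}

# Live check (needs network, not run here): the leaf the mail server really
# presents after STARTTLS on port 25, which is what checktls.com evaluates.
live_smtp_leaf() {
  openssl s_client -starttls smtp -connect "$1:25" -servername "$1" \
    </dev/null 2>/dev/null | openssl x509 -noout -subject -dates
}

make_sample_cert
report "$SAMPLE" inwtx.net mail.inwtx.net www.inwtx.net

# On the real host, the fix suggested in the thread would be (not run here):
#   ./certbot-auto certonly --cert-name inwtx.net \
#       -d inwtx.net -d mail.inwtx.net -d www.inwtx.net   # plus your authenticator flag
#   postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/inwtx.net/fullchain.pem'
#   postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/inwtx.net/privkey.pem'
#   systemctl reload postfix
#   report /etc/letsencrypt/live/inwtx.net/fullchain.pem inwtx.net mail.inwtx.net www.inwtx.net
#   live_smtp_leaf mail.inwtx.net
```

Running the script prints OK for all three names on the constructed sample; pointed at the expired /etc/letsencrypt/live/inwtx.net/fullchain.pem from the thread it would print EXPIRED, and pointed at the inwtx.net-0001 lineage it would print MISSING for mail.inwtx.net and www.inwtx.net, which is exactly why Postfix needs the three-name certificate and not the one-name one.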

Thanks, I'll do that. I guess I really only needed one cert for inwtx.net, since the www and mail are pointing to inwtx.net in the site's DNS record.

If the domain name mail.inwtx.net is used, you need a certificate with that domain name. Same with your www version. The ip address isn't relevant.

Thanks. I renewed and got a strange message concerning the mail.inwtx.net renew, but upon testing it with a program that was choking on the expired cert found that it is getting through now.

Thanks again for your help.

Now you have a new certificate:

Issuer                      not before  not after   Domain names                                          LE-Duplicate     next LE
Let's Encrypt Authority X3  2019-08-23  2019-11-21  inwtx.net, mail.inwtx.net, www.inwtx.net (3 entries)  duplicate nr. 1

But your port 443 and your mail ports are invisible, so it’s impossible to check if you use that certificate.