R3 cert has expired

joeg1484 · November 1, 2022, 1:52pm

For some reason, I am getting errors from various clients that my R3 cert has expired...

This certificate belongs to:
joeman1.com

This certificate was issued by:
R3
Let's Encrypt
US

This certificate is valid
from Aug 2 20:19:41 2022 GMT
to Oct 31 20:19:40 2022 GMT

But when I go to renew, I get this:

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/joeman1.com/fullchain.pem expires on 2022-12-30 (skipped)
No renewals were attempted.

My domain is: joeman1.com

I ran this command: certbot renew

It produced this output:

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/joeman1.com/fullchain.pem expires on 2022-12-30 (skipped)
No renewals were attempted.

My web server is (include version): Apache, Postfix
Apache - 2.4.37-47
Postfix - 3.5.8-4

The operating system my web server runs on is (include version): Rocky 8.6

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.31.0

Thanks for and advice on how to fix.

Joe

orangepizza · November 1, 2022, 1:56pm

looks like I am firewalled off, but ssllabs result says there would be no proble to connecting it?
https://www.ssllabs.com/ssltest/analyze.html?d=joeman1.com

and keep mind your message said the cert expired is 'issued by' R3, not R3 itself was expired.

maybe you didn't update postfix's cert? try restart the postfix (and kill old processes?)

joeg1484 · November 1, 2022, 2:05pm

Thanks for the reply!

Firewall is open for all ports (80,443,993,587,25,465).

I can get to web and mail from external, just get the cert error from iPhone, and Thunderbird.

Joe

orangepizza · November 1, 2022, 2:14pm

your dovecot sending old certificate, should hook include a commned to update it

joeg1484 · November 1, 2022, 2:24pm

my 10-ssl.conf is pointing to the same cert as my postfix/apache

10-ssl.conf:ssl_cert = </etc/letsencrypt/live/joeman1.com/fullchain.pem
10-ssl.conf:ssl_key = </etc/letsencrypt/live/joeman1.com/privkey.pem

Which is a link to

[root@wolfserver conf.d]# ls -la /etc/letsencrypt/live/joeman1.com/fullchain.pem
lrwxrwxrwx 1 root root 41 Oct  1 18:18 /etc/letsencrypt/live/joeman1.com/fullchain.pem -> ../../archive/joeman1.com/fullchain13.pem
[root@wolfserver conf.d]# ls -la /etc/letsencrypt/live/joeman1.com/privkey.pem
lrwxrwxrwx 1 root root 39 Oct  1 18:18 /etc/letsencrypt/live/joeman1.com/privkey.pem -> ../../archive/joeman1.com/privkey13.pem

Nothing has changed in 4 years - except the expire notice on the R3 cert.

Is there a ca-certificate that I need to update for R3?

Thanks!
Joe

joeg1484 · November 1, 2022, 2:26pm

Ok, this is weird... I just rebooted server and its working... no error with R3 cert now.

Is there some trigger that required a reboot for cert updated that I need to be aware of? I admit im not 100% familiar with SSL certs .

Thanks!
Joe

orangepizza · November 1, 2022, 2:31pm

you rebooting restarted the dovecot, file in config is now new certificate and loaded new one,

joeg1484 · November 1, 2022, 2:34pm

Ahh ok gotcha... So... Do I have to remember to reboot when certs update? I never got a notification that this cert was expiring end of Oct 2022. I would have made provisions to reboot/restart services if this was an issue.

In the past, when I run the certbot update, I usually restart apache/postfix but have never bothered with dovecot - I will remember this in the future, but again, I never got an e-mail about the R3 expire.

Thanks!
Joe

orangepizza · November 1, 2022, 2:42pm

Certbot renew a certificate a month before it actually expires, and it succeeded, so you don't get reminder and only have problem just today. it can't tell what other services are using it other then webserver it used to do the challange. it doesn't know about postfix or dovecot or rsync deploy to other thing etc.

joeg1484 · November 1, 2022, 2:46pm

OK understand... Ill keep a better eye on things then.

Thanks so much for your help!
Joe

bruncsak · November 1, 2022, 2:50pm

For the dovecot service it is enough to execute the systemctl reload dovecot command for the service to start using the new certificate. That must be done at the post renewal hook of certbot. Rebooting the server is an overkill. You may want to avoid the M$ style hammer approche to fix your services.

system · December 1, 2022, 2:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
R3 intermediate certificate has expired, how to renew it with cert-bot renew Help	10	7216	November 2, 2021
Expired R3 connected to DNS challenge? Help	8	825	October 30, 2021
R3 certificate expired Help	10	1155	October 31, 2021
Certbot renew says: Cert not yet due for renewal. Firefox says:cert expired Server	3	2177	August 9, 2018
Why am I not yet due for renewal - yet it's expired? Help	9	1760	March 27, 2021

R3 cert has expired

Related topics