Renew cert combined

My domain is: nvbgm.nl and nvbgm1.nl

I ran this command: sudo certbot renew

After: sudo certbot certificates

Domains: nvbgm.nl nvbgm1.nl www.nvbgm.nl www.nvbgm1.nl
Expiry Date: 2023-11-14 12:47:22+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/nvbgm.nl/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nvbgm.nl/privkey.pem

So all did well (I think)
But when I call URL nvbgm.nl there is no new cert.
When I call nvbgm1.nl there is.

Both URLs point to the same website

I see certificates issued on August 16th. (I'd say the same one)

$ echo ""| openssl s_client -connect nvbgm.nl:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = nvbgm.nl
verify return:1
---
Certificate chain
 0 s:CN = nvbgm.nl
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 16 12:47:23 2023 GMT; NotAfter: Nov 14 12:47:22 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEOzCCAyOgAwIBAgISAx/gm7IkvEB
$ echo ""| openssl s_client -connect nvbgm1.nl:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = nvbgm.nl
verify return:1
---
Certificate chain
 0 s:CN = nvbgm.nl
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 16 12:47:23 2023 GMT; NotAfter: Nov 14 12:47:22 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEOzCCAyOgAwIBAgISAx/gm7Ik
4 Likes

OK, but why the difference between both URLs?

On nvbgm.nl
image

On nvbgm1.nl
image

Difference in expiry date??

The default certbot action is to renew certs when they have less than 1/3 life left.
Certs are issued for 90 days.
So that means at/after 60 days of use | 30 days [or less] left of use.
The cert shown has 79 days left of use.
It should not need to be renewed for another 49 days.
So, today... "sudo certbot renew" will check that cert life and do nothing.
You should be able to see that detail in the log file.
[/var/log/letsencrypt/letsencrypt.log]

3 Likes
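
The two checks made in the posts above, as an added example that is not code from any participant in this thread: it reads the leaf entry of `openssl s_client` chain output, confirms both hostnames were served the same certificate, and applies the 30-days-before-expiry rule. The sample text is copied from the output quoted earlier; the "now" timestamp and all function names are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Leaf-certificate lines as shown in the thread's s_client output; both
# hostnames returned the same text, so the sample reuses it for each name.
LEAF_LINES = (
    " 0 s:CN = nvbgm.nl\n"
    "   i:C = US, O = Let's Encrypt, CN = R3\n"
    "   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256\n"
    "   v:NotBefore: Aug 16 12:47:23 2023 GMT; NotAfter: Nov 14 12:47:22 2023 GMT\n"
)
SAMPLE = {"nvbgm.nl": LEAF_LINES, "nvbgm1.nl": LEAF_LINES}

# Chain entry 0 is the leaf: subject line, optional i:/a: lines, then validity.
LEAF = re.compile(
    r"^ 0 s:(?P<subject>.+)\n(?:   [ia]:.*\n)*"
    r"   v:NotBefore: (?P<nb>.+?) GMT; NotAfter: (?P<na>.+?) GMT", re.M)

def leaf_validity(s_client_output):
    """Return (subject, not_before, not_after) for chain entry 0."""
    m = LEAF.search(s_client_output)
    if m is None:
        raise ValueError("no leaf certificate block found")
    def parse(s):
        return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return m["subject"], parse(m["nb"]), parse(m["na"])

def same_leaf(outputs):
    """True when every hostname was served a leaf with equal subject and dates.
    A quick heuristic; the certificate serial number is the exact comparison."""
    return len({leaf_validity(o) for o in outputs.values()}) == 1

def renewal_status(not_after, now, renew_before=timedelta(days=30)):
    """Apply the 30-days-before-expiry rule described in the post above."""
    due = not_after - renew_before
    return {"days_left": (not_after - now).days,
            "renew_due": due,
            "would_renew": now >= due,
            "days_until_due": max((due - now).days, 0)}

if __name__ == "__main__":
    now = datetime(2023, 8, 26, 22, 8, tzinfo=timezone.utc)  # constructed "today"
    _, _, not_after = leaf_validity(SAMPLE["nvbgm.nl"])
    print(same_leaf(SAMPLE), renewal_status(not_after, now))
```
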

We would have to review the web server config to know why.

OR

We would have to view it from the same vantage point as you are.

3 Likes

From my perspective [from USA over Internet] all these requests return the exact same cert:
openssl s_client -connect 86.92.96.222:443 -servername nvbgm.nl
openssl s_client -connect 86.92.96.222:443 -servername nvbgm1.nl
openssl s_client -connect 86.92.96.222:443 -servername www.nvbgm.nl
openssl s_client -connect 86.92.96.222:443 -servername www.nvbgm1.nl

3 Likes

Yes, looks all OK in the log file, so I think I wait another 50 days
Thanks

I didn't know I had a servername nvbgm6.nl
I think it must be nvbgm.nl

1 Like

I don't know where that 6 came from - LOL
Let me correct that post.

2 Likes

Using RFC 1149? :smile:

@NvBgm What webserver are we talking about? Nginx? Apache?

Btw, the entire website is down from my current point of view, 5G connection in The Netherlands.

2 Likes

I see all 4 with the same Certificate Serial Number of 31fe09bb224bc406ced1131e58683bd0e0c

  1. https://decoder.link/sslchecker/nvbgm.nl/443
  2. https://decoder.link/sslchecker/www.nvbgm.nl/443
  3. https://decoder.link/sslchecker/nvbgm1.nl/443
  4. https://decoder.link/sslchecker/www.nvbgm1.nl/443

And from around the world it looks like everyone can connect to both via HTTPS
nvbgm.nl Permanent link to this check report
nvbgm1.nl Permanent link to this check report

Also I see Port 80 Closed and Port 443 Open

$ nmap -Pn -p80,443 nvbgm.nl
Starting Nmap 7.80 ( https://nmap.org ) at 2023-08-26 15:08 PDT
Nmap scan report for nvbgm.nl (86.92.96.222)
Host is up (0.16s latency).
rDNS record for 86.92.96.222: 86-92-96-222.fixed.kpn.net

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
$ nmap -Pn -p80,443 nvbgm1.nl
Starting Nmap 7.80 ( https://nmap.org ) at 2023-08-26 15:08 PDT
Nmap scan report for nvbgm1.nl (86.92.96.222)
Host is up (0.19s latency).
rDNS record for 86.92.96.222: 86-92-96-222.fixed.kpn.net

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
1 Like
