Renew Results in Expired Cert?

I have been manually renewing my test certs and have not had any issues. However, I stopped my testing for a few months and I am having issues renewing a cert. I manually run certbot certonly --cert-name test.xxxxxxxx.us -d test.xxxxxxxx.us and certbot certificate shows:

Looks good. But when I browse to the webpage, I get SEC_ERROR_EXPIRED_CERTIFICATE! I am using HAProxy to manage the certs.
Again, I have not had a problem all the while I was testing. My procedures work fine. It looks like the old expiration date is not being updated. I rebooted my servers, but that didn't help.

What can I delete about the cert so I can re-run the renew?

Nothing. If Certbot says the certificate is good for another 89 days, it's good. There's no reason to delete a perfectly fine certificate.

You should look for the issue with HAProxy.

4 Likes

Why are you running that command to renew a cert? Surely certbot renew would be a more sensible command.

That's a frankly bizarre conclusion to draw. Certbot reports that it has a cert, where the cert is, and how long it's valid, and your conclusion is that it's lying to you, or that it doesn't know how to read the cert to determine how long it's valid?

The question is why HAProxy isn't using that cert. And, if I had to take a wild guess, it would be that you'd previously manually copied the old cert file somewhere else, and told HAProxy to use that one, rather than the one in /etc/letsencrypt/live/--and since a little bit of Googling suggests that HAProxy wants both the cert and the private key in a single .pem file (which certbot doesn't generate on its own), this scenario is looking entirely plausible, to say the least. So you can get all the new certs you want, but HAProxy won't know anything about them.

7 Likes

I run the following series of commands.

  1. certbot certonly --cert-name xxxxxxxxxxx.us -d xxxxxxxxxxx.us
  2. cat fullchain.pem privkey.pem > /etc/haproxy/certs/www.xxxxxxxxxxx.us.pem
  3. certbot certificates
    Response: - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.xxxxxxxxxxx.us/fullchain.pem

I do this same process for other domains and it works fine (https) for the domains.
It's just one domain that used to work. The certbot certificate returns an invalid expiration date for some reason.

What is the domain name?

Without that there is not much we can say except general advice which has already been given

3 Likes

Please show that picture/output.

3 Likes

So actually the certbot certificates return looks ok:
Found the following matching certs:

Certificate Name: test.streamingworld.us
Domains: test.streamingworld.us
Expiry Date: 2023-03-11 17:36:58+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/test.streamingworld.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/test.streamingworld.us/privkey.pem

But browsing to test.streamingworld.us is showing:

Websites prove their identity via certificates, which are valid for a set time period. The certificate for test.streamingworld.us expired on 3/26/2022.


Error code: SEC_ERROR_EXPIRED_CERTIFICATE

Note I have not edited/copied/moved any certificate data.

Ideas?

Thanks

BTW, I am using Letsencrypt certs.

2 Likes

That command only renews the cert.
Whatever programs use that cert must be informed about the change.

4 Likes

As three of us have now told you, HAProxy isn't using the current and valid cert you now have (and apparently hasn't been for some time; it's using a cert that expired nine months ago). You'll need to look into its configuration to determine why. My guess would be that when you did cat fullchain.pem privkey.pem > /etc/haproxy/certs/www.xxxxxxxxxxx.us.pem, you did it with the wrong cert files. Or maybe you haven't done it for quite some time, and thought you did--you'll need to do that every time you renew the cert.

5 Likes
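The two points the replies above keep returning to (step 2 of the posted procedure, and the fact that HAProxy must be told about a renewed cert every time) can be handled by a certbot deploy hook. The script below is an added example, not part of the original thread and not certbot's or HAProxy's own code. It assumes, hypothetically, that HAProxy loads its certs from /etc/haproxy/certs/<lineage>.pem and is reloaded with `systemctl reload haproxy`; the only facts it relies on are that certbot exports RENEWED_LINEAGE to deploy hooks and that HAProxy wants chain and key in one file. The offline demo at the bottom runs on constructed placeholder PEM blocks, not real certificates.

```shell
#!/usr/bin/env bash
# Added example: rebuild the combined HAProxy pem from a certbot lineage,
# validate it, and reload HAProxy. Usage as a hook:
#   certbot renew --deploy-hook /usr/local/sbin/haproxy-deploy.sh
# Paths and the reload command are assumptions; adjust to your setup.
set -eu

# Number of CERTIFICATE blocks in a PEM file (leaf + chain).
cert_count() { grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# Number of private-key blocks (PKCS#8, or legacy RSA/EC headers).
key_count() { grep -c -E -e '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || true; }

# A usable HAProxy pem has at least one certificate and exactly one key.
# A chain-only file (the cat step was skipped) or a doubled key fails here.
haproxy_pem_ok() {
    [ -r "$1" ] || return 1
    local certs keys
    certs=$(cert_count "$1"); keys=$(key_count "$1")
    if [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]; then return 0; else return 1; fi
}

# Step 2 of the thread's procedure, done atomically (write to a temp file,
# validate, rename) and with the key never world-readable.
build_haproxy_pem() {  # build_haproxy_pem LIVEDIR OUTFILE
    local live=$1 out=$2 tmp
    tmp="$out.tmp.$$"
    ( umask 077; cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp" ) \
        || { rm -f "$tmp"; return 1; }
    if haproxy_pem_ok "$tmp"; then mv "$tmp" "$out"; else rm -f "$tmp"; return 1; fi
}

# Does HAProxy actually serve the leaf that is on disk? Compares SHA-256
# fingerprints; needs openssl and network, so it is not run in the demo.
served_matches_disk() {  # served_matches_disk HOST PEMFILE
    local disk served
    disk=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256)
    [ -n "$disk" ] && [ "$disk" = "$served" ]
}

# Hook mode: certbot sets RENEWED_LINEAGE=/etc/letsencrypt/live/<name>.
# Naming the output after the lineage avoids the www./test. mismatch
# discussed in the thread.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(basename "$RENEWED_LINEAGE")
    build_haproxy_pem "$RENEWED_LINEAGE" "/etc/haproxy/certs/$name.pem" \
        && systemctl reload haproxy
    exit
fi

# Offline demo on constructed input (placeholder bodies, not real certs):
# three CERTIFICATE blocks like the long chain, including the stray blank
# line seen in the thread, plus one private key.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/live"
cat > "$DEMO_DIR/live/fullchain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDER
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBrootPLACEHOLDER
-----END CERTIFICATE-----
EOF
cat > "$DEMO_DIR/live/privkey.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIEkeyPLACEHOLDER
-----END PRIVATE KEY-----
EOF
build_haproxy_pem "$DEMO_DIR/live" "$DEMO_DIR/test.example.pem"
echo "certs=$(cert_count "$DEMO_DIR/test.example.pem") keys=$(key_count "$DEMO_DIR/test.example.pem")"
# The failure mode from the thread: a pem that never got the key appended.
cp "$DEMO_DIR/live/fullchain.pem" "$DEMO_DIR/chain-only.pem"
haproxy_pem_ok "$DEMO_DIR/chain-only.pem" && echo "unexpected" || echo "chain-only.pem rejected: no private key"
```

The blank line between the second and third certificate is harmless to the block counts and to HAProxy; what the hook guards against is the file that was never rebuilt, rebuilt from the wrong lineage, or written under a name HAProxy does not load. After a reload, `served_matches_disk test.example.com /etc/haproxy/certs/test.example.com.pem` is the check that closes the loop between what certbot reports and what the browser sees.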

I posted the process I use and have used for a few years now, and for multiple different domains. I have not deviated from it and never ran into this problem until now.

Please show the fullchain.pem file used in step #2.
[your exact starting path was NOT shown]

3 Likes

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Where did that third cert come from?
How is that being inserted into fullchain.pem?

2 Likes

Please show the most amount of details in your posts as possible. E.g., the exact location for contents of files you've provided.

Also, could you perhaps share the haproxy configuration file?

3 Likes

That is not an original fullchain.pem file.
I suspect that there is some hook that modifies it [even before doing those three steps].

3 Likes

I have no idea where the 3rd cert is coming from. I just checked on a domain that works and it too has 3 certs in the pem file?

It looks like a normal fullchain.pem to me (the long chain).

@rayj00 You cat this with your privkey.pem for HAProxy.

Do not show us the privkey!

But, are you sure the target filename used in the cat is the same name used in HAProxy?

Because in your cat example your redacted name is www.xxxx and in other places you have it as test.xxxx. Could there be a simple mis-match of file names?

2 Likes

Except for the extra line between the second and third cert.
🕵️ 🔍

3 Likes

The test.streamingworld.us has the cert problem.

And the concatenation results from this command:
cat fullchain.pem privkey.pem > /etc/haproxy/certs/test.streamingworld.us.pem

And is that the name used in your HAProxy config?

Can you show us

ls -l /etc/haproxy/certs

3 Likes