Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: api2.eegloo.in

I ran this command: sudo certbot renew

It produced this output: Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/api2.eegloo.in/fullchain.pem expires on 2020-08-16 (skipped)
No renewals were attempted.

My web server is (include version): Tomcat 7 integrated in sprint boot

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: GCP

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi, My SSL certificate is not working in my server hosted at port 8100 . This is the error chrome gives.

Your connection is not private

Attackers might be trying to steal your information from api2.eegloo.in (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_DATE_INVALID

Please Help.

Topic says certificate is expired, but certbot says otherwise:

SSL Lab says "Assessment failed: Unable to connect to the server".

Yes, that may be because , port 80 of the server is unused. The two server applications are hosted in 8100 & 8080 port. I have gained the certificate wrt the domain name ap2.eegloo.in and hosted two sprint boot apps in port 8100 and 8080.

when I am trying to access https://api2.eegloo.in:8100 then I am getting the connection is not private error.

openssl s_client -connect api2.eegloo.in:8100 --showcerts
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = api2.eegloo.in
verify error:num=10:certificate has expired
notAfter=Jun 16 17:23:01 2020 GMT
verify return:1
depth=0 CN = api2.eegloo.in
notAfter=Jun 16 17:23:01 2020 GMT
verify return:1
---

What says?:
certbot certificates

Which cert files are you using?

Found the following certs:
Certificate Name: api2.eegloo.in
Domains: api2.eegloo.in
Expiry Date: 2020-08-16 03:27:04+00:00 (VALID: 54 days)
Certificate Path: path
Private Key Path: path

a. There is nothing super secretive about those paths.
b. What about the other question?:

OK I am new to this.

What says?:
certbot certificates ::

`Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: api2.eegloo.in
Domains: api2.eegloo.in
Expiry Date: 2020-08-16 03:27:04+00:00 (VALID: 54 days)
Certificate Path: /etc/letsencrypt/live/api2.eegloo.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/api2.eegloo.in/privkey.pem

• • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • `

Which cert files are you using? :: Can you please explain a lil bit. Couldn’t understand.

Port 8100 is using a certificate.
Where is that config file that shows which certificate it is using?

This is the application.properties file of the spring boot server.

server.port = 8100

security.require-ssl=true
server.ssl.key-store=/etc/letsencrypt/live/api2.eegloo.in/keystore.p12
server.ssl.key-store-password=*************
server.ssl.key-password=**************
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat

How did you create that file?
[that is not created by certbot - by default]

At some point, a command was run that took the contents of these two file:

Certificate Path: /etc/letsencrypt/live/api2.eegloo.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/api2.eegloo.in/privkey.pem

and created this file:

server.ssl.key-store=/etc/letsencrypt/live/api2.eegloo.in/keystore.p12

That command needs to be run each time the cert is renewed.
Moreover, you may also need to restart/reload Tomcat each time the p12 file is updated/re-created.

Ok Understood. Does that mean the p12 file expire date is not updated last time I created the .pem files. In that case, if I run the command
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root (got this from stackoverflow to use the certificate in tomcat) today, it should update the p12 file as per the .pem files, to 2020-08-16 03:27:04+00:00.

Please let me know if this is not standard process to use certificate in tomcat server integrated in spring boot. I ran this command after stopping the spring boot server, and re ran the server after changing the p12 files.

That command looks right, but I don’t know what command you ran before (to compare).
[nor any of the steps that led up to it - even a simple step like changing directory can make a difference]

And you need to consider how you can/will automate this process.

Yes, I plan to follow the process mentioned in the certbot website using cron jobs. Let me rerun the command to update the p12 file, let me see if it solves the problem.

Something changed, I can no longer reach port 8100:

openssl s_client -connect api2.eegloo.in:8100 --showcerts
140378008113600:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140378008113600:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

That is because I stopped the tomcat server, reran the command mentioned above to generate the p12 files, the restarted the server. And it seems okay right now. Only thing, I cannot understand if there was any issue while generating the p12 file. As much I remember, I created the cert for this server once, generated the p12 files, and ran the servers. I still cannot understand what it could have been gone wrong.

Yeah, much better now:

image417×522 11.2 KB