SSL Certificate expired, still Certbot unable to renew

Topic says certificate is expired, but certbot says otherwise:

SSL Lab says “Assessment failed: Unable to connect to the server”.

1 Like

Yes, that may be because , port 80 of the server is unused. The two server applications are hosted in 8100 & 8080 port. I have gained the certificate wrt the domain name ap2.eegloo.in and hosted two sprint boot apps in port 8100 and 8080.

when I am trying to access https://api2.eegloo.in:8100 then I am getting the connection is not private error.

openssl s_client -connect api2.eegloo.in:8100 --showcerts
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = api2.eegloo.in
verify error:num=10:certificate has expired
notAfter=Jun 16 17:23:01 2020 GMT
verify return:1
depth=0 CN = api2.eegloo.in
notAfter=Jun 16 17:23:01 2020 GMT
verify return:1
---
1 Like

1 Like

What says?:
certbot certificates

Which cert files are you using?

1 Like

Found the following certs:
Certificate Name: api2.eegloo.in
Domains: api2.eegloo.in
Expiry Date: 2020-08-16 03:27:04+00:00 (VALID: 54 days)
Certificate Path: path
Private Key Path: path


1 Like

a. There is nothing super secretive about those paths.
b. What about the other question?:

1 Like

OK I am new to this.

What says?:
certbot certificates ::

`Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: api2.eegloo.in
Domains: api2.eegloo.in
Expiry Date: 2020-08-16 03:27:04+00:00 (VALID: 54 days)
Certificate Path: /etc/letsencrypt/live/api2.eegloo.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/api2.eegloo.in/privkey.pem

                                                                          • `

Which cert files are you using? :: Can you please explain a lil bit. Couldn’t understand.

1 Like

Port 8100 is using a certificate.
Where is that config file that shows which certificate it is using?

1 Like

This is the application.properties file of the spring boot server.

server.port = 8100

security.require-ssl=true
server.ssl.key-store=/etc/letsencrypt/live/api2.eegloo.in/keystore.p12
server.ssl.key-store-password=*************
server.ssl.key-password=**************
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat

1 Like

How did you create that file?
[that is not created by certbot - by default]

1 Like

At some point, a command was run that took the contents of these two file:

Certificate Path: /etc/letsencrypt/live/api2.eegloo.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/api2.eegloo.in/privkey.pem

and created this file:

server.ssl.key-store=/etc/letsencrypt/live/api2.eegloo.in/keystore.p12

That command needs to be run each time the cert is renewed.
Moreover, you may also need to restart/reload Tomcat each time the p12 file is updated/re-created.

1 Like

Ok Understood. Does that mean the p12 file expire date is not updated last time I created the .pem files. In that case, if I run the command
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root (got this from stackoverflow to use the certificate in tomcat) today, it should update the p12 file as per the .pem files, to 2020-08-16 03:27:04+00:00.

Please let me know if this is not standard process to use certificate in tomcat server integrated in spring boot. I ran this command after stopping the spring boot server, and re ran the server after changing the p12 files.

1 Like

That command looks right, but I don’t know what command you ran before (to compare).
[nor any of the steps that led up to it - even a simple step like changing directory can make a difference]

1 Like

And you need to consider how you can/will automate this process.

1 Like

Yes, I plan to follow the process mentioned in the certbot website using cron jobs. Let me rerun the command to update the p12 file, let me see if it solves the problem.

Something changed, I can no longer reach port 8100:

openssl s_client -connect api2.eegloo.in:8100 --showcerts
140378008113600:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140378008113600:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

That is because I stopped the tomcat server, reran the command mentioned above to generate the p12 files, the restarted the server. And it seems okay right now. Only thing, I cannot understand if there was any issue while generating the p12 file. As much I remember, I created the cert for this server once, generated the p12 files, and ran the servers. I still cannot understand what it could have been gone wrong.

1 Like

Yeah, much better now:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.