SSL Certificate Expired


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.miniprix.ro
I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
AWS (thru VTEX e-commerce platform)
I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I’m not a tech person at VTEX, but our client Miniprix in Romania has an expired SSL Certified. It should renew automatically so just need to understand what is wrong so we can put their https back online.

Here’s a print:


#2

Hi @vinicius.ribeiro

There are four old / expired certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:false;domain:www.miniprix.ro;issuer_uid:4428624498008853827&lu=cert_search

how did your client create these certificates? The client should do that again.

There are a lot of name server settings:

```
nslookup www.miniprix.ro.

Name: d1hvn77lw5l7b5.cloudfront.net
Addresses: 52.222.253.104
52.222.253.108
52.222.253.99
52.222.253.189
Aliases: www.miniprix.ro
www.miniprix.ro.cdn.vtex.com
```

Maybe this is part of the problem that your Letsencrypt client doesn’t have access to these servers.

So Letsencrypt checks an ip without a validation file.


#3

Solution is pretty simple - don’t use Let’s Encrypt.

Cloudfront already gives you free, automatically renewing, 13-month duration certificates for all of your CDN resources, via AWS Certificate Manager, so you should use that.

If you’re not managing the Cloudfront certificate (i.e. vtex.com is), then you need to get in contact with vtex.com and ask them to fix it.


#4

Ah, thanks, good to know.

So this name server entry is the key -> use cloudfront.
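The two checks the replies rely on, a DNS lookup showing the CNAME chain ending at CloudFront (post #2) and a look at the certificate that is actually being served (post #3), as an added Python example; this is not code from the thread, and the sample nslookup text, the CloudFront-only suffix list and the function names are assumptions.

```python
import re, socket, ssl
from datetime import datetime, timezone

CERT_TIME = "%b %d %H:%M:%S %Y %Z"  # OpenSSL notAfter format, e.g. 'Jun  1 12:00:00 2020 GMT'
CDN_SUFFIXES = (".cloudfront.net",)  # assumption: CloudFront is the only CDN that matters here
SAMPLE_NSLOOKUP = """Name:    d1hvn77lw5l7b5.cloudfront.net
Addresses:  52.222.253.104
          52.222.253.108
Aliases:  www.miniprix.ro
          www.miniprix.ro.cdn.vtex.com
"""  # constructed sample mirroring the nslookup output quoted in post #2

def parse_nslookup(text):
    """Return (canonical_name, aliases) from Windows-style nslookup output."""
    canonical, aliases, section = "", [], None
    for line in text.splitlines():
        m = re.match(r"^(Name|Addresses|Aliases):\s*(.*)$", line)
        if m:
            section, value = m.group(1), m.group(2).strip()
        else:
            value = line.strip()  # continuation line of the current section
        if section == "Name" and value:
            canonical = value.rstrip(".").lower()
        elif section == "Aliases" and value:
            aliases.append(value.rstrip(".").lower())
    return canonical, aliases

def fronted_by_cdn(canonical):
    """True when the CNAME chain ends at a CDN, so the CDN (not the origin) terminates TLS."""
    return canonical.endswith(CDN_SUFFIXES)

def days_until_expiry(not_after, as_of=None):
    """Days left on a notAfter string; as_of (same format) defaults to the current UTC time."""
    parse = lambda s: datetime.strptime(s, CERT_TIME).replace(tzinfo=timezone.utc)
    now = parse(as_of) if as_of else datetime.now(timezone.utc)
    return (parse(not_after) - now).days

def live_check(host, port=443):
    """Fetch the certificate the host really serves (needs network) and report days remaining."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return days_until_expiry(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return f"verification failed: {exc.verify_message}"  # e.g. 'certificate has expired'

if __name__ == "__main__":
    name, aliases = parse_nslookup(SAMPLE_NSLOOKUP)
    print(name, "CDN-fronted" if fronted_by_cdn(name) else "direct", live_check(aliases[0]))
```

When the canonical name is a CDN host, renewing a certificate on the origin changes nothing the browser sees; the certificate has to be renewed where TLS is terminated, which for CloudFront is AWS Certificate Manager.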

