SSL certificate expired

Hi!
I have a web server here (Ubuntu 18.04 with nginx) with an SSL certificate which seems to have expired.
Therefore I want to ask how I can check this on the web server and how I can activate the SSL certificate again.
Kind regards for any answer.

Hi @haiflosse

Please answer the following questions. Use the information about your previous certificate.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Hi!
Sorry for my late answer.
I will try my best to present the information:
Domain IP is: 159.69.42.125 (please do not publish the domain)
In the meantime someone has activated the certificate again, but I want to know how I can do this by myself next time.

Till now I didn’t try any command.
my web server is: Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-51-generic x86_64)
hosting provider: hetzner.de
I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: no
I don’t know a version of my client.

Hope you can help me again.
kindly regards.

It seems you should probably ask this person about what method was used, because there are many different software applications that can be used, and you'll probably want to use the same one that the previous administrator used (or find out how to automate it). There is no single way to obtain or renew Let's Encrypt certificates.

Since your webserver is nginx and the problem was that the active certificate was not used by your webserver, you first have to learn about nginx configuration files to be able to understand what went wrong and why the certificate that was renewed normally with Letsencrypt a month ago was not used by nginx. If the person 'fixing' the problem has just copied the files to the right place by hand, it means that it's only a band-aid and the real problem is not fixed, since the new certificate should be automatically used by your web server.
Be warned, that's often a not really easy problem to understand. First make sure with this mysterious person that the real problem is fixed for good. If you are not confident about the answer, hiring a specialist may be more efficient than trying to understand nginx details yourself.

It's impossible to check your configuration and find some answers if you hide your domain name.

Thanks for the answers but I don’t understand it.
I checked the last used command on the server.
It was:
sudo apt-get dist-upgrade.

After that it seemed that the ssl certificate was working again.

I have written the IP address of the domain. I think it is the same as the domain name?

As schoen mentioned, maybe I will have the same problem again later. What do you suggest I can do or read to understand it correctly? Maybe it is possible for the SSL certificate to update automatically.

kindly regards again for any further help.

That's a global command, like "Searching new Windows updates". That has nothing to do with creating a new certificate.

One ip address can have millions of domain names. Checking this ip ( https://check-your-website.server-daten.de/?q=159.69.42.125 ) there is a certificate:

CN=bgweiz.at | 07.05.2019 | 05.08.2019 | expires in 58 days | bgweiz.at, www.bgweiz.at - 2 entries

But it's not new (created in the last week), it's 32 days old. Checking the domain ( https://check-your-website.server-daten.de/?q=bgweiz.at#ct-logs ) there are 6 active Letsencrypt certificates (created in the last 90 days)

| CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 953666037 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-07 00:37:37 | 2019-09-05 00:37:37 | mail.bgweiz.at - 1 entries | duplicate nr. 1 | |
| 902464894 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-09 13:34:52 | 2019-08-07 13:34:52 | schule.bgweiz.at - 1 entries | | |
| 898238216 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-07 03:15:12 | 2019-08-05 03:15:12 | bgweiz.at, www.bgweiz.at - 2 entries | | |
| 898238102 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-07 03:15:06 | 2019-08-05 03:15:06 | moodle.bgweiz.at - 1 entries | | |
| 885399717 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-29 00:10:37 | 2019-07-28 00:10:37 | ev.bgweiz.at - 1 entries | | |
| 852495505 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-08 00:43:48 | 2019-07-07 00:43:48 | mail.bgweiz.at - 1 entries | | |

and 69 Letsencrypt certificates complete. So that doesn't look like this is your domain.

Please start with the basics.

Then check the list of clients:

So there are a lot of options for how to create a certificate. Too many options.

Thanks for your answer.
I will study it and try my best.

As far as I can tell, I think I have installed the certbot client.
When I start certbot renew I get:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/moodle.bgweiz.at.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/schule.bgweiz.at.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ev.bgweiz.at.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/bgweiz.at.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/moodle.bgweiz.at/fullchain.pem expires on 2019-08-05 (skipped)
  /etc/letsencrypt/live/schule.bgweiz.at/fullchain.pem expires on 2019-08-07 (skipped)
  /etc/letsencrypt/live/ev.bgweiz.at/fullchain.pem expires on 2019-07-28 (skipped)
  /etc/letsencrypt/live/bgweiz.at/fullchain.pem expires on 2019-08-05 (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------

I have also tried the command sudo certbot renew --dry-run with the result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/moodle.bgweiz.at.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for moodle.bgweiz.at
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/moodle.bgweiz.at/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/schule.bgweiz.at.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for schule.bgweiz.at
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/schule.bgweiz.at/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ev.bgweiz.at.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ev.bgweiz.at
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ev.bgweiz.at/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/bgweiz.at.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bgweiz.at
http-01 challenge for www.bgweiz.at
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/bgweiz.at/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/moodle.bgweiz.at/fullchain.pem (success)
  /etc/letsencrypt/live/schule.bgweiz.at/fullchain.pem (success)
  /etc/letsencrypt/live/ev.bgweiz.at/fullchain.pem (success)
  /etc/letsencrypt/live/bgweiz.at/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

Can you inform me whether Let's Encrypt will now work automatically, or how I can check this?
Kind regards for any further answer.

1 Like

That looks good. You use Certbot, all certificates are active.

Perhaps it was a temporary problem.

That's

the next certificate. Should be renewed 30 days before expiration, so check that subdomain (via browser or use the online tool) 2019-07-01 to see, if the certificate is renewed.

Or check your configuration 2019-07-01 with

certbot certificates

to see, if that certificate is new.
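The two checks discussed above, as an added example that is not part of any post in this thread: which certificate enters the 30-day renewal window next, and whether nginx is serving the same certificate certbot has on disk. The function names are hypothetical, the sample lines are copied from the `certbot renew` output posted above, and GNU `date` and `openssl` are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.
# Needs GNU date; served_matches_disk also needs openssl and network access.

# Whole days from one YYYY-MM-DD date to another.
days_between() {  # usage: days_between FROM TO
    local from to
    from=$(date -u -d "$1" +%s) || return 1
    to=$(date -u -d "$2" +%s) || return 1
    echo $(( (to - from) / 86400 ))
}

# Read "certbot renew" summary lines on stdin and print, per certificate:
#   NAME EXPIRY DAYS_LEFT STATE   (STATE: ok, DUE inside the window, EXPIRED)
renewal_report() {  # usage: renewal_report TODAY [WINDOW_DAYS]
    local today=$1 window=${2:-30} path w1 w2 expiry rest name left state
    while read -r path w1 w2 expiry rest; do
        case $path in */fullchain.pem) ;; *) continue ;; esac
        left=$(days_between "$today" "$expiry" 2>/dev/null) || continue
        name=${path%/fullchain.pem}; name=${name##*/}
        if [ "$left" -lt 0 ]; then state=EXPIRED
        elif [ "$left" -lt "$window" ]; then state=DUE
        else state=ok; fi
        echo "$name $expiry $left $state"
    done
}

# Compare the leaf certificate on disk with the one the server presents.
# Returns 0 if identical, 1 if they differ, 2 if either could not be read.
served_matches_disk() {  # usage: served_matches_disk NAME [HOST:PORT]
    local name=$1 target=${2:-$1:443} disk live
    disk=$(openssl x509 -noout -fingerprint -sha256 \
        -in "/etc/letsencrypt/live/$name/fullchain.pem") || return 2
    live=$(openssl s_client -connect "$target" -servername "$name" \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256) || return 2
    [ "$disk" = "$live" ]
}

# Summary lines copied from the "certbot renew" output posted in this thread.
SAMPLE='  /etc/letsencrypt/live/moodle.bgweiz.at/fullchain.pem expires on 2019-08-05 (skipped)
  /etc/letsencrypt/live/schule.bgweiz.at/fullchain.pem expires on 2019-08-07 (skipped)
  /etc/letsencrypt/live/ev.bgweiz.at/fullchain.pem expires on 2019-07-28 (skipped)
  /etc/letsencrypt/live/bgweiz.at/fullchain.pem expires on 2019-08-05 (skipped)'

# Report as of the check date suggested in the thread.
printf '%s\n' "$SAMPLE" | renewal_report 2019-07-01
```

`served_matches_disk ev.bgweiz.at` returning 1 after a renewal means nginx is still serving the previous certificate; with `Installer None`, certbot does not reload nginx itself, so a reload (for example from a certbot `--deploy-hook`) is what makes the renewed file take effect.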

Thanks for your answer.
So normally the certificates for all domains and subdomains will renew automatically, or must I do any more settings for automatic renewal?
Kind regards again

1 Like

Normally, that should work. But

  • you have a lot of older certificates, so it looks that it had worked,
  • so it looks like a special exception and I don't see a reason.

So check the website 2019-07-01 to see, if it has worked.

Thanks for your answer and help.
I will check on 2019-07-01 and will report here again.
Kind regards

1 Like

Hi!
I have checked my domains again with

certbot certificates

but I notice that the first will expire later: it is not the 2019-07-01 but the 2019-08-01.
Kind regards

Rechecked your domain: there is a new certificate ( https://check-your-website.server-daten.de/?q=bgweiz.at#ct-logs ):

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-06-28 | 2019-09-26 | ev.bgweiz.at - 1 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-06-07 | 2019-09-05 | mail.bgweiz.at - 1 entries | | |
| Let’s Encrypt Authority X3 | 2019-05-09 | 2019-08-07 | schule.bgweiz.at - 1 entries | | |
| Let’s Encrypt Authority X3 | 2019-05-07 | 2019-08-05 | bgweiz.at, www.bgweiz.at - 2 entries | | |

ev.bgweiz.at is renewed, 2019-06-28. So the renew has worked.

And checking that domain - https://check-your-website.server-daten.de/?q=ev.bgweiz.at - there is the new certificate:

CN=ev.bgweiz.at | 28.06.2019 | 26.09.2019 | expires in 85 days | ev.bgweiz.at - 1 entry

So it had worked.

Hi!
Thanks a lot for your answer.
kindly regards
