SSL certificate status still expired after successful renewal

We are running a Node.js webserver, not nginx.

1 Like

Thank you for the details. Sounds like I need to change Node.js to not use Greenlock and use Certbot. Let me figure it out.

1 Like

I don't know if Certbot is more indicated than Greenlock. But, I don't know the node.js stack at all.

Find the appropriate documentation and read it, please. 🙂

3 Likes

Then what was this all about?

3 Likes

Here is what I found. I don't know if it's related.
"acme-challenge" in Greenlock pointed to leHTTPChallenge, which is located at the folder:
/var/www/datacook/.well-known/acme-challenge

But when we renew or install with Certbot, it didn't update any files under the challenge directory.
The challenge directory has files older than 2019? Is this a problem?

/var/www/datacook/.well-known/acme-challenge$ ls -alt
total 20
drwxrwxr-x 2 ubuntu ubuntu 4096 Nov 5 2019 .
-rwxrwxr-x 1 ubuntu ubuntu 88 May 15 2019 xhJtMlt3qjPZiMQDe8ZY8BW6cgcXVqeBh82NKdLu374
-rwxrwxr-x 1 ubuntu ubuntu 88 Feb 22 2019 m8TjnXK9KG_k6aoj5yp7rhvSssWT6JYY0B1X32uuwIU

How do I need to change challengeType to look at the 'certbot' folder?

Your host datacook.org claims it's an nginx 1.4.6 server running on Ubuntu.

The host datacook.org is sending the correct certificate, issued yesterday. www.datacook.org however is sending the incorrect certificate: just for datacook.org. But it is not expired as your thread title claims.

Also note that challenges are temporary and once used the tokens can be removed.

By the way, why is your domain using an IPv4-mapped IPv6 address as the value of its AAAA record? I don't really see any use for that to be honest. It's not really IPv6 and most if not all modern software is dual-stack, so why bother 🙂

3 Likes

Yes, I was testing nginx to see if the certificate is valid or not. I will check the www domain. Thanks for pointing it out, Osiris.

I am not good with network settings. If not using an AAAA record, what should I use for the domain address? And where should I set it up?

I started up Node.js and now it says 'certificate is valid' but 'connection' is not secure. Is that because of the www domain?

Please go to https://datacook.org

What says that? Does it provide any more details about "not secure"? Because I agree the cert looks fine.

It is not because of www subdomain. Does the message say anything about TLSv1 or TLSv1.1 (both of which you are supporting but maybe should not)?

3 Likes

I am not sure. I just replaced the www domain certificate, just in case, but it didn't help.

certbot certonly -d www.datacook.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.datacook.org.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.datacook.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.datacook.org/privkey.pem
    Your cert will expire on 2022-07-09. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Hi, MikeMcQ. I think it's my browser setting. I used another computer's browser and it seems to be working. I don't know if replacing the www domain certificate helped (or not), not sure. Thanks.

2 Likes

Hi, Osiris.
If not using an AAAA record, what should I use for the domain address? And where should I set it up? Thanks. I think I am almost resolving this issue.

1 Like

Why would you force renew a perfectly fine certificate?

My advice would be to only have the actual IPv6 address in the AAAA record. If your website's server does not have an IPv6 address, it's probably better to just remove the AAAA record.

3 Likes

Thanks Osiris. That's one of our questions too.
I remember that during the initial Certbot installation last year (2021), we got an AAAA-related error, but I guess with the A record it should have worked, right?

Please see this old log. "To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address."


sudo certbot renew -a webroot -w /var/www/html --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/datacook.org.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for datacook.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (datacook.org) from /etc/letsencrypt/renewal/datacook.org.conf produced an unexpected error: Failed authorization procedure. datacook.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://datacook.org/.well-known/acme-challenge/CRyRdYqKX4ymjGJjnkOwwdkQLUbP_GYVEuiowYCMEBU [2607:f1c0:100f:f000::234]: 204. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/datacook.org/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/datacook.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: datacook.org
    Type: unauthorized
    Detail: Invalid response from
    http://datacook.org/.well-known/acme-challenge/CRyRdYqKX4ymjGJjnkOwwdkQLUbP_GYVEuiowYCMEBU
    [2607:f1c0:100f:f000::234]: 204

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.


2 Likes

Thank you to every expert who responded and helped me go through this. The site says secure.

For the next renewal in July, I will do step 1: certbot renew, step 2: certbot install.
Or should I just do certbot install?

Please confirm from @9peppe.

2 Likes

certbot renew should be enough. If it's even needed.

2 Likes

Correct, having just IPv4 is fine, IPv6 isn't mandatory. Maybe your IPv6 settings earlier were incorrect and/or your webserver wasn't configured properly, I don't know.

By the way, currently your HTTP isn't redirecting to HTTPS and your https://www.datacook.org still provides the incorrect certificate.

4 Likes

Osiris, thanks for pointing out the www domain certificate.

From the server, I see the certificate is reissued, but the SSL certificate report says 'certificate mismatch'.
Here is the command.

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: www.datacook.org
    Domains: www.datacook.org
    Expiry Date: 2022-07-09 18:05:06+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/www.datacook.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.datacook.org/privkey.pem


Here is the result from "certbot certonly -d www.datacook.org"

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.datacook.org.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

For install, here is the log. But the site does not use nginx, so I got this error.

certbot install -d www.datacook.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator None, Installer nginx

Which certificate would you like to install?

1: datacook.org-0001
2: www.datacook.org

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Could not automatically find a matching server block for www.datacook.org. Set the server_name directive to use the Nginx installer.

2 Likes

It's missing the apex domain name.

And it seems your Node.js is still using some older certificate with just datacook.org.

My advice:

  • Get a single certificate with both hostnames (datacook.org as well as www.datacook.org)
  • Configure Node.js to use the correct certificate
  • Make sure Node.js is reloaded after future renewal of this certificate, so it always uses the correct cert

4 Likes
