SSL is valid, but browser doesn’t think so

My domain is: pipperweb.com

I ran this command: sudo certbot renew

It produced this output: /etc/letsencrypt/live/pipperweb.com/fullchain.pem expires on 2019-09-01 (skipped)

My web server is (include version): Apache (installed via brew)

The operating system my web server runs on is (include version): macOS 10.14.5

My hosting provider, if applicable, is: MacStadium

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot version 0.34.2 (via brew also)

The domain listed shows that it is valid until October of 2019, but when I visit the URL in any web browser it shows the cert expired 12 days ago

Hi @dennispipper

your certificate is incomplete.

You have two certificates created ( https://check-your-website.server-daten.de/?q=pipperweb.com#ct-logs ):

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-07-08 2019-10-06 pipperweb.com - 1 entries duplicate nr. 1
Let's Encrypt Authority X3 2019-06-03 2019-09-01 pipperweb.com, www.pipperweb.com - 2 entries

But you use the wrong with only one domain name:

CN=pipperweb.com
	08.07.2019
	06.10.2019
expires in 90 days	pipperweb.com - 1 entry

Result: Your www has the wrong certificate, your non-www has the correct certificate.

Domainname Http-Status redirect Sec. G
http://pipperweb.com/
207.254.73.85 301 https://pipperweb.com/ 0.334 A
http://www.pipperweb.com/
207.254.73.85 301 https://www.pipperweb.com/ 0.337 A
https://www.pipperweb.com/
207.254.73.85 301 https://pipperweb.com/ 1.890 N
Certificate error: RemoteCertificateNameMismatch
https://pipperweb.com/
207.254.73.85 200 2.546 B

But if a user uses the http + www version, then the redirect doesn't work, because the wrong certificate blocks.

PS: I don't see an expired certificate, I see a wrong certificate.

What says

certbot certificates

apachectl -S

@JuergenAuer

You are right, also I didn’t mention that I have several domains on the server.

certbot certificates results:

Found the following certs:
Certificate Name: anchorliving.net
Domains: anchorliving.net www.anchorliving.net
Expiry Date: 2019-08-19 21:03:23+00:00 (VALID: 41 days)
Certificate Path: /etc/letsencrypt/live/anchorliving.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/anchorliving.net/privkey.pem
Certificate Name: anchorphoto.com
Domains: anchorphoto.com www.anchorphoto.com
Expiry Date: 2019-09-01 21:05:16+00:00 (VALID: 54 days)
Certificate Path: /etc/letsencrypt/live/anchorphoto.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/anchorphoto.com/privkey.pem
Certificate Name: fogba.com
Domains: fogba.com www.fogba.com
Expiry Date: 2019-08-19 21:03:31+00:00 (VALID: 41 days)
Certificate Path: /etc/letsencrypt/live/fogba.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/fogba.com/privkey.pem
Certificate Name: iprof.net
Domains: iprof.net www.iprof.net
Expiry Date: 2019-09-01 21:05:22+00:00 (VALID: 54 days)
Certificate Path: /etc/letsencrypt/live/iprof.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/iprof.net/privkey.pem
Certificate Name: iprof.us
Domains: iprof.us www.iprof.us
Expiry Date: 2019-09-19 21:04:36+00:00 (VALID: 72 days)
Certificate Path: /etc/letsencrypt/live/iprof.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/iprof.us/privkey.pem
Certificate Name: pipper.net
Domains: pipper.net www.pipper.net
Expiry Date: 2019-04-21 22:00:36+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/pipper.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pipper.net/privkey.pem
Certificate Name: pipperweb.com-0001
Domains: pipperweb.com
Expiry Date: 2019-10-06 19:59:24+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/pipperweb.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pipperweb.com-0001/privkey.pem
Certificate Name: pipperweb.com
Domains: pipperweb.com www.pipperweb.com
Expiry Date: 2019-09-01 21:05:37+00:00 (VALID: 54 days)
Certificate Path: /etc/letsencrypt/live/pipperweb.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pipperweb.com/privkey.pem
Certificate Name: spartn.com
Domains: spartn.com www.spartn.com
Expiry Date: 2019-09-01 21:05:41+00:00 (VALID: 54 days)
Certificate Path: /etc/letsencrypt/live/spartn.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/spartn.com/privkey.pem
Certificate Name: spartn.xyz
Domains: spartn.xyz www.spartn.xyz
Expiry Date: 2019-09-01 21:05:45+00:00 (VALID: 54 days)
Certificate Path: /etc/letsencrypt/live/spartn.xyz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/spartn.xyz/privkey.pem

apachectl -S returns:

VirtualHost configuration:
*:80 is a NameVirtualHost
default server spartn.com (/usr/local/etc/httpd/extra/vhosts/000_spartn.com.conf:2)
port 80 namevhost spartn.com (/usr/local/etc/httpd/extra/vhosts/000_spartn.com.conf:2)
alias www.spartn.com
port 80 namevhost anchorliving.net (/usr/local/etc/httpd/extra/vhosts/anchorliving.net.conf:24)
alias www.anchorliving.net
port 80 namevhost anchorphoto.com (/usr/local/etc/httpd/extra/vhosts/anchorphoto.com.conf:24)
alias www.anchorphoto.com
port 80 namevhost fogba.com (/usr/local/etc/httpd/extra/vhosts/fogba.com.conf:24)
alias www.fogba.com
port 80 namevhost iprof.net (/usr/local/etc/httpd/extra/vhosts/iprof.net.conf:24)
alias www.iprof.net
port 80 namevhost iprof.us (/usr/local/etc/httpd/extra/vhosts/iprof.us.conf:24)
alias www.iprof.us
port 80 namevhost pipper.net (/usr/local/etc/httpd/extra/vhosts/pipper.net.conf:24)
alias www.pipper.net
port 80 namevhost pipperweb.com (/usr/local/etc/httpd/extra/vhosts/pipperweb.com.conf:24)
alias www.pipperweb.com
port 80 namevhost spartn.xyz (/usr/local/etc/httpd/extra/vhosts/spartn.xyz.conf:24)
alias www.spartn.xyz
*:443 is a NameVirtualHost
default server spartn.com (/usr/local/etc/httpd/extra/vhosts/000_spartn.com.conf:10)
port 443 namevhost spartn.com (/usr/local/etc/httpd/extra/vhosts/000_spartn.com.conf:10)
alias www.spartn.com
port 443 namevhost anchorliving.net (/usr/local/etc/httpd/extra/vhosts/anchorliving.net.conf:32)
alias www.anchorliving.net
port 443 namevhost anchorphoto.com (/usr/local/etc/httpd/extra/vhosts/anchorphoto.com.conf:32)
alias www.anchorphoto.com
port 443 namevhost fogba.com (/usr/local/etc/httpd/extra/vhosts/fogba.com.conf:32)
alias www.fogba.com
port 443 namevhost iprof.net (/usr/local/etc/httpd/extra/vhosts/iprof.net.conf:33)
alias www.iprof.net
port 443 namevhost iprof.us (/usr/local/etc/httpd/extra/vhosts/iprof.us.conf:33)
alias www.iprof.us
port 443 namevhost pipper.net (/usr/local/etc/httpd/extra/vhosts/pipper.net.conf:32)
alias www.pipper.net
port 443 namevhost pipperweb.com (/usr/local/etc/httpd/extra/vhosts/pipperweb.com.conf:36)
alias www.pipperweb.com
port 443 namevhost spartn.xyz (/usr/local/etc/httpd/extra/vhosts/spartn.xyz.conf:32)
alias www.spartn.xyz
ServerRoot: “/usr/local/opt/httpd”
Main DocumentRoot: “/Users/pipper/Sites”
Main ErrorLog: “/usr/local/var/log/httpd/error_log”
Mutex mpm-accept: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/usr/local/var/run/httpd/" mechanism=default
PidFile: “/usr/local/var/run/httpd/httpd.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“pipper” id=502
Group: name=“staff” id=20

There

is the certificate you need.

That's good, one vHost with both domain names

That's good - same reason.

So you have the certificate and a vHost with both domains.

So try

certbot -d pipperweb.com -d www.pipperweb.com

Certbot should find the certificate and should ask, if you want to install it.

1 Like

That did the trick! Thank you for the super fast reply!

Dennis

2 Likes

A post was split to a new topic: Browser says, certificate is invalid, Certbot says, it’s ok

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.