Ssllabs says cert expired Jan 17th but Lets Encrypt says not due for renewal


#1

Please fill out the fields below so we can help you better.

I ran this command: sudo letsencrypt renew

It produced this output:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/.com/fullchain.pem (skipped)
No renewals were attempted.

My operating system is (include version): Ubuntu 16.10.1

My web server is (include version): Apache2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no - direct ssh

I can’t for the life of me figure out why the renewal attempt says certs are not due for renewal but ssllabs clearly shows certs expired over a month ago. I’ve confirmed that there is only a single folder in my /etc/letsencrypt/live folder and it has the expected cert, chain, fullchain and privkey files.

Any ideas what to try next?


#2

This is typically because you haven’t reloaded / restarted apache, so it’s still using the old certs. Try reloading apache:

service apache2 reload

and then check what the expiry date is on the https.


#3

Guess I should have clarified in my first post. Apache has been reloaded. I’ve even rebooted the server. There are no other certs on this server as it’s a brand new server setup and I’m trying to register the cert for the new server.


#4

I’m a little confused … is this a brand new server that you are trying to obtain certificates for? Or a renewal of existing certs?

Can you check the cert here, and see what the date of it is?

In your apache config, what file does it refer to for SSLCertificateFile?


#5

Yeah this one is seriously stumping me. It’s a new server that I’m moving an existing domain to. The domain was successfully registered on a different server, but that server simply didn’t have the resources I needed, so I installed a new server and tried to get certs set up.

The last modified date of the cert file is today (Feb 22). The /etc/letsencrypt/live/mydomain.com/ folder has links that point to an archive folder for each of the 4 files. The archive folder path is /etc/letsencrypt/archive/mydomain.com/ and inside this archive folder, I can find all 4 of the expected files. They also have a modified date of today (Feb 22).

Apache config file has the following (these are the only entries for certs and there is no other virtual host set up):

SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

Everything I look at tells me this should be working.

I thought maybe it was related to HSTS, so I removed the domain from my browser’s HSTS and restarted the server, and I’m still getting the same thing. Since I am seeing expired certs through various browsers as well as Ssllabs, my assumption is that the certs are in fact expired and there is something broken with the letsencrypt renew process.


#6

I also tried to point Apache directly to the archive files instead of the links in the LIVE folder but Apache refuses to reload when I try that.


#7

When do the certs expire? i.e.

openssl x509 -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -noout -text | grep Validity -A2

What’s your domain name?


#8
    Validity
        Not Before: Feb 22 08:32:00 2017 GMT
        Not After : May 23 08:32:00 2017 GMT

#9

OK - so the certificates are correct, but for some reason you are not using them on that server.

What’s your domain name ?


#10

Well don’t I feel like an idiot.

I checked with the guys running network security and they apparently forgot to make the appropriate changes on the Sophos UTM. They use Sophos as a WAF and it serves as the proxy. When certs renew, they also need to renew the cert loaded on Sophos. They forgot to do this, even though I checked and confirmed before doing all this.

Apologies for wasting your time.
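The mismatch in this thread (a valid certificate on disk, an expired one seen by clients because a proxy in front of the server presents its own copy) is easy to detect mechanically: compare the SHA-256 fingerprint of the local fullchain.pem with the leaf certificate actually presented on port 443. The script below is an added example, not code from this thread or from Let's Encrypt; the hostname, port and the /etc/letsencrypt/live path are assumptions to be adjusted.

```shell
#!/bin/sh
# Compare the certificate on disk with the one clients actually receive.
# A mismatch means something in front of Apache (WAF, reverse proxy, CDN)
# is serving a different certificate than the one certbot renewed.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file.
local_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Expiry date of the first certificate in a PEM file.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Leaf certificate presented by HOST:PORT, with SNI set to HOST, as PEM.
served_pem() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Returns 0 when the two fingerprints are identical.
fingerprints_match() { [ "$1" = "$2" ]; }

# check_site HOST [PORT] [LOCAL_PEM]; exits 1 on a mismatch.
check_site() {
  host=$1; port=${2:-443}
  pem=${3:-/etc/letsencrypt/live/$host/fullchain.pem}   # assumed certbot layout
  tmp=$(mktemp); served_pem "$host" "$port" >"$tmp"
  local_fp=$(local_fingerprint "$pem"); served_fp=$(local_fingerprint "$tmp")
  echo "on disk : $local_fp (expires $(cert_not_after "$pem"))"
  echo "served  : $served_fp (expires $(cert_not_after "$tmp"))"
  rm -f "$tmp"
  if fingerprints_match "$local_fp" "$served_fp"; then
    echo "OK: $host serves the certificate from $pem"
  else
    echo "MISMATCH: $host:$port presents a different certificate than $pem;" \
         "check the device in front of this server (proxy/WAF/load balancer)"
    return 1
  fi
}

# Usage: ./certcheck.sh mydomain.com [443] [/path/to/fullchain.pem]
if [ $# -gt 0 ]; then check_site "$@"; fi
```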


#11

Glad you got it sorted.

If you had provided your domain name (as requested multiple times) this would have been resolved much quicker.


#12

Not sure how that would have resolved anything, since you would have seen exactly what I was seeing: an expired cert warning. But in any case, this was very helpful. Thanks for walking through this.


#13

I’d have seen that it was coming from your Sophos UTM machine, rather than your server.

