Ssllabs says cert expired Jan 17th but Lets Encrypt says not due for renewal

Please fill out the fields below so we can help you better.

I ran this command: sudo letsencrypt renew

It produced this output: The following certs are not due for renewal yet:
/etc/letsencrypt/live/.com/fullchain.pem (skipped)
No renewals were attempted.

My operating system is (include version): Ubuntu 16.10.1

My web server is (include version): Apache2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no - direct ssh

I can’t for the life of me figure out why the renewal attempt says certs are not due for renewal but ssllabs clearly shows certs expired over a month ago. I’ve confirmed that there is only a single folder in my /etc/letsencrypt/live folder and it has the expected cert, chain, fullchain and privkey.

Any ideas what to try next?

This is typically because you haven't reloaded / restarted apache - so it's still using the old certs. Try reloading apache

service apache2 reload

and then check what the expiry date is on the https.

Guess I should have clarified in my first post. Apache has been reloaded. I’ve even rebooted the server. There are no other certs on this server as it’s a brand new server setup and I’m trying to register the cert for the new server.

I'm a little confused .... is this a brand new server that you are trying to obtain certificates for ? or a renewal of existing certs ?

Can you check the cert here, and see what the date of it is ?

In your apache config, what file does it refer to for SSLCertificateFile ?

Yeah this one is seriously stumping me. It’s a new server that I’m moving an existing domain to. The domain was successfully registered on a different server but simply didn’t have the resources I needed so installed a new server and tried to get certs setup.

The last modified date of the cert file is today (Feb 22). The /etc/letsencrypt/live/ folder has links that point to an archive folder for each of the 4 files. The archive folder path is /etc/letsencrypt/archive/ and inside this archive folder, I can find all 4 of the expected files. They also have a modified date of today (Feb 22).

Apache config file has the following…(these are the only entries for certs and there is no other virtual host setup)

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Everything I look at tells me this should be working.

I thought maybe it was related to HSTS so I removed the domain from my browser’s HSTS and restarted the server and still getting the same thing. Since I am seeing expired certs through various browsers as well as Ssllabs, my assumption is that the certs are in fact expired and there is something broken with the letsencrypt renew process.

I also tried to point Apache directly to the archive files instead of the links in the LIVE folder but Apache refuses to reload when I try that.

When do the certs expire ? i.e.

openssl x509 -in /etc/letsencrypt/live/ -noout -text | grep Validity -A2

what's your domain name ?

        Not Before: Feb 22 08:32:00 2017 GMT
        Not After : May 23 08:32:00 2017 GMT

OK - so the certificates are correct - but for some reason you are not using them on that server

What’s your domain name ?

Well don’t I feel like an idiot.

I checked with the guys running network security and they apparently forgot to make the appropriate changes on the Sophos UTM. They use Sophos as a WAF and it serves as the proxy. When certs renew, they also need to renew the cert loaded to Sophos. They forgot to do this even though I checked and confirmed before doing all this.

Apologies for wasting your time.


Glad you got it sorted.

If you had provided your domain name (as requested multiple times) this would have been resolved much quicker.

Not sure how that would have resolved anything since you would have seen exactly what I was seeing…an expired cert warning. But in any case, this was very helpful. Thanks for walking through this.

I’d have seen that it was coming from your Sophos UTM machine, rather than your server.
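The check that would have shortened this thread is to compare the certificate on disk with the one clients actually receive on port 443, since a proxy or WAF in front of the server presents its own copy. Added example, not code from the thread or from certbot: a stdlib-only Python script that reads the SHA-256 fingerprint and notAfter straight from DER, and compares the two. The hostname/port arguments and the minimal DER skeleton used as test data are assumptions; the toy skeleton is not a real certificate, only enough structure to exercise the parser.

```python
import hashlib
import ssl
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_summary(der):
    """SHA-256 fingerprint and notAfter of a DER X.509 certificate, stdlib only."""
    _, p, _ = _tlv(der, 0)                         # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                         # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)                     # optional [0] EXPLICIT version
    if tag != 0xA0:
        end = p                                    # v1 cert: serialNumber comes first
    for _ in range(3):                             # serialNumber, signature, issuer
        _, _, end = _tlv(der, end)
    _, v, _ = _tlv(der, end)                       # validity SEQUENCE
    _, _, e = _tlv(der, v)                         # notBefore (skipped)
    tag, s, e = _tlv(der, e)                       # notAfter: 0x17 UTCTime / 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(der[s:e].decode(), fmt).replace(tzinfo=timezone.utc)
    return {"fingerprint": hashlib.sha256(der).hexdigest(), "not_after": not_after}

def compare(local_der, served_der, now=None):
    """Is the cert in /etc/letsencrypt/live the one clients are actually shown?"""
    local, served = cert_summary(local_der), cert_summary(served_der)
    now = now or datetime.now(timezone.utc)
    return {"same_cert": local["fingerprint"] == served["fingerprint"],
            "served_expired": served["not_after"] < now,
            "local_not_after": local["not_after"], "served_not_after": served["not_after"]}

def served_cert_der(host, port=443):
    """Fetch the leaf cert a client sees; with a WAF/proxy in front, that is the proxy's copy."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# --- constructed test data: minimal DER skeleton (version, serial, empty alg/issuer, validity) ---
def _enc(tag, body):                               # DER TLV encoder for bodies < 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + body

def _toy_cert(not_before, not_after):
    validity = _enc(0x30, _enc(0x17, not_before.encode()) + _enc(0x17, not_after.encode()))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
           + _enc(0x30, b"") + _enc(0x30, b"") + validity)
    return _enc(0x30, _enc(0x30, tbs))

def demo():
    """On-disk cert carries the thread's validity dates; the served one is a constructed stale cert."""
    on_disk = _toy_cert("170222083200Z", "170523083200Z")
    presented = _toy_cert("161019000000Z", "170117000000Z")
    return compare(on_disk, presented, now=datetime(2017, 2, 22, tzinfo=timezone.utc))
```

For a real check, read the PEM from the live directory with `ssl.PEM_cert_to_DER_cert(open(path).read())` and pass it with `served_cert_der("your.domain")` to `compare`; `same_cert` False with `served_expired` True is exactly the proxy-still-holding-the-old-cert case from this thread.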

