The expiration date does not change after automatic renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: Auto renewal

It produced this output: The expiration date does not change after automatic renewal. (wacs.exe in cmd)

My web server is (include version):

The operating system my web server runs on is (include version): Windows

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): We're not using Certbot.

The expiration date does not change after automatic renewal.

It was first renewed on May 10. The expiration date was August 8. June 20th is the automatic renewal date. I checked if it was automatically renewed on June 20th, but when I connected cmd to admin mode and ran wacs, the expiration date remained the same on August 8th. The expiration date should be changed to September 18th, but it hasn't been changed. In the \ProgramData\win-acme\acme.api.letsencrypt.org~~~.renewal.json file, the history shows that the expiration date has changed as follows, but the expiration date has not changed in the cmd window.

    "Date": "2022-06-20T00:38:00.6993809Z",
    "ExpireDate": "2022-09-18T08:38:12+09:00",
    "Abort": false,
    "Success": true,

It seems that 4 .pem files have been changed to June 20th.

What I'm curious about is

  1. Based on my situation, is the certificate updated properly?
  2. If it has been updated properly, why can't I change the expiration date by running wacs on cmd and how can I change it?
  3. If it hasn't been updated properly, how can I get automatic renewal to work properly? (Automatic renewal used to be registered in the job scheduler while installing win-acme.)

If you can provide a real domain we can probably tell you if the certificate is renewing.

I see you have a win-acme issue open, perhaps there is a bug in how the expiredate value is displayed/populated, but I'd imagine you can safely ignore it if your actual website is updating.

6 Likes

The domain is : winrds.kccworld.net

Has the expiration date been properly changed to September 18th?

How can I check if the expiration date has been changed properly?

Thanks, I can see from https://crt.sh/?q=winrds.kccworld.net that you renewed the certificate on the 19th.

I am assuming from the name this is not used for a website so unfortunately I can't connect to anything to test the certificate being served. When the certificate is renewed the latest cert will be stored in the windows certificate store, you are then running a script to apply the certificate to your service (I am assuming from the name it's Remote Desktop services) but only you know what that script is and what it's applying the certificate to. If you're not running the script (or win-acme isn't doing it for you), then you're renewing your cert but not applying it.

In general you can check the expiry date of a certificate on a service using openssl (if installed; this example is running from Linux using WSL):

    openssl s_client -servername <hostname> -connect <hostname>:<port> 2>/dev/null | openssl x509 -noout -dates

where <hostname> is either the name or IP of your host and <port> is your service port.

6 Likes
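
Added example, not written by any poster in this thread and not win-acme code: it compares the expiry of the certificate a service actually presents with the newest successful `ExpireDate` in the renewal history, which separates "renewed but not applied" from "not renewed". The `History` key, the function names and the sample values are assumptions or constructed, and `served_not_after` assumes the service speaks TLS directly on connect.

```python
import json
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample. The two entries mirror the dates given in the thread; the
# enclosing "History" key is an assumption about the renewal.json layout.
SAMPLE_RENEWAL_JSON = """{"History": [
 {"Date": "2022-05-10T00:38:00.0000000Z", "ExpireDate": "2022-08-08T08:38:12+09:00",
  "Abort": false, "Success": true},
 {"Date": "2022-06-20T00:38:00.6993809Z", "ExpireDate": "2022-09-18T08:38:12+09:00",
  "Abort": false, "Success": true}]}"""

def latest_renewed_expiry(renewal_json):
    """Latest ExpireDate (UTC) among successful, non-aborted history entries."""
    entries = json.loads(renewal_json).get("History", [])
    good = [e for e in entries if e.get("Success") and not e.get("Abort")]
    if not good:
        raise ValueError("no successful renewal recorded in history")
    return max(datetime.fromisoformat(e["ExpireDate"]) for e in good).astimezone(timezone.utc)

def parse_not_after(not_after):
    """Convert getpeercert()'s notAfter text, e.g. 'Aug  7 23:38:12 2022 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)

def served_not_after(host, port=443, timeout=10.0):
    """notAfter of the certificate the service presents right now (needs network).
    An expired or untrusted certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])

def diagnose(served, renewed, tolerance_s=3600):
    """Compare what is served with what the renewal history says was issued."""
    gap = (renewed - served).total_seconds()
    if gap > tolerance_s:
        return "stale: renewed certificate exists but the service still presents the old one"
    if gap < -tolerance_s:
        return "history-behind: service presents a newer certificate than the history records"
    return "in-sync: service presents the renewed certificate"

if __name__ == "__main__":
    renewed = latest_renewed_expiry(SAMPLE_RENEWAL_JSON)
    served = parse_not_after("Aug  7 23:38:12 2022 GMT")  # constructed; live: served_not_after(host)
    print(diagnose(served, renewed))
```

A "stale" result means the renewal itself worked and the remaining step is binding the new certificate to the service and restarting or reloading it.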
  1. You said it was renewed, but when I ran wacs on cmd, would it not be renewed properly if the expiration date was the same as the date before it was renewed?

  2. However, in the \ProgramData\winacme\acme.api.letsencrypt.org~~~.renewal.json file, the history shows that the expiration date has been updated as follows.
    "Date": "2022-06-20T00:38:00.6993809Z",
    "ExpireDate": "2022-09-18T08:38:12+09:00",
    "Abort": false,
    "Success": true,

Is it a simple error that the expiration date was not extended by running wacs on cmd? Has it not been updated properly?

  1. Is there a way to check the certificate expiration date in Windows environment?

I can only see what the public certificate transparency log says. This is your system and your certificate, folks like me can try to help but really it's all yours to understand.

Yes this seems like an error at first but I suspect win-acme is just not renewing the cert and is instead presenting information about the most recently cached cert. If you are just running the command it may see that there is a perfectly valid certificate with months left to go before expiry and use the cache cert instead.

You can check the stored certificate using certlm.msc (depending on which version of Windows you are using). Manage Computer Certificates > Personal > Certificates or Web Hosting > Certificates depending on where win-acme has stored them.

6 Likes

Thank you for the reply.

  1. If I can't find a certificate related to winacme in certlm.msc, where should I find it? (Windows Environment)

  2. Your words are ~~~~ in the \acme-v02.api.letsencrypt.org folder, regardless of the expiration date that you checked through wacs run in cmd. Are you saying that the expiration date in the history of renewal.json could be the real expiration date?

  3. What you can see as the real expiration date is the expiration date that you can check by running wacs in cmd, or in the folder \ProgramData\win-acme\acme-v02.api.letsencrypt.org. Is the expiration date in the history of renewal.json?

1 Like

Sorry I can't help much more than I already have for win-acme, I work on an alternative windows app https://certifytheweb.com which I can help more with.

If you can't find your certificate using certlm.msc (under Personal/My or Web Hosting) then it appears your certificate is not installed, however that's very unlikely as the default behaviour of win-acme would store the cert.

4 Likes
  1. If you can't find the certificate in certlm.msc, is it wrong to issue the certificate, so the certificate can't be updated properly?

  2. Then, should I manually renew the certificate?

If the certificate is not in the computer certificate store then there is something fundamentally wrong with your configuration.

I actually think you should remove the renewal in win-acme and just start again because you are currently in an inconsistent state that you don't understand and nobody else can really help you with.

7 Likes

So if you check the before renewal certificate
and the after renewal certificate with a tool like
https://redkestrel.co.uk/products/decoder/
You get the same results? Seems hard to believe. I am curious though.

Also there is SSL Certificate Check so that you can easily test the running certificate and get the PEM of the certificate.

4 Likes

Sounds like maybe the webserver wasn't restarted to use the newer cert ... ???

8 Likes

Yeah, if one has the certificate but is not using the certificate (and still using an old one) the expiration date would not change as the certificate in use, itself has not changed. :neutral_face:

4 Likes

How do I restart the Web server to use the latest certificate?

When I checked by running wacs on cmd, it said that the win-acme was automatically renewed and the history said that the renewal was successful.

  1. How do I check if I have the latest certificate?

  2. How do I use the latest certificate from my old certificate?

1 Like

If I entered the domain in the ssl certificate inspection but the inspection is not done, is the certificate not updated properly?

1 Like

Hard to say...

What web server are you using?

5 Likes

Thanks for the reply.

Server is : ~~ .rr.com

No, we are looking for the kind of server ... Apache, nginx, IIS, tomcat, ...

3 Likes

OS is : Windows
I applied it according to IIS.