This certificate has expired or is not yet valid

Note: My server had been properly configured with a correctly functioning “Lets Encrypt” certificate for the past 2-3 years. And I guess that it must have been automatically updated regularily via the respective plesk configuration during those years (it’s been running so long that I don’t even remember if I had done any manual configuration steps when I first activated it - also via plesk - some years ago). The problem suddenly started today 23-Dec-2019 and for some reason the currently used certificate is valid 24-Sep-19 to 23-Dec-19, i.e. it expired today and WASN’T replaced by a new one in time and now all the web browers obviously complain when accessing my domain.

The same certificate is used for my 2 sub-domains www.wothke.ch and webmail.wothke.ch.

I am not aware of any recent changes on “my” server - and in case my hoster actually did change something on the configuration, he doesn’t tell me. (In fact he acts as if he wanted to convice his existing “Lets Encrypt” users to switch to some of the other offerings that he is trying to sell.)

I already tried to use the respective plesk UI to manually trigger an update of the certificate and the “success message” in the plesk UI suggests that a new “Lets Encrypt” certificate has actually been installed - however that “new” certificate then still uses that very same expired validity range and produces the very same problems.

Any ideas where the problem originates and what to do about it?

My domain is: webmail.wothke.ch

I ran this command: https://webmail.wothke.ch

It produced this output: “This certificate has expired or is not yet valid.
Valid from 24-Sep-19 to 23-Dec-19”

My web server is (include version): I guess that my hoster is using nginx and my only means to manipulate the servers configuration is through the PLESK UI that my hoster provides. I have no idea what exact version he might be using.

The operating system my web server runs on is (include version): no idea, probably Linux

My hosting provider, if applicable, is: servertown.ch

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): plesk (I didn’t see any version number in that crappy UI; but here is a link to the respective login page in case that migh help https://www05.servertown.ch:8443/)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): na

Hi,

Since you are using Plesk and might used Let’s Encrypt add-on (plugin) that come with plesk, have you tried to use Let’s Encrypt plugin and request a new certificate?

Also, if you don’t have shell access or admin access to Plesk panel, the best way to resolve such issue is to contact your hosting provider.

Thanks

Like I said above, that is exactly what I already tried to fix the problem. I repeated that process just now. Using the respective plesk functionalities (aka plugin):

1. I disabled SSL and completely
2. deleted all previous certificates
3. created & installed a new certificate using “Let’s Encrypt” plesk plugin

=> I am getting success message: “Information: Das SSL/TLS-Zertifikat von Let’s Encrypt wurde auf wothke.ch installiert.” (i.e. install supposedly was successful)

When base64 decoding the respective new certificate shown in plesk (i.e. the one that supposedly was successfully installed), I see stuff like:
…
Let’s Encrypt1#0!ULet’s Encrypt Authority X30
191223201957Z
200322201957Z010U wothke.ch0"0
…
and I guess that the last two lines actually show the new valid range, i.e.
23-12-2019 to 22-03-2020.

But for some reason that new certificate DOES NOT seem to get used, and when I open a webpage on my domain I still get the same browser error message with the old expired certificate (in Chrome as well as in Firefox).

Hi,

I feel like you’ll need to bring this to your hosting provider, because they might need to restart nginx / apache manually (hence flush the cache).

Thanks

There might be some update to your Plesk system, but only your hosting provider would be affected, and generally it would only affect new issuance, instead of certificate update (nginx/Apache cache).

Hi @wothke

yep, the certificates are created, that has hitted the limit. But the installation didn't work.

There were Letsencrypt changes (GET -> POST), but that's not your problem. The certificate creation has worked, the installation not.

Is it possible to find one of these new certificates? So you are able to install it manual?

Perhaps ask in the Plesk forum to find the certificates. I don't use Plesk, so I don't know these details.

I see the base64 encoded CSR/key/crt/-ca.crt parts of the last attempt I had made to install an updated certificate in the respective Plesk UI. (I had repeatedly tried to get/install an updated certificate on 23-12-2019: I did this using the "Let's encrypt" plugin available in the Plesk, i.e. I just pressed some "update" button and everything else is supposed to be done automatically in the background. It seems that at some point I hit the 5-attempts per week limit and I don't know if the respective data that I currently see in the admin-UI is still a usable certificate or if it is something that just says "you've hit the 5-attemps limit" - the base64 decoded data of the certificate suggests that it is an updated version with a validity starting at the time I created it). Unfortunately I already deleted all the previous versions and I only have this last one left.

The only means I have to manually update a certificate is a respective "upload" form in the Plesk UI. But I have no idea where the respective configuration actually ends up on the server, nor do I have direct access to the respective configuration.

Just now I used the respective UI to upload a copy of the "Let's Encrypt" certificate that I have (just to check if that dialog might behave differently than the automated "Let's Encrypt" plugin functionality). But it doesn't seem to make any difference: The UI reports that the copied certificate is being used - but it isn't and I still get the same browser-error caused by the expired old certificate.

I also checked the error logs and there are no new entries that might suggest that something went wrong while installing the certificate.

That probably means your hosting provider have some issue...
I use Plesk for some of my domains, and if there's any similar issue it's probably due to the web server not restarted.

PS: what exactely does "installation didn't work" mean in this context?

a) at that stage, is there still any kind of handshaking with the "Lets encrypt" infrastructure involved - that might still fail? or:

b) is it that my Hoster has actually downloaded the respective updated certificate (he must have since it is displayed in the respective admin-UI) and therefore has everything needed to perform the install, i.e. if he fails to do so he cannot blame anybody else?

Letsencrypt isn't involved if the certificate is created, but if your software or your hoster isn't able to install the certificate.

Buggy local software -> you or your hoster has to fix it.

So it's a local problem.

thanks, that's what I thought.. unfortunately the only admin-interface (Plesk) that my hoster Servertown makes available to his customers doesn't even allow to properly remove an old certificate let alone upload a new one.. I have no access rights to fix anthing on web server configuration directely.

Unfortunately my hoster is in complete denial ("ich kann Ihnen nicht helfen ... Lets encrypt macht häufig Probleme wie man problemlos im Internet nachlesen kann.") so the only way for me to fix this issue is to migrate my stuff to another hoster .. what a bummer!

Schicken Sie ihm einen Link zu diesem Beitrag. Das ist eine Ausrede. Das Zertifikat ist im CT-Log sichtbar, also ist das ein ausschließlich lokales Installationsproblem.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.