Trying to renew got message Cert not yet due for renewal

Help
#1

Get an email yesterday:

Your certificate (or certificates) for the names listed below will expire in
0 days (on 16 Jun 17 17:46 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.
mobiledatabook.net
www.mobiledatabook.net

Trying to renew:
./certbot-auto renew
get following messageL
Cert not yet due for renewal

#2

There appear to be two certs for that domain:

https://crt.sh/?id=105832654
Not Before: Mar 18 18:03:00 2017 GMT
Not After : Jun 16 18:03:00 2017 GMT

https://crt.sh/?id=145078563
Not Before: May 27 17:49:00 2017 GMT
Not After : Aug 25 17:49:00 2017 GMT

Unfortunately the one being served is the one that is expired:
https://dev.ssllabs.com/ssltest/analyze.html?d=www.mobiledatabook.net&hideResults=on

#3

Thank you - what do you recommend to do?

how to remove
Not Before: Mar 18 18:03:00 2017 GMT
Not After : Jun 16 18:03:00 2017 GMT

This command:
./certbot-auto certificates
is returning:

Found the following certs:
Certificate Name: mobiledatabook.net
Domains: mobiledatabook.net mobiledatabooks.net www.mobiledatabook.net www.mobiledatabooks.net
Expiry Date: 2017-08-25 17:49:00+00:00 (VALID: 69 days)
Certificate Path: /etc/letsencrypt/live/mobiledatabook.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mobiledatabook.net/privkey.pem

or how to remove mobiledatabook.net and www.mobiledatabook.net and get certificate only for mobiledatabooks.net and www.mobiledatabooks.net?

#4

Show your server configuration file.
The part that uses the certificate.

#5

I am using:
/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem
/etc/letsencrypt/live/mobiledatabook.net/privkey.pem

in fullchain.pem I see two certificates:
-----BEGIN CERTIFICATE-----
1st …
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
2nd…
-----END CERTIFICATE-----

#7

Try to find the location of all fullchain.pem files:
find / -name fullchain.pem

#8

You mean to delete this one:
----BEGIN CERTIFICATE-----
MIIFTjCCBDagAwIBAgISA3wx9eE9T3int/h5fw0d/6jMMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMTgxODAzMDBaFw0x
NzA2MTYxODAzMDBaMB0xGzAZBgNVBAMTEm1vYmlsZWRhdGFib29rLm5ldDCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMkjnvSyQ2B3W1xa0U9U1Kc1ubpL
ef6yFBlkynEDNBMQ9hzvgKcpUSDbMshQhI8U9QDzJa1js1necf6KesfZ/m+eezbw
Yauk7Yf8d/daqYjOxmxLQ1JZiZYX6Y0OVAnpIlBTZSqwosFPWza/LWHzkQGr3Wjo
s7qzsKTEbsqaHyJ38UdlfzuUb6yRbwmtEclGbDJvYPgcihox1y/WL09rq7Tw8uIw
nH0YRkc5LIR8tsyI/ctGzpB+NU1P6T5Kx8/LA6lTn7tajlQt7gtPb/pYBCl/uWMr
1OKjmyYHNUwMEyU2MGu46325AMU+6/pgpkn1PddlQl35aJg9URsu3O/4eQkCAwEA
AaOCAlkwggJVMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUp1By3SDBzapUxzBGAlZk
TIESGyowHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUH
AQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5
cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNy
eXB0Lm9yZy8wYwYDVR0RBFwwWoISbW9iaWxlZGF0YWJvb2submV0ghNtb2JpbGVk
YXRhYm9va3MubmV0ghZ3d3cubW9iaWxlZGF0YWJvb2submV0ghd3d3cubW9iaWxl
ZGF0YWJvb2tzLm5ldDCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC
3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3Jn
MIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUg
cmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29y
ZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBz
Oi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IB
AQATwtgRYaFjTiqOcugqBKE/AsGteh1fPW+fVD2V8KkKRidwhMIvTYwnJksQ5s9M
3EABIieCgepbvzlQTLqkm2LzGM7S+ClECdF5lOjqSgSO467NcWIs4NXiL4oF4VUK
iuPolfGJlehjYLM4M6OLKKSc3RoIz6lKNpiOwLUlOH7P7D2omykpJIHoyNTMJ0Ii
wiS33RfONuLl3qKclf1IEE9HTUnAUiH1uJIIYzAShEADFLoajlAX9rJoQNekMjUD
1vmUS8OEGLOK5XzKQqEtvQ51SJU+9PPXCgSn30JviHjtN1c7jQ6OifKQoAZ5rVwq
IkgY3SqAXKtp54Fq5AWA/Bnw
-----END CERTIFICATE-----

from ullchain.pem file?

#9

NO DO NOT DELETE ANYTHING.
The cert I showed was the expired one.
The cert you showed is the same.
So, we are agreed that you are serving the expired cert.
Now we need to find the cert that is NOT expired.

Find the correct file location first.

#10

I am looking in /etc/letsencrypt/archive/mobiledatabook.net - there are fullchain1.pem … fullchain6.pem

#12

here it is:
/private/etc/letsencrypt/archive/mobiledatabook.net/fullchain1.pem
/private/etc/letsencrypt/archive/mobiledatabook.net/fullchain2.pem
/private/etc/letsencrypt/archive/mobiledatabook.net/fullchain3.pem
/private/etc/letsencrypt/archive/mobiledatabook.net/fullchain4.pem
/private/etc/letsencrypt/archive/mobiledatabook.net/fullchain5.pem
/private/etc/letsencrypt/archive/mobiledatabook.net/fullchain6.pem
/private/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem
/Users/MyServer/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/tests/testdata/sample-archive/fullchain1.pem

#14

sudo ls -l /private/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem
lrwxr-xr-x 1 root wheel 47 May 27 11:48 /private/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem -> …/…/archive/mobiledatabook.net/fullchain6.pem

sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain5.pem
-rw-r–r-- 1 root wheel 3546 Mar 18 12:03 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain5.pem

fullchain5.pem still contains:

-----BEGIN CERTIFICATE-----
MIIFTjCCBDagAwIBAgISA3wx9eE9T3int/h5fw0d/6jMMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMTgxODAzMDBaFw0x
… shortened to save paper and electrons - lol …
wiS33RfONuLl3qKclf1IEE9HTUnAUiH1uJIIYzAShEADFLoajlAX9rJoQNekMjUD
1vmUS8OEGLOK5XzKQqEtvQ51SJU+9PPXCgSn30JviHjtN1c7jQ6OifKQoAZ5rVwq
IkgY3SqAXKtp54Fq5AWA/Bnw
-----END CERTIFICATE-----

But I see fullchain4.pem has different one in place of the above

#16

sudo sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain*.pem
ls: /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain*.pem: No such file or directory

I will get the dates one by one

#17

Now we compare dates.
Please show all of them:
sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain1.pem
sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain2.pem
sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain3.pem
sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain4.pem
sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain5.pem
sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain6.pem
sudo ls -l /private/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem

#18

sudo sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain1.pem
-rw-r–r-- 1 root wheel 3485 Aug 4 2016 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain1.pem

sudo sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain2.pem
-rw-r–r-- 1 root wheel 3485 Oct 21 2016 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain2.pem

sudo sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain3.pem
-rw-r–r-- 1 root wheel 3485 Jan 2 09:30 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain3.pem

sudo sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain4.pem
-rw-r–r-- 1 root wheel 3485 Mar 18 11:45 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain4.pem

sudo sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain5.pem
-rw-r–r-- 1 root wheel 3546 Mar 18 12:03 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain5.pem

sudo sudo ls -l /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain6.pem
-rw-r–r-- 1 root wheel 3546 May 27 11:48 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain6.pem

sudo ls -l /private/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem
lrwxr-xr-x 1 root wheel 47 May 27 11:48 /private/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem -> …/…/archive/mobiledatabook.net/fullchain6.pem

but I remember originally mobiledatabook.net was requested from another server. Then I installed a new server and made a request for combined certificate:
./certbot-auto certonly --webroot -w /tmp/letsencrypt -d mobiledatabook.net -d www.mobiledatabook.net -d mobiledatabooks.net -d www.mobiledatabooks.net

which is I am using currently.

Because I am requesting the web service with mobiledatabooks.net or www.mobiledatabooks.net
I can simply get rid of mobiledatabook.net and www.mobiledatabook.net for now so the web service to work properly

#19

OK from this:
-rw-r–r-- 3485 Aug 4 2016 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain1.pem
-rw-r–r-- 3485 Oct 21 2016 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain2.pem
-rw-r–r-- 3485 Jan 2 09:30 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain3.pem
-rw-r–r-- 3485 Mar 18 11:45 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain4.pem
-rw-r–r-- 3546 Mar 18 12:03 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain5.pem
-rw-r–r-- 3546 May 27 11:48 /private/etc/letsencrypt/archive/mobiledatabook.net/fullchain6.pem
lrwxr-xr-x 47 May 27 11:48 /private/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem -> …/…/archive/mobiledatabook.net/fullchain6.pem

We can see that
/private/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem
is a symbolic link to
/private/etc/letsencrypt/archive/mobiledatabook.net/fullchain6.pem
Which shows the correct cert date (“May 27”)
However, the cert being served has a creation date of (“Mar 18”), like:
/private/etc/letsencrypt/archive/mobiledatabook.net/fullchain4.pem
/private/etc/letsencrypt/archive/mobiledatabook.net/fullchain5.pem

So, your web server configuration file must be using one of those two names (fullchain4.pem or fullchain5.pem)
Instead of the correct (link):
/private/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem

Please show the SSL configuration file portion.

#21

So what I need to do?

#22

There we can update it manually to use the symlink file and it should renew from then on without problems via:

#23

SSL configuration file portion - where is that?

#24

That depends on the type of web server.
Which web server are you running?

1 Like
#25

I am running Golang server which reads the both .pem files to serve the SSL

I using a copy of:
/etc/letsencrypt/live/mobiledatabook.net/fullchain.pem
/etc/letsencrypt/live/mobiledatabook.net/privkey.pem
in different directory

What information we need?

For Apache I see sample file containing:
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

I am using:
fullchain.pem
privkey.pem