Unclear if cert was actually renewed


My domain is:
jimtellier.com
I ran this command:
certbot certificates
It produced this output:
(the .log file):
2024-10-03 13:41:47,636:DEBUG:certbot._internal.main:certbot version: 2.5.0
2024-10-03 13:41:47,636:DEBUG:certbot._internal.main:Location of certbot entry point: C:\Program Files\Certbot\bin\certbot.exe
2024-10-03 13:41:47,636:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2024-10-03 13:41:47,636:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-10-03 13:41:47,698:DEBUG:certbot._internal.log:Root logging level set at 30
2024-10-03 13:41:47,808:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e5.o.lencr.org:80
2024-10-03 13:41:47,995:DEBUG:urllib3.connectionpool:http://e5.o.lencr.org:80 "POST / HTTP/1.1" 200 345
2024-10-03 13:41:47,995:DEBUG:certbot.ocsp:OCSP response for certificate C:\Certbot\live\jimtellier.com-0001\cert.pem is signed by the certificate's issuer.
2024-10-03 13:41:48,011:DEBUG:certbot.ocsp:OCSP certificate status for C:\Certbot\live\jimtellier.com-0001\cert.pem is: OCSPCertStatus.GOOD
2024-10-03 13:41:48,026:DEBUG:certbot._internal.display.obj:Notifying user: Found the following certs:
Certificate Name: jimtellier.com-0001
Serial Number: 4c6a1194187702d6b3b6db5b240b9cab921
Key Type: ECDSA
Domains: jimtellier.com
Expiry Date: 2024-12-19 20:05:19+00:00 (VALID: 77 days)
Certificate Path: C:\Certbot\live\jimtellier.com-0001\fullchain.pem
Private Key Path: C:\Certbot\live\jimtellier.com-0001\privkey.pem
Certificate Name: jimtellier.com
Serial Number: 377f355480d987bab2d6808b9379ff6e466
Key Type: ECDSA
Domains: jimtellier.com www.jimtellier.com
Expiry Date: 2024-01-13 16:54:06+00:00 (INVALID: EXPIRED)
Certificate Path: C:\Certbot\live\jimtellier.com\fullchain.pem
Private Key Path: C:\Certbot\live\jimtellier.com\privkey.pem

My web server is (include version):
IIS 10.0.19041.1
The operating system my web server runs on is (include version):
Windows 10 Pro 22H2
My hosting provider, if applicable, is:
self
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.5.0

So, if I understand correctly, the previous cert Name was simply that of my domain, jimtellier.com. This log reports that old cert has expired, and the newest valid cert is jimtellier.com-0001. My DNS changed at approximately the same time as the cert expired, so I jumped through some hoops to (I thought!) get all this sorted out. However, some users of my site report seeing "invalid certificate" errors and "security warnings". A couple of those were resolved by having them purge cache entries. But my one question is: should I do something with (e.g. rename?) the .pem files related to the ...-0001 cert? Purge the old files? I don't feel confident that things are 100% correctly set up. TIA for any assist!

Yes; Several things.

  1. reissue the cert with the www [presuming that someone will inevitably type it in]
  2. delete any unused certs
  3. replace certbot for Windows with another client [like: CertifyTheWeb]

No; You should never tinker with anything within the C:\Certbot\ folder.

I agree with you 100%.

8 Likes

OK, thanks for the info; should there be a separate cert for www. and just ? And could you elaborate on why not using certbot for windows? IIRC, that was recommended here; I may be mistaken. Does CertifyTheWeb supersede Certbot, or is it just a better alternative? TIA for your quick help!

1 Like

The EFF develops Certbot (not ISRG who does Let's Encrypt). EFF dropped support for Certbot on Windows this past Feb.

Certbot was never the best ACME Client on Windows, although in certain cases it worked okay. Certify the Web and others were designed for Windows. Certify being easiest but win-acme and posh-acme also have their place. See: ACME Client Implementations - Let's Encrypt

You used to have a cert with both your apex and www subdomains in it. But, the -0001 only has your apex. I'm not sure how you got in the state you did. Normally running Certbot renew just updates your existing certs. To get a -0001 means you must have tried to issue a new one. Without knowing exactly what you did it is hard to say how to proceed.

It seems a good time to migrate away from Certbot rather than repairing a mixed-up config.

Certify is extremely well-integrated with IIS especially and is a nice gui. It would probably be very easy to migrate to.

6 Likes
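The two points raised above (which of the two lineages IIS is actually serving, and that the -0001 cert lacks the www name) can both be checked from the outside without touching C:\Certbot\. The script below is an added example, not code from the thread, from Certbot or from Certify the Web; the function names are its own. It handshakes with the server the way a browser would, using the system trust store, reports the leaf certificate's SANs, serial number and days to expiry, and lists any required names the certificate does not cover. The sample dicts at the bottom are constructed in the shape `getpeercert()` returns, with serials, SANs and expiry dates copied from the `certbot certificates` output in the first post.

```python
"""Check which certificate a server really presents and whether it covers
the names users will type. Added example, not code from the thread or from
Certbot; the function names are this example's own."""
import socket
import ssl
import sys
import time
from typing import Iterable, List, Optional


def cert_time(s: str) -> float:
    """Epoch seconds for a time string in getpeercert() format,
    e.g. 'Dec 19 20:05:19 2024 GMT'."""
    return ssl.cert_time_to_seconds(s)


def fetch_served_cert(hostname: str, port: int = 443, timeout: float = 10.0) -> dict:
    """TLS handshake with SNI, validated against the system trust store.
    Returns {"cert": <getpeercert() dict>} when the chain validates, otherwise
    {"error": <OpenSSL verify message>} such as 'certificate has expired' or a
    hostname mismatch. Python only exposes the parsed dict for a validated
    chain, so a rejected certificate is reported through the verify message."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"cert": tls.getpeercert()}
    except ssl.SSLCertVerificationError as exc:
        return {"error": exc.verify_message or str(exc)}


def dns_names(cert: dict) -> List[str]:
    """DNS entries of the subjectAltName extension, as getpeercert() lists them."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_covered(name: str, sans: Iterable[str]) -> bool:
    """Exact match, or a single-label wildcard match (*.example.com covers
    www.example.com but not example.com itself)."""
    name = name.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == name:
            return True
        if san.startswith("*.") and san.count(".") == name.count(".") and name.endswith(san[1:]):
            return True
    return False


def audit_cert(cert: dict, required_names: Iterable[str], now: Optional[float] = None) -> dict:
    """Compare a served certificate against the names it must cover and the
    current time. 'serial' is lower-case hex, directly comparable with the
    Serial Number line printed by `certbot certificates`."""
    now = time.time() if now is None else now
    sans = dns_names(cert)
    seconds_left = cert_time(cert["notAfter"]) - now
    return {
        "serial": cert.get("serialNumber", "").lower(),
        "dns_names": sans,
        "missing": [n for n in required_names if not name_covered(n, sans)],
        "expired": seconds_left <= 0,
        "days_left": int(seconds_left // 86400),
    }


# Constructed sample inputs in the shape getpeercert() returns. Serial numbers,
# SANs and expiry dates are copied from the `certbot certificates` output in
# the thread; the dicts themselves are built here for the example.
NEW_CERT = {  # the -0001 lineage: still valid, but apex only
    "subject": ((("commonName", "jimtellier.com"),),),
    "subjectAltName": (("DNS", "jimtellier.com"),),
    "serialNumber": "4C6A1194187702D6B3B6DB5B240B9CAB921",
    "notAfter": "Dec 19 20:05:19 2024 GMT",
}
OLD_CERT = {  # the original lineage: covers both names, but expired
    "subject": ((("commonName", "jimtellier.com"),),),
    "subjectAltName": (("DNS", "jimtellier.com"), ("DNS", "www.jimtellier.com")),
    "serialNumber": "377F355480D987BAB2D6808B9379FF6E466",
    "notAfter": "Jan 13 16:54:06 2024 GMT",
}


def report(hostname: str, required_names: Iterable[str]) -> dict:
    """Fetch the live certificate for hostname and audit it (network call)."""
    result = fetch_served_cert(hostname)
    if "error" in result:
        return result
    return audit_cert(result["cert"], required_names)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "jimtellier.com"
    # Connect to the apex and to www separately: a certificate that lacks the
    # www SAN shows up as a hostname-mismatch error on the second connection,
    # which is the "invalid certificate" warning users of the site reported.
    for name in (host, "www." + host):
        print(name, report(name, [host, "www." + host]))
```

Run it as `python check_cert.py jimtellier.com`. If the serial printed for the apex matches the Serial Number of the -0001 lineage, IIS is serving the renewed file and the stale files in the old lineage are not in use; a `missing` list containing `www.jimtellier.com`, or a verify error on the www connection, confirms the answer above that the new certificate has to be reissued with both names.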

Thanks for your help with this! I got CertifyTheWeb as suggested, and was finally able to get a working certificate setup!
Jim

3 Likes
