Why am I not yet due for renewal - yet it's expired?

Hello friends,

I am trying to figure out how to renew my SSL certificate on my site. I am experiencing what I think was a similar problem I had before, but I'm not sure how I solved it. I have my website, "mathtutortime.com". I think if you search it, it will say that this site is secure, which is the experience I have. However, when I am doing further stuff on another node, my SSL certificate for that expired a few days ago. This is located at: https://www.mathtutortime.com:3001/requestwhiteboard.

I know this expired only a few days ago because I got a message it would expire. However, this issue I am facing is that if I run sudo certbot renew, it tells me: the following certs are not due for renewal yet: /etc/letsencrypt/live/mathtutortime.com/fullchain.pem expires on 2021-04-10 (skipped). No renewals are attempted. I'm guessing that's the certificate for my main site, but not for the port 3001 that recently expired soon. How can I find this other one, and then possibly do it so it's one certificate for both?

Thanks.

2 Likes

How is the port 3001 webserver configured? Was it reloaded after the renewal, if it's using the files from the /live/ directory?

Also, I'm seeing a few overlapping certificates when looking at https://crt.sh/?q=mathtutortime.com&deduplicate=y

The most recent certificate from January 11th is probably a renewal from the certificate issued on November 13th, as that's exactly 60 days apart. However, the certificate currently in use on your port 3001 was issued on November 24th and expired on February 22nd recently, but was not renewed at all.

So I'm wondering: how many certificates do you have when you execute certbot certificates? Which certificates are actually in use? Which aren't, are superfluous and could be removed?

2 Likes

I didn't know it was this location until just recently, when I did reload that server... It's over a nodejs server that I reloaded a few minutes ago.

I'm also seeing when I run certbot certificates I have two certificates, which I remember now is what I think I was aiming for because I wanted it to be secure when they go to www.mathtutortime.com and mathtutortime.com (the two certificates). Even though I am seeing after I put on my server that it automatically forwards to the www. version, so I think I can technically get rid of the non-www now.

These two certificates seem to be the one on my main site that I mentioned before because it says it expires on 2021-04-10. So I'm wondering if I need to look in another location? Like is it possible running certbot in different locations does something different? I'm curious where that other one that expired is.

2 Likes

Please paste the output of the command here, so we can look at it. (It would help if you put them between three backticks (```) on a single line above and below the output for proper formatting.)

Also, the question still stands: how did you configure your port 3001 webserver, i.e., Node.js?

Did you run certbot on different locations?

2 Likes

Sure, thank you. Sorry, it's two domains and one certificate is what I should have said:

```
root@raspberrypi:/etc/letsencrypt/live/mathtutortime.com# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: : mathtutortime.com
Domains: mathtutortime.com www.mathtutortime.com
Expiry Date: 2021-04-10 23:06:25+00:00 (VALID: 44 days)
Certificate Path: /etc/letsencrypt/live/mathtutortime.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mathtutortime.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

I can't remember all the specifics of how I configured the server on nodejs, but I know that I got a certificate and pasted in the directory. If I remember right, the reason I did this is because my node server wasn't accepting the original location that it was in.

Here are my options in my node file:

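```javascript
var fs = require('fs');
var path = require('path');

// Key and certificate are read once, when the server starts.
var options = {
  key: fs.readFileSync(path.resolve('./privkey.pem')),
  cert: fs.readFileSync('/var/www/html/cert.pem'),
  requestCert: false,
  credentials: true,
  reconnect: true,
  secure: true,
  rejectUnauthorized: false,
  upgrade: false,
  transports: ['websocket']
};
```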

2 Likes

Where do those Facebook links come from? That's not from the certbot output!

It looks like your Node.js configuration uses copied files from the /live/ directory. You should point those configuration directives to the actual pem files in the /live/ directory, if possible.

If that isn't possible, for example, if your Node.js server runs on a different location, you could write a script which can (securely!) distribute the files from the /live/ directory to a location used by Node.js which would be called from certbot when a certificate has been renewed.

It's logical that manually copied certificate and key files aren't magically updated when the cert is renewed.

2 Likes
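One way to write the distribution script suggested in the post above, as an added example that is not part of the original thread: a certbot deploy hook that copies the renewed key and chain to a directory the Node.js process can read, then restarts it. The destination directory, service user and systemd unit name are assumptions for illustration; `RENEWED_LINEAGE` is the variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook, e.g. saved as an executable file in
# /etc/letsencrypt/renewal-hooks/deploy/. Certbot runs it as root after a
# successful renewal with RENEWED_LINEAGE set to the /live/<name> directory.
# DEST_DIR, SVC_USER and SVC_UNIT are assumed names, not from the thread.
DEST_DIR="${DEST_DIR:-/opt/whiteboard/tls}"
SVC_USER="${SVC_USER:-nodeapp}"
SVC_UNIT="${SVC_UNIT:-whiteboard.service}"

# copy_one SRC DST MODE OWNER
# Writes to a temp file beside DST and renames it into place, so the server
# never sees a half-written file. mktemp creates the file 0600, so the key is
# never readable by other users. cat follows the symlinks used in /live/.
copy_one() {
    c_src=$1; c_dst=$2; c_mode=$3; c_owner=$4
    c_tmp=$(mktemp "$(dirname "$c_dst")/.tmp.XXXXXX") || return 1
    cat "$c_src" > "$c_tmp" &&
        { [ -z "$c_owner" ] || chown "$c_owner" "$c_tmp"; } &&
        chmod "$c_mode" "$c_tmp" &&
        mv -f "$c_tmp" "$c_dst" || { rm -f "$c_tmp"; return 1; }
}

# deploy_cert LINEAGE DEST OWNER (an empty OWNER skips the chown)
deploy_cert() {
    d_src=$1; d_dst=$2; d_owner=$3
    [ -r "$d_src/fullchain.pem" ] && [ -r "$d_src/privkey.pem" ] || return 1
    mkdir -p "$d_dst" && chmod 755 "$d_dst" || return 1
    copy_one "$d_src/privkey.pem"   "$d_dst/privkey.pem"   600 "$d_owner" || return 1
    copy_one "$d_src/fullchain.pem" "$d_dst/fullchain.pem" 644 "$d_owner" || return 1
}

# Only act when certbot invoked this script for a renewed certificate.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$DEST_DIR" "$SVC_USER" &&
        systemctl restart "$SVC_UNIT"   # the server reads the files only at startup
fi
```

With the key owned by the service user at mode 600, the Node.js `key` and `cert` options can point at the copies in the destination directory; `fullchain.pem` rather than `cert.pem` is the file to use for `cert` so the intermediate certificate is served too.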

Ok, so I did that and tried to restart my node server. Now I am getting that the server won't start because permission is denied for access. I agree that I should probably be leading it straight there. One sec, let me see if I can chown or chmod this...

2 Likes

That seems good for a couple of weeks before needing to be renewed.

3 Likes

Yea, this was the issue. I was able to get my server to run by doing sudo when running my server. I probably want to fix this so I don't need to do that, something Linux related. But that was the culprit. It wasn't updating because it was pointing to a non-updated file in my node server, rather than actual Let's Encrypt. @Osiris - Thanks a lot.

4 Likes
