Wildcard generate expired cert


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: catcat.io

I ran this command:

sudo ./certbot-auto --os-packages-only
./tools/venv.sh
source venv/bin/activate

sudo ./certbot-auto -d catcat.io -d *.catcat.io --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/catcat.io/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/catcat.io/privkey.pem
    Your cert will expire on 2018-07-08. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

My web server is (include version): Ubuntu 16.04.3 LTS

The operating system my web server runs on is (include version): nginx 1.10.3

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

TL;DR: I executed the command today (2018-07-10), but certbot provided 2018-07-08 (an expired one). I expected a cert for the next 3 months, which should be 2018-10-10?


#2

What does “ls -alR /etc/letsencrypt/{archive,live}/” show?

Edit:

To add to that, Let’s Encrypt did issue a certificate:

https://transparencyreport.google.com/https/certificates/hjgoJjQId42PLi%2FTRVeR27jopa9xeAnFQya%2FR4mX9Ds%3D

It sounds like /etc/letsencrypt/ is damaged.

Did you know there was another certificate issued on June 8?

https://transparencyreport.google.com/https/certificates/l679va8DrgwxPPpuJEcULXjcy5ly5Iruc%2FqaH7uMVWc%3D

Also, what does “sudo ./certbot-auto certificates” show?


#3

root@catcat:~# ls -alR /etc/letsencrypt/{archive,live}/
/etc/letsencrypt/archive/:
total 20
drw------- 5 root root 4096 Apr 9 10:22 .
drwxr-xr-x 9 root root 4096 Jul 10 12:46 ..
drw------- 2 root root 4096 Jun 8 17:14 catcat.io
drwxr-xr-x 2 root root 4096 Apr 9 10:22 catcat.io-0001
drw------- 2 root root 4096 Mar 7 10:39 wallet.catcat.io
/etc/letsencrypt/archive/catcat.io:
total 40
drw------- 2 root root 4096 Jun 8 17:14 .
drw------- 5 root root 4096 Apr 9 10:22 ..
-rw------- 1 root root 1801 Mar 5 13:13 cert1.pem
-rw-r--r-- 1 root root 2155 Jul 10 09:29 cert2.pem
-rw------- 1 root root 1647 Mar 5 13:13 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 10 09:29 chain2.pem
-rw------- 1 root root 3448 Mar 5 13:13 fullchain1.pem
-rw-r--r-- 1 root root 3802 Jul 10 09:29 fullchain2.pem
-rw------- 1 root root 1704 Mar 5 13:13 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 10 09:29 privkey2.pem
/etc/letsencrypt/archive/catcat.io-0001:
total 24
drwxr-xr-x 2 root root 4096 Apr 9 10:22 .
drw------- 5 root root 4096 Apr 9 10:22 ..
-rw-r--r-- 1 root root 2155 Apr 9 10:22 cert1.pem
-rw-r--r-- 1 root root 1647 Apr 9 10:22 chain1.pem
-rw-r--r-- 1 root root 3802 Apr 9 10:22 fullchain1.pem
-rw-r--r-- 1 root root 1704 Apr 9 10:22 privkey1.pem
/etc/letsencrypt/archive/wallet.catcat.io:
total 24
drw------- 2 root root 4096 Mar 7 10:39 .
drw------- 5 root root 4096 Apr 9 10:22 ..
-rw------- 1 root root 1797 Mar 7 10:39 cert1.pem
-rw------- 1 root root 1647 Mar 7 10:39 chain1.pem
-rw------- 1 root root 3444 Mar 7 10:39 fullchain1.pem
-rw------- 1 root root 1704 Mar 7 10:39 privkey1.pem
/etc/letsencrypt/live/:
total 20
drwx------ 5 root root 4096 Apr 9 10:43 .
drwxr-xr-x 9 root root 4096 Jul 10 12:46 ..
drwxr-xr-x 2 root root 4096 Jul 10 09:29 catcat.io
drwxr-xr-x 2 root root 4096 Mar 5 13:13 catcat.io.backup
drwxr-xr-x 2 root root 4096 Mar 7 10:39 wallet.catcat.io
/etc/letsencrypt/live/catcat.io:
total 12
drwxr-xr-x 2 root root 4096 Jul 10 09:29 .
drwx------ 5 root root 4096 Apr 9 10:43 ..
-rw-r--r-- 1 root root 543 Apr 9 10:22 README
lrwxrwxrwx 1 root root 38 Jul 10 09:29 cert.pem -> ../../archive/catcat.io-0001/cert1.pem
lrwxrwxrwx 1 root root 39 Jul 10 09:29 chain.pem -> ../../archive/catcat.io-0001/chain1.pem
lrwxrwxrwx 1 root root 43 Jul 10 09:29 fullchain.pem -> ../../archive/catcat.io-0001/fullchain1.pem
lrwxrwxrwx 1 root root 41 Jul 10 09:29 privkey.pem -> ../../archive/catcat.io-0001/privkey1.pem
/etc/letsencrypt/live/catcat.io.backup:
total 12
drwxr-xr-x 2 root root 4096 Mar 5 13:13 .
drwx------ 5 root root 4096 Apr 9 10:43 ..
-rw-r--r-- 1 root root 543 Mar 5 13:13 README
lrwxrwxrwx 1 root root 33 Mar 5 13:13 cert.pem -> ../../archive/catcat.io/cert1.pem
lrwxrwxrwx 1 root root 34 Mar 5 13:13 chain.pem -> ../../archive/catcat.io/chain1.pem
lrwxrwxrwx 1 root root 38 Mar 5 13:13 fullchain.pem -> ../../archive/catcat.io/fullchain1.pem
lrwxrwxrwx 1 root root 36 Mar 5 13:13 privkey.pem -> ../../archive/catcat.io/privkey1.pem
/etc/letsencrypt/live/wallet.catcat.io:
total 12
drwxr-xr-x 2 root root 4096 Mar 7 10:39 .
drwx------ 5 root root 4096 Apr 9 10:43 ..
-rw-r--r-- 1 root root 543 Mar 7 10:39 README
lrwxrwxrwx 1 root root 40 Mar 7 10:39 cert.pem -> ../../archive/wallet.catcat.io/cert1.pem
lrwxrwxrwx 1 root root 41 Mar 7 10:39 chain.pem -> ../../archive/wallet.catcat.io/chain1.pem
lrwxrwxrwx 1 root root 45 Mar 7 10:39 fullchain.pem -> ../../archive/wallet.catcat.io/fullchain1.pem
lrwxrwxrwx 1 root root 43 Mar 7 10:39 privkey.pem -> ../../archive/wallet.catcat.io/privkey1.pem

And

root@catcat:~/certbot# source venv/bin/activate
(venv) root@catcat:~/certbot#  sudo ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: catcat.io
    Domains: catcat.io *.catcat.io
    Expiry Date: 2018-07-08 09:22:03+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/catcat.io/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/catcat.io/privkey.pem
-------------------------------------------------------------------------------

Thanks


#4

As @mnordhoff predicted,

In particular, Certbot makes many assumptions about the names and relationships of the items within /etc/letsencrypt. Renaming them can cause errors.

Can we see the contents of each file in /etc/letsencrypt/renewal as well? That might suggest how this configuration could be cleaned up.

It might be possible to move /etc/letsencrypt/live/catcat.io to /etc/letsencrypt/live/catcat.io-0001 and /etc/letsencrypt/live/catcat.io.backup to /etc/letsencrypt/live/catcat.io, but I wouldn't recommend doing that before looking at the /etc/letsencrypt/renewal files to make sure that their file references are consistent with this.
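
The naming relationship this reply refers to can be checked mechanically before anything is moved. The script below is an added example, not part of the original thread and not Certbot's own code; `check_lineages` and `LINEAGE_PROBLEMS` are hypothetical names, and it assumes the conventional layout in which each live/NAME/*.pem symlink points into archive/NAME and a renewal/NAME.conf exists.

```shell
#!/bin/sh
# Added example: read-only consistency check of a Certbot config tree.
# Assumption: live/NAME/{cert,chain,fullchain,privkey}.pem are symlinks
# into archive/NAME/, and renewal/NAME.conf exists for every live/NAME.
# check_lineages and LINEAGE_PROBLEMS are hypothetical names.

check_lineages() {
    root=${1:-/etc/letsencrypt}
    problems=0
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        for kind in cert chain fullchain privkey; do
            link="$dir$kind.pem"
            if [ ! -L "$link" ]; then
                echo "$name: $kind.pem is not a symlink"
                problems=$((problems + 1))
                continue
            fi
            target=$(readlink "$link")
            # Archive directory the link actually points into.
            lineage=$(basename "$(dirname "$target")")
            if [ "$lineage" != "$name" ]; then
                echo "$name: $kind.pem -> archive/$lineage (expected archive/$name)"
                problems=$((problems + 1))
            elif [ ! -e "$link" ]; then
                echo "$name: $kind.pem -> $target (target missing)"
                problems=$((problems + 1))
            fi
        done
        if [ ! -f "$root/renewal/$name.conf" ]; then
            echo "$name: no renewal/$name.conf"
            problems=$((problems + 1))
        fi
    done
    LINEAGE_PROBLEMS=$problems
    [ "$problems" -eq 0 ]
}

# Usage (as root): check_lineages /etc/letsencrypt
```

On a tree shaped like the listing in #3, this reports live/catcat.io linking into archive/catcat.io-0001 and live/catcat.io.backup linking into archive/catcat.io.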


#5

I think that’s because I manually renamed it. I (wrongly) assumed that catcat.io-0001 was junk from processing old certificates before wildcard was released and that it didn’t symlink properly at that time, so I decided to manually rename it.

I have now wiped out /etc/letsencrypt/ and reissued, and it seems to work now.

Thanks

