[Solved] Let's Encrypt properly renewed and installed... but not "seen" by the rest of the internet, still expired?!?

#1 Mon, 03/11/2019 - 03:31
OliverF

(Final EDIT: in this present case, the key was that Apache was prevented from restarting by a third-party issue; fix that issue, allow Apache to restart, and all's good)

Hello,

A serious problem: Virtualmin says it manages to renew Let's Encrypt certificates; however, while it appears good on the Virtualmin side, those renewed certificates aren't "seen" by the rest of the internet. For the rest of the internet, we're still with an expired certificate; the new certificate isn't seen O_o

*

I have that for 2 websites that had Let's Encrypt expire, olivertest.net and gogovertigo.com. I'll give the example for one of them.

I added Let's Encrypt to the olivertest.net domain (my sandbox where I test stuff) a few months ago, with Virtualmin, didn't notice it expired 3 days ago, and renewed it yesterday evening. But when I wanted to test something in SSL for the first time, I found out the website doesn't load anything in SSL, with the error message the certificate has expired. So, I renewed it again in virtualmin just 20 minutes ago. Once again, same deal, the certificate renewal isn't witnessed by the rest of the internet.

It's as if something fails to tell "hey, I'm the new certificate, I'm still good".

I'm totally at a loss at the moment, may I humbly ask for help or opinions? Please? :)

*

More details:

The certificate installation result in virtualmin says all's good:

Requesting a certificate for olivertest.net, www.olivertest.net, autoconfig.olivertest.net from Let's Encrypt ..
.. request was successful!
Configuring webserver to use new certificate and key ..
.. done
Applying web server configuration ..
.. done

Screenshot of the SSL Certificate tab in Virtualmin, no error status: http://olivertest.net/stable/olivertestletsencrypt1.jpg http://olivertest.net/stable/olivertestletsencrypt2.jpg

But... SSL tests say otherwise: https://www.sslshopper.com/ssl-checker.html#hostname=olivertest.net ("This certificate has expired (3 days ago). Renew now.")
Microsoft Edge agrees: "DLG_FLAGS_SEC_CERT_DATE_INVALID"
Firefox too: SEC_ERROR_EXPIRED_CERTIFICATE, and it goes on to say the certificate expired 3 days ago

The website is NOT behind cloudflare or any CDN, directly plugged onto the internet from my Debian dedi.

I tried requesting a new Letsencrypt certificate, I also tried simply renewing it, both without any change in the results, not working in SSL, expired.

*

Super duper quick EDIT: I'm mentioning it just in case, maybe, just maybe, there might be a relation, ATM my server can't restart Apache for unrelated reasons. So - once again: maybe - if Virtualmin needs to restart Apache for the certificate renewal to be taken into account, this might be a cause.

*

And at this point, this is it, I'm totally lost :(

Please, would someone know what might be wrong?

Mon, 03/11/2019 - 06:40
Welshman

I had this once, it came right. Never understood why. Cache maybe?? Just no logs on it to work with.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Tue, 03/12/2019 - 05:29
OliverF

All right, case closed :)

The key problem was that Apache wasn't allowed to restart, for reasons unrelated to the present Let's Encrypt problem. Once I fixed that problem and Apache could successfully restart, the new Let's Encrypt certificates were instantly recognized by the rest of the internet.

If you ever have a similar problem, it won't harm to test it yourselves.
service apache2 status (see if all's OK so far)
service apache2 restart (see if it's able to restart at all, if there's a problem the server will refuse to initiate the restarting at all, so your sites shouldn't be at risk of ending up offline, and you'll know this is why the new letsencrypt isn't taken into account)