SEC_ERROR_EXPIRED_CERTIFICATE

Discussion in 'Installation/Configuration' started by Poliman, Oct 23, 2017.

  1. Poliman

    Poliman Member

    I have ISPConfig 3.1.5 under Ubuntu 16.04. I set up a domain for this panel, let's say s1.example.net, and configured LE under ISP for this domain. Until 23.10.2017 11:01 everything worked well; the error message says that some certificate lost significance at the date/time above. Now I can't access the ISP panel. In Firefox I get the error SEC_ERROR_EXPIRED_CERTIFICATE (in Chrome I get NET::ERR_CERT_DATE_INVALID) and I can't add an exception due to HSTS. How can I resolve the issue? I changed only one thing on the server today: I ran dpkg-reconfigure locales, added one more locale (the default was en_US UTF8, I added pl_PL UTF8) and set it as the default. Other domains/websites configured under ISP with Let's Encrypt SSL work perfectly. I can paste some lines from the vhost file of the s1.example.net domain if needed.
     
  2. HSorgYves

    HSorgYves Active Member

    In Firefox you can bypass certificate errors, log into your ISPConfig and recreate the LE certificate.
     
  3. Poliman

    Poliman Member

    I can't log into ISP because of HSTS. Every web browser blocks the panel. The second thing is that all websites created by ISP which have LE SSL auto-renew their certificates. The domain for ISP was created in the same way, but in this case the LE SSL expired. I don't know why and I don't know how to resolve the issue.

    PS
    I can post the domain vhost used by ISP, but it's the default; the ispconfig vhost file is also the default. In the /etc/letsencrypt/live directory I have s1.example.net and s1.example.net-0001 directories. What's that? The alias domain created by ISP also has domain.com and domain.com-0001 directories, but all other domains have only one directory, named like the domain name.

    About cert files:
    Code:
    [email protected]:/etc/letsencrypt/live/s1.example.net-0001# ls -l
    total 0
    lrwxrwxrwx 1 root root 43 Sep 26 05:00 cert.pem -> ../../archive/s1.example.net-0001/cert2.pem
    lrwxrwxrwx 1 root root 44 Sep 26 05:00 chain.pem -> ../../archive/s1.example.net-0001/chain2.pem
    lrwxrwxrwx 1 root root 48 Sep 26 05:00 fullchain.pem -> ../../archive/s1.example.net-0001/fullchain2.pem
    lrwxrwxrwx 1 root root 46 Sep 26 05:00 privkey.pem -> ../../archive/s1.example.net-0001/privkey2.pem
    and for directory without "-0001":
    Code:
    [email protected]:/etc/letsencrypt/live/s1.example.net# ls -l
    total 0
    lrwxrwxrwx 1 root root 38 Jul 25 12:01 cert.pem -> ../../archive/s1.example.net/cert2.pem
    lrwxrwxrwx 1 root root 39 Jul 25 12:01 chain.pem -> ../../archive/s1.example.net/chain2.pem
    lrwxrwxrwx 1 root root 43 Jul 25 12:01 fullchain.pem -> ../../archive/s1.example.net/fullchain2.pem
    lrwxrwxrwx 1 root root 41 Jul 25 12:01 privkey.pem -> ../../archive/s1.example.net/privkey2.pem
    As you can see above, the certificates are renewed, but in the directory with "-0001". The problem is that the certs after renewal are not in the default domain directory.
    I used ahrasis's tutorial https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
    I have found https://community.letsencrypt.org/t...m-a-domain-tld-multidomain-certificate/8135/2 where the guy sahsanu talks about the "--expand" switch, which allows creating a certificate inside the same dir without adding the suffix "-0001". But I still can't understand why all other domains work fine with LE.
     
    Last edited: Oct 24, 2017
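
The situation in the post above (a renewed certificate sitting in a "-0001" lineage while the older lineage stays untouched) can be checked for across a whole server. The script below is an added example, not part of the thread; the function names are made up here, and it assumes the live-directory layout shown in the listings, with duplicate lineages named <name>-NNNN.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the layout in the listings:
# <live_dir>/<name>/cert.pem, duplicate lineages named <name>-NNNN.

# cert_state FILE -> "valid", "expired", or "unknown"
# ("unknown" when openssl is missing or FILE is not a parsable certificate)
cert_state() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return; }
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || { echo unknown; return; }
    if openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# find_split_lineages LIVE_DIR
# Prints one line per duplicate lineage whose cert.pem is newer than the
# base lineage's cert.pem (symlinks are followed to the archive files):
#   <base> <duplicate> <state of base cert> <state of duplicate cert>
find_split_lineages() {
    live_dir=$1
    for dup in "$live_dir"/*-[0-9][0-9][0-9][0-9]; do
        [ -e "$dup/cert.pem" ] || continue
        base=${dup%-[0-9][0-9][0-9][0-9]}
        [ -e "$base/cert.pem" ] || continue
        if [ "$dup/cert.pem" -nt "$base/cert.pem" ]; then
            echo "${base##*/} ${dup##*/} $(cert_state "$base/cert.pem") $(cert_state "$dup/cert.pem")"
        fi
    done
}

# Run against a real directory only when one is given, e.g.
#   sh check_lineages.sh /etc/letsencrypt/live
if [ $# -gt 0 ]; then
    find_split_lineages "$1"
fi
```

A line such as "s1.example.net s1.example.net-0001 expired valid" means renewals are going to the duplicate lineage, so any vhost still referencing the base directory keeps serving the expired certificate.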
