LetsEncrypt - SSL certificate is not valid

  • I think we'll get trouble. Debian test with time in the future:


    # service ntp stop

    # date --set="2 OCT 2021 18:00:00"

    # openssl verify -CAfile fullchain14.pem -purpose sslserver cert14.pem

    O = Digital Signature Trust Co., CN = DST Root CA X3

    error 10 at 3 depth lookup: certificate has expired

    error cert14.pem: verification failed


    # service ntp start

    # openssl verify -CAfile fullchain14.pem -purpose sslserver cert14.pem

    cert14.pem: OK


    maybe sub validateCertificate in /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm should be disabled ?
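
Added example, not part of the original thread and not i-MSCP or plugin code: the same future-date test can be run without stopping ntp or changing the system clock by passing the time to `openssl verify -attime`. The chain is constructed for the demonstration, and the function names `verify_at`, `make_test_chain` and `demo` are hypothetical.

```shell
#!/bin/sh
# Check a certificate chain at a chosen point in time, leaving the clock alone.

# verify_at EPOCH CAFILE CERT
# Prints openssl's messages and returns its exit status (0 when the chain verifies).
verify_at() {
    openssl verify -attime "$1" -CAfile "$2" -purpose sslserver "$3" 2>&1
}

# make_test_chain DIR
# Builds a constructed chain in DIR: a root valid for 1 day and a leaf valid
# for 10 days, so the root expires while the leaf is still inside its validity.
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Test/CN=Constructed Test Root" \
        -keyout "$1/root.key" -out "$1/root.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mydomain.tld" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 10 -out "$1/leaf.pem" >/dev/null 2>&1
}

# Verify the same constructed chain at two points in time.
demo() {
    dir=$(mktemp -d) || return 1
    make_test_chain "$dir" || return 1
    now=$(date +%s)
    echo "--- one hour from now:"
    verify_at $((now + 3600)) "$dir/root.pem" "$dir/leaf.pem"
    echo "--- two days from now (root expired, leaf not):"
    verify_at $((now + 2 * 86400)) "$dir/root.pem" "$dir/leaf.pem"
    rm -rf "$dir"
}

# With the files from the post above (GNU date):
#   verify_at "$(date -d '2 OCT 2021 18:00:00' +%s)" fullchain14.pem cert14.pem
demo
```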

  • I think we'll get trouble. Debian test with time in the future:


    I have tested this but I have no idea whether it is meaningful ...

        cd /etc/ssl/certs
        openssl x509 -in ISRG_Root_X1.pem -noout -text
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
        Not Before: Jun 4 11:04:38 2015 GMT
        Not After : Jun 4 11:04:38 2035 GMT


    maybe setting ISRG Root X1 as preferred in the plugin?

        --preferred-chain "ISRG Root X1"


    some more details

    https://medium.com/geekculture…3-expiration-d54a018df257

  • SSL Checker Results from:

    https://decoder.link/sslchecker


    section Certificate # 2 - Common Name: R3 shows:

    Issuer Common Name: ISRG Root X1


    and section Certificate # 3 - Common Name: ISRG Root X1 shows:

    Issuer Common Name: DST Root CA X3


    does that mean it will work or not?

  • maybe sub validateCertificate in /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm should be disabled ?


    maybe disable the LE cronjobs if problems occur - should avoid deleting the apache vhost-ssl.conf files ...

        nano /etc/cron.d/imscp
        # imscp [Plugin::LetsEncrypt::pending] entry BEGIN
        #@hourly root /usr/bin/perl /var/www/imscp/gui/plugins/LetsEncrypt/cron/pending.pl > /dev/null 2>&1
        # imscp [Plugin::LetsEncrypt::pending] entry ENDING
        # imscp [Plugin::LetsEncrypt::renew] entry BEGIN
        #@daily root /usr/bin/perl /var/www/imscp/gui/plugins/LetsEncrypt/cron/renew.pl > /dev/null 2>&1
        # imscp [Plugin::LetsEncrypt::renew] entry ENDING

    Edited 2 times, last by fulltilt ().

  • Thu Sep 30 15:04:24 CEST 2021


    the good news is ...

    when I create a new certificate > verify result:

        cd /etc/letsencrypt/archive/mydomain.tld
        openssl verify -CAfile fullchain1.pem cert1.pem
        cert1.pem: OK

    however, the verify result for older certificates which are still valid > dec

        openssl verify -CAfile fullchain1.pem cert1.pem
        C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        error 10 at 1 depth lookup: certificate has expired
        CN = mydomain.tld
        error 10 at 0 depth lookup: certificate has expired
        error cert1.pem: verification failed

    these are still shown as valid in web browser but what happens when the daily letsencrypt cron job has run through tomorrow?

    are these ssl apache configs deleted and certs marked as invalid afterwards?


    I guess when old fullchain1.pem is being replaced with a new fullchain1.pem it could work ...