LetsEncrypt says current set is no longer valid

Support
#1

Background: last night I was informed that a certificate on one of my hosted domains was out of date. This morning I checked: the site looked OK with a valid certificate but the certificate was dated (earlier) today, which I thought a bit suspicious.

I ran sympl-ssl -v and for every domain I was getting error messages saying the current set was no longer valid. This resulted in fetching a new certificate, with the knock-on effect that LetsEncrypt started sending back “too many certificates issued” refusals.

Here’s a sample of the offending output, which does not make sense to me:

Current SSL set 19: signed by /C=US/O=Let's Encrypt/CN=R3, expires 2022-03-11 05:42:33 UTC
	The current set is no longer valid for this domain.
	The latest available certificate expires in 22 days.

How is the current set invalid if it expires next March?
What is the “22 days” figure about?
sets/19/ has 4 files dated 06:42 this morning.

Sympl continues by attempting to fetch a certificate:

	Fetching a new certificate from LetsEncrypt.
	Requesting verification for baccapipes.org.uk from https://acme-v02.api.letsencrypt.org/directory
	Successfully verified baccapipes.org.uk
	Requesting verification for www.baccapipes.org.uk from https://acme-v02.api.letsencrypt.org/directory
	Successfully verified www.baccapipes.org.uk
	!! Failed: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: baccapipes.org.uk,www.baccapipes.org.uk: see https://letsencrypt.org/docs/rate-limits/

Environment

  • Sympl Version : 11
  • Sympl Testing Version? No
  • Debian Version : Bullseye
  • Hardware Type? Virtual
  • Hosted On? Bitfolk
#2

Can you confirm the version of sympl-ssl you have installed?

This sounds like the bug caused by the expiry of the old Let’s Encrypt root certificate, and the way OpenSSL in Ruby handles the now invalid cross signed cert in the bundle, however that was fixed by removing the extra certificate.

#3

It seems to be part of sympl-core, which is ver 11.20211003.0

#4

Ah, found the problem now - the extra intermediate cert has changed, and it’s no longer being correctly detected.

I should have a fix for this very soon.

Edit: Actually, no, it’s not what I thought initially, and it should be fine…

#5

I have a similar, but possibly related issue. A number (more than a dozen) domains had certificates due to expire in only a week. This seems odd, so I ran sudo sympl-ssl --verbose and although it reported expiry in only seven days, it didn’t try to renew them.

I ran sudo sympl-ssl --force --verbose and it did renew every single certificate (took a while!) but it was odd that each certificate did get a “no longer valid” message for each domain (even though all had valid certificates).

What is stopping it from autorenewing in the way it used to?

#6

Paul has released an update to sympl-core which includes a new version of sympl-ssl. If you haven’t done so yet, do an apt-update and apt-upgrade. New version of sympl-core is 11.20211213.2 for Debian/Sympl 11.

I can’t tell whether that will fix your issue, but the symptoms look similar. My certificate updates are certainly behaving better now.

#7

I had done an update just before. My suspicion is that a recent update might have caused the problem, because it had only been around for a week or two. Other domains had been renewing until then.

Now I’ve force updated them all, none should need updating for a while so I’ll not know if autoupdating is working