[SOLVED] Getting SEC_ERROR_EXPIRED_CERTIFICATE trying to log into my router
-
So what's the problem with connecting directly? I don't understand what's expired with Acme!
Here's the cert itself. I thought of blanking out the domain, but I don't have proper software on this machine, and the router isn't externally reachable anyway.
Any thoughts on what, exactly, is expired?
![Screen Shot 2018-03-14 at 7.10.08 AM.png](/public/imported_attachments/1/Screen Shot 2018-03-14 at 7.10.08 AM.png)
-
Can't tell from there, it's just expired. First, go to System > Packages. Make sure you are on the latest version of the ACME package (0.2.4), then go to Services > ACME Certificates, certificates tab, and try to renew your certificate.
If that fails, post the error.
-
> Any thoughts on what, exactly, is expired?
Check your browser and see what it's specifically complaining about by using your browser's tools. The time/date on your box is correct?
-
> @KOM:
> > Any thoughts on what, exactly, is expired?
>
> Check your browser and see what it's specifically complaining about by using your browser's tools. The time/date on your box is correct?
In the screenshot, his "router" cert expired on the 11th, so it's operating as expected in the browser. The problem now is figuring out why ACME didn't renew it in time.
-
Right. I was looking at the CA screen and seeing a date of 2021.
-
Wait, I'm sorry, I still don't understand.
My certificate renewed on February 10th, 2018, and is set to expire on May 11, 2018. Based on past observation, Acme will try to renew this one month prior to expiration (around April 11th). Today is March 14th.
How is the actual certificate expired? You guys said it expired on the 11th, but it expires on May 11th, not March 11th.
Please clarify so I can understand what went wrong, thanks!
/Jeff
-
Now my previous advice comes in handy. Use your browser to see what it's squawking about since we don't know what's going on here.
-
Hi KOM,
I did use my browser (see original post): SEC_ERROR_EXPIRED_CERTIFICATE.
But it sure isn't clear to me what it is that's expired. Let's Encrypt CA cert is fine, and mine is as well (expiring May 11th). Note that I tried to get in with three different browsers (Safari, Chrome, Firefox), and they all failed (although Safari gave lousy diagnostics of what was wrong).
I understand that Firefox/Chrome think my certificate is expired, but what exactly is expired? The browser doesn't seem to be giving me more data (unless there's some special screen to get further data, that's all I get even with the advanced button).
Thanks so much!
/Jeff
-
Ah, yeah, I misread that as March.
Did your GUI restart to pick up the new certificate?
Do you have a defined action to restart the GUI on renew, like the example shows?
-
Having acme generate a new certificate in time is one thing. This has been done, I guess.
Having it used by the GUI is another. This part is ok, your GUI is still using an older certificate - a newer should be present (renewed).
The GUI should be restarted when a new certificate was generated ('renewed'): check that that has been set up by your instructions.
edit: jimp was much faster … or I'm getting slow ...
-
> I did use my browser (see original post): SEC_ERROR_EXPIRED_CERTIFICATE.
Sorry, I should have been more clear. I meant, use your browser's tools to examine the cert it's complaining about and see what it says. Click the error icon in the URL bar. From Site Security, click More Information. From there, click View Certificate. Anything weird on the cert? Does it also say May 2018?
-
Hi Jimp,
That was it! I failed to restart the GUI after installation of the new cert. Thus, when the OLD cert expired, that was that. I modified the ACME rule to execute /etc/rc.restart_webgui after the new cert is updated.
Interestingly enough, I noted that when I went and executed /etc/rc.restart_webgui from the "Execute Command" capability, it wouldn't seem to work. But when I did it from the console, I was able to connect normally again.
I REALLY appreciate the help, thank you so much!!! You guys are awesome!
One more question: I noticed something about a new Acme API that was rolled out. Is that something I should go do? Does that work on the existing version of pfSense (2.4.2-RELEASE-p1), or would I need to install some sort of update to get that?
Thanks again guys.
-
> One more question: I noticed something about a new Acme API that was rolled out. Is that something I should go do? Does that work on the existing version of pfSense (2.4.2-RELEASE-p1), or would I need to install some sort of update to get that?
When a package update comes out, like 0.2.5 for acme yesterday, you should upgrade.
This newer version includes the possibility to obtain wildcard certs from Let's Encrypt - if you need them. See ACMEv2 is live!
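-
Added example, not part of the thread and not pfSense or ACME package code: a check for the failure found above, where the certificate was renewed on disk but the web GUI kept serving the old one until it was restarted. It compares the SHA-256 fingerprint of the certificate the server presents with the leaf of the renewed PEM file; the function names and the sample byte strings are constructed for illustration.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_der(pem_text: str) -> bytes:
    """DER of the first certificate in a PEM file (the leaf of a fullchain)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def served_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the web GUI presents, even an expired one."""
    ctx = ssl.create_default_context()
    # Validation is off only so an expired certificate can be read for
    # inspection; nothing is sent over this connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def diagnose(served: bytes, renewed_pem: str) -> str:
    """'in-sync' if the GUI serves the renewed certificate, else 'stale'."""
    same = fingerprint(served) == fingerprint(leaf_der(renewed_pem))
    return "in-sync" if same else "stale"

# Constructed sample data (not real certificates): the old and renewed
# leaf, and a fullchain file holding the renewed leaf followed by a CA cert.
OLD_DER = b"constructed-old-leaf"
NEW_DER = b"constructed-renewed-leaf"
CA_DER = b"constructed-intermediate-ca"
RENEWED_FULLCHAIN = (ssl.DER_cert_to_PEM_cert(NEW_DER)
                     + ssl.DER_cert_to_PEM_cert(CA_DER))

if __name__ == "__main__":
    # Against a live router, pass served_der("<router hostname>") and the
    # text of the renewed certificate file instead of the samples.
    print("before GUI restart:", diagnose(OLD_DER, RENEWED_FULLCHAIN))
    print("after GUI restart: ", diagnose(NEW_DER, RENEWED_FULLCHAIN))
```

A "stale" result after a successful renewal means the web server has not reloaded the certificate, which is what the restart action on renew addresses.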