SOLVED Expired Certificate

gorrunyo

Dabbler
Joined
Sep 12, 2022
Messages
17
Hi,

I have a problem with my certificate.
I'm using TrueNAS-SCALE-22.02.4, and I have several services installed through TrueCharts (Nextcloud, Plex, Gitea, etc), all running through Traefik.
Everything was working until last week. Then I get an "Expired Certificate" warning whenever I access any of these services through the browser.

If I download the certificate from TrueNAS SCALE GUI (obtained through Cloudflare, following the TrueCharts tutorial) and compare it against the certificate the browser shows, I see they have different serial numbers, expiration dates, etc.

In essence, the certificate in the TrueNAS SCALE and the one the browser gets are different.

I would appreciate some pointers on how to debug this issue.

Thanks
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,700
Have you checked which certificate Traefik is set to serve for those apps?
 

gorrunyo

Dabbler
Joined
Sep 12, 2022
Messages
17
I assume it uses the one specified in the application configuration, which is the one I got from Cloudflare.

I’m not sure if it can be verified in the Traefik GUI. I couldn’t find it.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
A few things come to mind:
  • Check which cert each of those apps is actually serving--on the page with the certificate error, there's a link, button, or some other way to view the cert. Make sure it's the right one.
  • If you're using the TrueCharts apps (which, AFAIK, are the only ones that let you configure Ingress), the cert is set per-app. Check the app configuration to make sure it's using the right cert.
  • Check crt.sh to see if your certs are being renewed properly--you should see new certs about every 60 days.
 

gorrunyo

Dabbler
Joined
Sep 12, 2022
Messages
17
Thanks for the suggestions:
  • Check which cert each of those apps is actually serving
    They are all getting the same certificate with this serial number
    Serial number: 03 20 1A AD F4 C5 45 1C 9B BE 7D 5C 65 25 E3 B9 CB 2C
  • The application certificate in the application configurations all point to the certificate listed in the Credentials/Certificates list in the TrueNAS SCALE GUI.
    The Serial number of that certificate is different to the one the Browser shows:
    03 1F B7 EE B2 29 75 4C 1B 5B 95 F9 16 4A 1D 2D 5B 43. It expires on Feb 28, 2023, so it should work.
  • There are multiple entries for the domain certificate. The latest entries are (Nov 10, Dec 1, Dec 12).
    The one with the serial number 03 1F B7 EE B2 29 75 4C 1B 5B 95 F9 16 4A 1D 2D 5B 43 is not the most recent though.
I don't really know what to make of it (head scratcher).

At some point I thought that perhaps Cloudflare was providing some other certificate, as the domain was initially proxied, but I removed all the proxying for the servers and the domain and the problem persists.
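The comparison discussed in this thread (serial number of the certificate the endpoint actually serves versus the one stored in TrueNAS), as an added shell example that is not part of the original posts. It assumes `openssl` is installed; the host name and PEM path are supplied by the caller, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: does HOST serve the same certificate as the PEM file?
# Function names are hypothetical; only standard openssl options are used.

# Reduce any serial notation (browser "03 20 1A", "03:20:1a",
# openssl "serial=03201A") to bare upper-case hex for comparison.
norm_serial() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Leaf certificate served for HOST, as PEM. SNI is set explicitly because
# a reverse proxy picks the certificate by the requested server name.
served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509
}

# Succeeds (exit 0) when both serials denote the same certificate.
same_serial() {
    [ "$(norm_serial "$1")" = "$(norm_serial "$2")" ]
}

# Usage: sh check-cert.sh HOST CERT.pem [PORT]
if [ "$#" -ge 2 ]; then
    pem=$(served_cert "$1" "${3:-443}")
    [ -n "$pem" ] || { echo "no certificate received from $1" >&2; exit 2; }
    served=$(printf '%s\n' "$pem" | openssl x509 -noout -serial)
    stored=$(openssl x509 -in "$2" -noout -serial)
    echo "served: $(norm_serial "$served")"
    echo "stored: $(norm_serial "$stored")"
    if same_serial "$served" "$stored"; then
        echo "MATCH: $1 serves the certificate in $2"
    else
        echo "MISMATCH: $1 serves a different certificate:"
        # Issuer and expiry of what is actually being served.
        printf '%s\n' "$pem" | openssl x509 -noout -issuer -enddate
        exit 1
    fi
fi
```

A mismatch with a stored certificate that is still valid means the proxy is holding an older copy rather than renewal having failed.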
 

gorrunyo

Dabbler
Joined
Sep 12, 2022
Messages
17
Solved by a totally unrelated action:

After updating the applications to the latest version, without any other configuration change, the right certificate is now used.

Thanks for the responses.
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
Can you please mark this thread as solved?
