Roots Discourse

Let's Encrypt: Certificate expired

Our Let’s Encrypt certificate has expired. I thought Trellis automatically renews the certificate (https://roots.io/trellis/docs/ssl)? Is there anything special we need to configure for auto refresh in the future? And is there a way to manually renew the certificate?

For reference, Trellis is installed on a Digital Ocean droplet and has been working great up to this point.

Thanks for the help!

Any luck if you restart nginx?

$ sudo service nginx reload

2 Likes

Unfortunately, not. I ran the command from root@, but the certificate is still expired.

Anything you can see in your logs about it at all? I’ve never encountered this so these are just the troubleshooting steps I would take.

Please SSH into your machine, run $ cat /etc/cron.d/letsencrypt-certificate-renewal and paste the output here.

#Ansible: letsencrypt certificate renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py

And the error log:

2016/07/08 02:41:31 [error] 7259#7259: ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

Looks like it timed out when it tried to run a few days ago. Try renewing it manually: $ cd /var/lib/letsencrypt && sudo ./renew-certs.py and paste the output here.

If it works then re-run the nginx restart cmd from above and you should be good to go after restart.

Certificate file /etc/nginx/ssl/letsencrypt/*****.com.cert already exists
Generating certificate for *****.com
Error while generating certificate for *****.com
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying *****.com...
*****.com verified!
Verifying www.*****.com...
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/local/letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /srv/www/letsencrypt/2NzSaos9GbXUF1uhKKYoO7Cz7XWiL5uARGh4nSlb6IA, but couldn't download http://www.*****.com/.well-known/acme-challenge/2NzSaos9GbXUF1uhKKYoO7Cz7XWiL5uARGh4nSlb6IA

Please do $ sudo shutdown -r now to power cycle your machine (if you can). Try manually updating again once it comes back online.

Unfortunately, I get the same error message when running $ cd /var/lib/letsencrypt && sudo ./renew-certs.py after the reboot.

Ok, on your dev machine in your Trellis dir please try this:

$ ansible-playbook server.yml -e env=<YOUR_SERVER_ENV_NAME> -t letsencrypt -vvvv

Let me know how that works out.

Also, have you made any changes to your DNS settings? Please make sure when you ping yourdomain.com and www.yourdomain.com they both resolve correctly.

1 Like

Thanks for all the help!

The DNS settings were the issue. The ‘www’ A record went missing after the wildcard was removed. I restored the record and was able to renew the certificate.

Sweet, glad it’s all sorted!

I just had the same issue where my cert expired without renewing.

$ cat /etc/cron.d/letsencrypt-certificate-renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py

I don’t know which error logs to look into to show you anything there.

I ran this and the cert is fine now, but I hope that this does not happen again in 90 days.
$ ansible-playbook server.yml -e env=production -K --tags letsencrypt

It is now valid until 12/20.

Valid From: Wed, 21 Sep 2016 03:30:00 GMT
Valid Until: Tue, 20 Dec 2016 03:30:00 GMT
Issuer: Let’s Encrypt Authority X3
SCTs: 0 SCTs

1 Like

Mine just randomly expired as well. In my case restarting nginx fixed it right up.

Edit: Actually it appears mine is valid from 10/31/16 until 01/29/17; no idea why it stopped working there.

I can confirm that the new end date for certificates did not go through until nginx was restarted.
Before that I checked the end date of the certificate with
$ openssl x509 -enddate -noout -in site.com.cert
and it was further ahead than what the browser was showing.

In the cron file for the letsencrypt-renewal the nginx service is supposed to reload so I am curious as to why it didn’t seem to work (because it obviously had renewed the certificates so the cron should be working).

Had the same issue with a site not renewing the certificate. Could not find errors. Did manage to renew manually. But when I searched for any cron jobs stored I could not find any either. Should there not be any added by Trellis for this?

Please ensure your cron job (normally at /etc/cron.d/letsencrypt-certificate-renewal) has the full path to service in its reload command (original PR). That was apparently my issue too—renewal was just fine but nginx never reloaded after renewal.

7 Likes
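The replies above point at three separate causes: the renewal cron job reloading nginx with a bare `service` that cron cannot find, a renewed certificate on disk that nginx keeps ignoring until it is reloaded, and a missing `www` DNS record that makes the HTTP-01 challenge fail. The script below is an added example, not code from this thread or from Trellis, that checks all three on a server. It assumes the paths shown in the thread (`/etc/cron.d/letsencrypt-certificate-renewal` and `/etc/nginx/ssl/letsencrypt/<domain>.cert`), a Debian/Ubuntu cron where `/etc/cron.d` jobs run with `PATH=/usr/bin:/bin` unless the file sets its own `PATH` (so `/usr/sbin/service` is only found by its full path), and that `openssl` and `getent` are installed. The script name `check-renewal.sh` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from Trellis): checks the three
# renewal failure modes discussed above.
#   1. the cron job's nginx reload step (full path vs bare `service` vs none)
#   2. the certificate file on disk vs the certificate nginx actually serves
#   3. that both the bare domain and its www host resolve in DNS
# Assumption: /etc/cron.d jobs run with PATH=/usr/bin:/bin (Debian/Ubuntu cron),
# so a bare `service nginx reload` silently fails and nginx keeps the old cert.

CRON_FILE="${CRON_FILE:-/etc/cron.d/letsencrypt-certificate-renewal}"
CERT_DIR="${CERT_DIR:-/etc/nginx/ssl/letsencrypt}"

# Classify the reload step of one crontab line. Prints one of:
#   full - reload invokes service by absolute path (what the fix above requires)
#   bare - reload invokes `service` by name only; not found under cron's PATH
#   none - the job renews the certificate but never reloads nginx
cron_reload_status() {
    line="$1"
    if printf '%s\n' "$line" | grep -Eq '/service[[:space:]]+nginx[[:space:]]+(reload|restart)'; then
        echo full
    elif printf '%s\n' "$line" | grep -Eq '(^|[^/[:alnum:]_.-])service[[:space:]]+nginx[[:space:]]+(reload|restart)'; then
        echo bare
    else
        echo none
    fi
}

# notAfter of the certificate file on disk (the check used above)
disk_cert_enddate() {
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# notAfter of the certificate nginx presents for a host (needs network access)
served_cert_enddate() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -enddate -noout | sed 's/^notAfter=//'
}

# A mismatch means renewal ran but nginx still serves the old certificate,
# which is exactly the "fixed by restarting nginx" case in the thread.
cert_dates_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Both hosts the certificate covers must resolve; if www does not, the
# challenge file for www cannot be fetched, as in the traceback above.
hosts_resolve() {
    ok=0
    for h in "$1" "www.$1"; do
        if getent hosts "$h" >/dev/null 2>&1; then
            echo "$h resolves"
        else
            echo "$h does NOT resolve"
            ok=1
        fi
    done
    return $ok
}

# Usage: sh check-renewal.sh example.com   (run on the server)
if [ -n "${1:-}" ]; then
    domain="$1"
    if [ -r "$CRON_FILE" ]; then
        grep -v '^[[:space:]]*#' "$CRON_FILE" | while read -r job; do
            [ -n "$job" ] || continue
            echo "cron reload step: $(cron_reload_status "$job")"
        done
    else
        echo "$CRON_FILE not found: no renewal cron job installed"
    fi
    disk=$(disk_cert_enddate "$CERT_DIR/$domain.cert")
    served=$(served_cert_enddate "$domain")
    echo "on disk: $disk"
    echo "served:  $served"
    cert_dates_match "$disk" "$served" || echo "MISMATCH: nginx needs a reload"
    hosts_resolve "$domain"
fi
```

A `bare` or `none` result from the cron check, or a mismatch between the on-disk and served dates, reproduces the situation several posters hit: the renewal itself succeeded but the browser still sees the old certificate until nginx is reloaded.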

I just fixed 5 deployments that had this bug. Thank god for organization search on GitHub.

1 Like