Roots Discourse

Let's Encrypt: Certificate expired

Our Let’s Encrypt certificate has expired. I thought Trellis automatically renews the certificate. Is there anything special we need to configure for auto refresh in the future? And is there a way to manually renew the certificate?

For reference, Trellis is installed on a Digital Ocean droplet and has been working great up to this point.

Thanks for the help!

Any luck if you restart nginx?

$ sudo service nginx reload

Unfortunately, not. I ran the command from root@, but the certificate is still expired.

Anything you can see in your logs about it at all? I’ve never encountered this so these are just the troubleshooting steps I would take.

Please SSH into your machine, run $ cat /etc/cron.d/letsencrypt-certificate-renewal and paste the output here.

#Ansible: letsencrypt certificate renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./

And the error log:

2016/07/08 02:41:31 [error] 7259#7259: could not be resolved (110: Operation timed out) while requesting certificate status, responder:

Looks like it timed out when it tried to run a few days ago. Try renewing it manually: $ cd /var/lib/letsencrypt && sudo ./ and paste the output here.

If it works then re-run the nginx restart cmd from above and you should be good to go after restart.

Certificate file /etc/nginx/ssl/letsencrypt/*****.com.cert already exists
Generating certificate for *****.com
Error while generating certificate for *****.com
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying *****.com...
*****.com verified!
Verifying www.*****.com...
Traceback (most recent call last):
  File "/usr/local/letsencrypt/", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER,
  File "/usr/local/letsencrypt/", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /srv/www/letsencrypt/2NzSaos9GbXUF1uhKKYoO7Cz7XWiL5uARGh4nSlb6IA, but couldn't download http://www.*****.com/.well-known/acme-challenge/2NzSaos9GbXUF1uhKKYoO7Cz7XWiL5uARGh4nSlb6IA

Please do $ sudo shutdown -r now to power cycle your machine (if you can). Try manually updating again once it comes back online.

Unfortunately, I get the same error message when running $ cd /var/lib/letsencrypt && sudo ./ after the reboot.

Ok, on your dev machine in your Trellis dir please try this:

$ ansible-playbook server.yml -e env=<YOUR_SERVER_ENV_NAME> -t letsencrypt -vvvv

Let me know how that works out.

Also, have you made any changes to your DNS settings? Please make sure when you ping and they both resolve correctly.


Thanks for all the help!

The DNS settings were the issue. The ‘www’ A record went missing after the wildcard was removed. I restored the record and was able to renew the certificate.

Sweet, glad it’s all sorted!

I just had the same issue where my cert expired without renewing.

$ cat /etc/cron.d/letsencrypt-certificate-renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./

I don’t know which error logs to look into to show you anything there.

I ran this and the cert is fine now, but hope that this does not happen in 90 days again.
ansible-playbook server.yml -e env=production -K --tags letsencrypt

It is now valid until 12/20.

Valid From: Wed, 21 Sep 2016 03:30:00 GMT
Valid Until: Tue, 20 Dec 2016 03:30:00 GMT
Let’s Encrypt Authority X3
0 SCTs


Mine just randomly expired as well. In my case restarting nginx fixed it right up.

Edit: Actually, it appears mine is valid from 10/31/16 until 01/29/17, no idea why it stopped working there.

I can confirm that the new end date for certificates did not go through until nginx was restarted. Before that I checked the end date of the certificate with openssl x509 -enddate -noout -in and it was further ahead than what the browser was showing.

In the cron file for the letsencrypt-renewal the nginx service is supposed to reload so I am curious as to why it didn’t seem to work (because it obviously had renewed the certificates so the cron should be working).

Had the same issue with a site not renewing the certificate. Could not find errors. Did manage to renew manually. But when I searched for any cron jobs stored I could not find any either. Should there not be any added by Trellis for this?

Please ensure your cron job (normally at /etc/cron.d/letsencrypt-certificate-renewal) has the full path to service in its reload command (original PR). That was apparently my issue too—renewal was just fine but nginx never reloaded after renewal.


I just fixed 5 deployments that had this bug. Thank god for organization search on GitHub.
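The two failure modes in this thread (a renewal that ran but was never picked up because nginx did not reload, and a certificate that has already expired) can be caught with one check: compare the end date of the certificate on disk with the one nginx actually serves, which is the manual openssl -enddate comparison above turned into a monitoring job. This is an added example, not Trellis code; it assumes the hostname and the path from the nginx ssl_certificate directive (for example /etc/nginx/ssl/letsencrypt/example.com.cert) are passed as its two arguments.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"time"
)

// CompareCerts is the pure check. stale: the on-disk copy outlives the served copy, i.e.
// renewal wrote a new cert but nginx was never reloaded. expired: browsers reject it now.
func CompareCerts(disk, served *x509.Certificate, now time.Time) (stale, expired bool, daysLeft int) {
	return disk.NotAfter.After(served.NotAfter), !now.Before(served.NotAfter), int(served.NotAfter.Sub(now).Hours() / 24)
}

// loadDiskCert parses the first PEM block of the file named by nginx's ssl_certificate directive.
func loadDiskCert(path string) (*x509.Certificate, error) {
	raw, err := os.ReadFile(path)
	if block, _ := pem.Decode(raw); err == nil && block != nil {
		return x509.ParseCertificate(block.Bytes)
	}
	return nil, fmt.Errorf("no PEM certificate in %s: %v", path, err)
}

// fetchServedCert handshakes with the live site; InsecureSkipVerify so an expired chain is returned, not rejected.
func fetchServedCert(host string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", host+":443", &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

func main() {
	disk, err := loadDiskCert(os.Args[2])       // e.g. /etc/nginx/ssl/letsencrypt/example.com.cert (assumed path)
	served, err2 := fetchServedCert(os.Args[1]) // e.g. example.com (assumed host)
	if err != nil || err2 != nil {
		fmt.Fprintln(os.Stderr, "could not load certificates:", err, err2)
		os.Exit(2)
	}
	stale, expired, days := CompareCerts(disk, served, time.Now())
	fmt.Printf("served cert ends %s (%d days left), disk cert ends %s\n", served.NotAfter.UTC().Format("2006-01-02"), days, disk.NotAfter.UTC().Format("2006-01-02"))
	if stale || expired {
		fmt.Println("nginx is serving a stale or expired certificate: reload nginx")
		os.Exit(1) // non-zero exit lets a cron job or monitoring check alert on it
	}
}
```

Run it from the same cron schedule as the renewal (or from a monitoring host, without the disk path check) so a renewal that succeeded on disk but never reached nginx is noticed before the old certificate expires.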
