# Let's Encrypt: Certificate expired

**URL:** https://discourse.roots.io/t/lets-encrypt-certificate-expired/7171
**Category:** trellis
**Created:** 2016-07-11T22:16:00Z
**Posts:** 32

## Post 1 by @aisforadam — 2016-07-11T22:16:00Z

Our Let’s Encrypt certificate has expired. I thought Trellis automatically renews the certificate ([https://roots.io/trellis/docs/ssl](https://roots.io/trellis/docs/ssl))? Is there anything special we need to configure for auto refresh in the future? And is there a way to manually renew the certificate?

For reference, Trellis is installed on a Digital Ocean droplet and has been working great up to this point.

Thanks for the help!

---

## Post 2 by @cfx — 2016-07-11T22:56:40Z

Any luck if you restart nginx?

`$ sudo service nginx reload`

---

## Post 3 by @aisforadam — 2016-07-12T01:44:52Z

Unfortunately, not. I ran the command from root@, but the certificate is still expired.

---

## Post 4 by @cfx — 2016-07-12T02:04:23Z

Anything you can see in your logs about it at all? I’ve never encountered this so these are just the troubleshooting steps I would take.

Please SSH into your machine, run `$ cat /etc/cron.d/letsencrypt-certificate-renewal` and paste the output here.

---

## Post 5 by @aisforadam — 2016-07-12T02:06:25Z

```
#Ansible: letsencrypt certificate renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py
```

---

## Post 6 by @aisforadam — 2016-07-12T02:17:11Z

And the error log:

```
2016/07/08 02:41:31 [error] 7259#7259: ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
```

---

## Post 7 by @cfx — 2016-07-12T02:30:26Z

Looks like it timed out when it tried to run a few days ago. Try renewing it manually: `$ cd /var/lib/letsencrypt && sudo ./renew-certs.py` and paste the output here.

If it works then re-run the nginx restart cmd from above and you should be good to go after restart.

---

## Post 8 by @aisforadam — 2016-07-12T02:36:04Z

```
Certificate file /etc/nginx/ssl/letsencrypt/*****.com.cert already exists
Generating certificate for *****.com
Error while generating certificate for *****.com
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying *****.com...
*****.com verified!
Verifying www.*****.com...
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/local/letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /srv/www/letsencrypt/2NzSaos9GbXUF1uhKKYoO7Cz7XWiL5uARGh4nSlb6IA, but couldn't download http://www.*****.com/.well-known/acme-challenge/2NzSaos9GbXUF1uhKKYoO7Cz7XWiL5uARGh4nSlb6IA
```

---

## Post 9 by @cfx — 2016-07-12T03:04:07Z

Please do `$ sudo shutdown -r now` to power cycle your machine (if you can). Try manually updating again once it comes back online.

---

## Post 10 by @aisforadam — 2016-07-12T03:07:42Z

Unfortunately, I get the same error message when running `$ cd /var/lib/letsencrypt && sudo ./renew-certs.py` after the reboot.

---

## Post 11 by @cfx — 2016-07-12T03:20:16Z

Ok, on your dev machine in your Trellis dir please try this:

`$ ansible-playbook server.yml -e env=<YOUR_SERVER_ENV_NAME> -t letsencrypt -vvvv`

Let me know how that works out.

---

## Post 12 by @cfx — 2016-07-12T03:33:35Z

Also, have you made any changes to your DNS settings? Please make sure when you ping `yourdomain.com` and `www.yourdomain.com` they both resolve correctly.

---

## Post 13 by @aisforadam — 2016-07-12T04:00:29Z

Thanks for all the help!

The DNS settings were the issue. The ‘www’ A record went missing after the wildcard was removed. I restored the record and was able to renew the certificate.

---

## Post 14 by @cfx — 2016-07-12T04:03:36Z

Sweet, glad it’s all sorted!

---

## Post 15 by @thommeredith — 2016-10-20T18:19:30Z

I just had the same issue where my cert expired without renewing.

```
$ cat /etc/cron.d/letsencrypt-certificate-renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py
```

I don’t know which error logs to look into to show you anything there.

I ran this and the cert is fine now, but I hope that this does not happen in 90 days again.

```
ansible-playbook server.yml -e env=production -K --tags letsencrypt
```

It is now valid until 12/20:

```
Valid From:  Wed, 21 Sep 2016 03:30:00 GMT
Valid Until: Tue, 20 Dec 2016 03:30:00 GMT
Issuer:      Let's Encrypt Authority X3
SCTs:        0 SCTs
```

---

## Post 16 by @smutek — 2016-11-27T01:40:52Z

Mine just randomly expired as well. In my case restarting nginx fixed it right up.

Edit: Actually it appears mine is valid from 10/31/16 until 01/29/17, no idea why it stopped working there.

---

## Post 17 by @aoe — 2016-11-28T06:33:52Z

I can confirm that the new end date for certificates did not go through until nginx was restarted.  
Before that I checked the end date of the certificate with  
`openssl x509 -enddate -noout -in site.com.cert` and it was further ahead than what the browser was showing.

In the cron file for the letsencrypt-renewal the nginx service is supposed to reload so I am curious as to why it didn’t seem to work (because it obviously had renewed the certificates so the cron should be working).

---

## Post 18 by @jasperfrumau — 2016-11-29T14:20:31Z

Had the same issue with a site not renewing the certificate. Could not find errors. Did manage to renew manually. But when I searched for any cron jobs stored I could not find any either. Should there not be any added by Trellis for this?

---

## Post 19 by @cfx — 2016-11-29T15:17:25Z

Please ensure your cron job (normally at `/etc/cron.d/letsencrypt-certificate-renewal`) has the full path to `service` in its reload command ([original PR](https://github.com/roots/trellis/commit/d3d37a33382ee9dac7e2c8260d049903de8f8e96)). That was apparently my issue too—renewal was just fine but nginx never reloaded after renewal.

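Added audit script (not Trellis code) covering the two failure modes this thread settles on: the `www` name that must resolve before the acme-challenge for it can be fetched (Post 13), and a certificate that was renewed on disk but never picked up by nginx because the cron line lacked the full path to `service` (Posts 17 and 19). Paths are the ones quoted in the thread; the certificate file and hostname arguments, and the `CRON_FILE` override, are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of Trellis. Paths are the ones quoted in this thread.
CRON_FILE="${CRON_FILE:-/etc/cron.d/letsencrypt-certificate-renewal}"

# Both the apex and www names must resolve, or the challenge for www fails exactly
# as in Post 8 ("couldn't download http://www.../.well-known/acme-challenge/...").
check_dns() {
    for name in "$1" "www.$1"; do
        getent hosts "$name" >/dev/null || { echo "DNS: $name does not resolve"; return 1; }
    done
    echo "OK: $1 and www.$1 resolve"
}

# The cron line must run renew-certs.py AND reload nginx through the absolute
# /usr/sbin/service path: cron's PATH usually lacks /usr/sbin, so a bare "service"
# fails silently while the renewal itself succeeds (the Post 19 bug).
check_cron_reload() {
    line=$(grep -v '^#' "$1" 2>/dev/null | grep 'renew-certs.py') \
        || { echo "CRON: no renewal line found in $1"; return 1; }
    case "$line" in
        *"/usr/sbin/service nginx reload"*) echo "OK: $line" ;;
        *"service nginx reload"*) echo "CRON: reload uses a relative 'service' path: $line"; return 1 ;;
        *) echo "CRON: nothing reloads nginx after renewal: $line"; return 1 ;;
    esac
}

# notAfter of the certificate file on disk (what renew-certs.py wrote) ...
disk_enddate() { openssl x509 -enddate -noout -in "$1" | cut -d= -f2; }

# ... versus notAfter of the certificate nginx actually serves (what browsers see).
served_enddate() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -enddate -noout | cut -d= -f2
}

# openssl prints both dates in the same format, so a plain string compare is enough;
# a mismatch is the Post 17 symptom: renewed on disk, stale in nginx.
check_served_matches_disk() {
    d=$(disk_enddate "$1"); s=$(served_enddate "$2")
    if [ -n "$d" ] && [ "$d" = "$s" ]; then
        echo "OK: nginx serves the on-disk certificate (expires $d)"
    else
        echo "MISMATCH: disk='$d' served='$s' (run: /usr/sbin/service nginx reload)"; return 1
    fi
}

# Usage: sh le-audit.sh CERT_FILE HOSTNAME  (live checks run only when both are given)
if [ $# -eq 2 ]; then
    rc=0
    check_dns "$2" || rc=1; check_cron_reload "$CRON_FILE" || rc=1
    check_served_matches_disk "$1" "$2" || rc=1; exit $rc
fi
```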
---

## Post 20 by @MWDelaney — 2016-11-29T20:31:04Z

I just fixed 5 deployments that had this bug. Thank god for organization search on GitHub.

---

## Post 21 by @smutek — 2016-12-08T03:10:28Z

Thank you sir! :slight_smile:

---

## Post 22 by @Erick_Amaral — 2017-03-02T17:47:38Z

I still have the problem.  
One of my certificates expires tomorrow, Mar 02, but my site already has the privacy error.  
I tried every single solution posted here, but still no results.

```
Certificate file /etc/nginx/ssl/letsencrypt/xxxxx.cert already exists
Generating certificate for xxxxx.xxxx
Error while generating certificate for xxxxx.xxxx
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying orei.org...
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/local/letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /srv/www/letsencrypt/LIAgjwgNlBXLrmnfNys_a8i1sFIsNLj_ac2rHZ374BM, but couldn't download http:// xxxxx.xxxx/.well-known/acme-challenge/LIAgjwgNlBXLrmnfNys_a8i1sFIsNLj_ac2rHZ374BM
```

Any clue?

---

## Post 23 by @MWDelaney — 2017-03-02T18:15:26Z

How recent is your Trellis version?

It might be fastest to **back up your database and uploads** and try reprovisioning your server with a fresh copy of Trellis (and all your configs, of course).

Here’s a quick overview of how I update Trellis. There are better ways but this is fast:

Copy the following out of your Trellis directory:

```
.vault_pass
ansible.cfg
/group_vars
/deploy-hooks
/hosts
/nginx-includes
```

Delete everything in your Trellis directory  
Clone Trellis from source into your Trellis directory  
Copy back in and overwrite the following:

```
.vault_pass
ansible.cfg
/group_vars/development
/group_vars/staging
/group_vars/production
/group_vars/all/mail.yml
/group_vars/all/vault.yml
/deploy-hooks
/hosts
```

Then **back up your database and uploads again!!!** and rebuild and reprovision your server.

---

## Post 24 by @Erick_Amaral — 2017-03-02T18:39:10Z

It was not me that made the installation and I have never used Trellis before…  
One of my problems is that `ansible-playbook server.yml -e env=production -K --tags letsencrypt` does not run because it cannot find the `server.yml`. Where do I run this command?

About the version, how do I get this information?

And there’s no way to install a fresh copy of Trellis right now.

Thanks!

---

## Post 25 by @flros — 2018-08-13T15:26:06Z

Hello everyone, I got an issue.  
My SSL renewal crashed yesterday.  
I was able to do it manually today with this command, which works perfectly: `ansible-playbook server.yml -e env=production -K --tags letsencrypt`  
However, I’m still interested in the automatic renewal!  
I found out in the log that the process might have failed because of this: `ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org`  
When I tried to access the folder /var/lib/letsencrypt (as root and web users), the response was ‘Permission denied’.  
Can someone help me with this? Please ask me if you need more details.  
Thanks a lot,

---

## Post 26 by @mattia — 2020-01-21T16:19:25Z

@MWDelaney is this still a valid option to update Trellis?  
I saw that it is an old post (2017), but if it is still a valid option I will try this way, because it sounds straightforward to me.  
Thanks

---

## Post 27 by @joshb — 2020-01-27T20:40:42Z

I am also wondering if this is still valid. I have some rather projects from the last 6 months to a year where the LE SSL is not being auto-renewed.

---

## Post 28 by @JordanC26 — 2020-01-27T23:31:05Z

I would also like to know if the way @MWDelaney guides on Trellis updating is still valid. I’d be happy to simply replace my current Trellis files with new ones, I just want to confirm which files are to be kept and restored.

---

## Post 29 by @swalkinshaw — 2020-01-28T03:37:30Z

If you haven’t customized any other files within Trellis (which ideally you shouldn’t) then yes that process is basically correct and the easiest way.

---

## Post 30 by @joshb — 2020-01-28T17:09:30Z

Thanks @swalkinshaw for confirming this.  
I’ll be attempting this over the weekend on a project.

---

## Post 31 by @intelligence — 2021-03-19T09:42:34Z

I stumbled upon this issue today. A client notified me that the certificate was about to expire, so I went to investigate.

Seems like I’ve already applied the fix, but that it failed to run the cron job:

```
cat /etc/cron.d/letsencrypt-certificate-renewal
#Ansible: letsencrypt certificate renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload
```

Running it manually (as root), I had no issues:

```
cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload
Certificate file /etc/nginx/ssl/letsencrypt/domain.tld-933ed6e-bundled.cert already exists
Generating certificate for domain.tld
Created certificate for domain.tld
```

Is it possible that the cron job simply is not running? How can I debug?

---

## Post 32 by @MWDelaney — 2021-03-19T17:13:06Z

Make sure you’ve reprovisioned the server since updating Trellis. That should fix the cron job, too.
