Let's Encrypt: Certificate expired

Thanks for all the help!

The DNS settings were the issue. The ‘www’ A record went missing after the wildcard was removed. I restored the record and was able to renew the certificate.

Sweet, glad it’s all sorted!

I just had the same issue where my cert expired without renewing.

$ cat /etc/cron.d/letsencrypt-certificate-renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py

I don’t know which error logs to look into to show you anything there.

I ran this and the cert is fine now, but hope that this does not happen in 90 days again.
ansible-playbook server.yml -e env=production -K --tags letsencrypt

It is now valid until 12/20.

Valid From: Wed, 21 Sep 2016 03:30:00 GMT
Valid Until: Tue, 20 Dec 2016 03:30:00 GMT
Issuer: Let’s Encrypt Authority X3
SCTs: 0 SCTs


Mine just randomly expired as well. In my case restarting nginx fixed it right up.

  • Edit - Actually it appears mine is valid from 10/31/16 until 01/29/17, no idea why it stopped working there.

I can confirm that the new end date for certificates did not go through until nginx was restarted.
Before that I checked the end date of the certificate with
openssl x509 -enddate -noout -in site.com.cert and it was further ahead than what the browser was showing.

In the cron file for the letsencrypt-renewal the nginx service is supposed to reload so I am curious as to why it didn’t seem to work (because it obviously had renewed the certificates so the cron should be working).

Had the same issue with a site not renewing the certificate. Could not find errors. Did manage to renew manually. But when I searched for any cron jobs stored I could not find any either. Should there not be any added by Trellis for this?

Please ensure your cron job (normally at /etc/cron.d/letsencrypt-certificate-renewal) has the full path to service in its reload command (original PR). That was apparently my issue too—renewal was just fine but nginx never reloaded after renewal.

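The cron-path problem described above, as an added check that is not part of Trellis or of any post in this thread: it parses a /etc/cron.d file and flags a renewal job that either never reloads nginx or calls service without an absolute path. The two sample cron lines are the ones quoted in this thread; the function names and messages are my own.

```python
"""Audit a /etc/cron.d renewal job for the two failure modes seen in this thread:
no nginx reload after renewal, and a reload command cron cannot find because its
minimal PATH does not include /usr/sbin (where `service` lives)."""
import shlex

# cron runs jobs with a minimal PATH; /usr/sbin is not on it.
CRON_DEFAULT_PATH = ("/usr/bin", "/bin")

# Sample cron.d contents, constructed from the two lines quoted in the thread.
SAMPLE_MISSING_RELOAD = "30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py\n"
SAMPLE_FIXED = ("#Ansible: letsencrypt certificate renewal\n"
                "30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py"
                " && /usr/sbin/service nginx reload\n")

def parse_cron_d_line(line):
    """Split a /etc/cron.d line into (schedule, user, command); None for comments/blank."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)  # five schedule fields + user + the rest is the command
    if len(fields) < 7:
        return None
    return (" ".join(fields[:5]), fields[5], fields[6])

def audit_renewal_job(cron_text):
    """Return a list of findings for the renew-certs.py job (empty list = looks fine)."""
    findings = []
    jobs = [j for j in map(parse_cron_d_line, cron_text.splitlines()) if j]
    renewal = [j for j in jobs if "renew-certs.py" in j[2]]
    if not renewal:
        return ["no renew-certs.py job found; reprovision with Trellis to install it"]
    _, user, command = renewal[0]
    if user != "root":
        findings.append(f"job runs as {user!r}; reloading nginx needs root")
    # The command is a chain of `&&` steps; the reload must be one of them.
    steps = [s.strip() for s in command.split("&&")]
    reload_steps = [s for s in steps if "reload" in s or "restart" in s]
    if not reload_steps:
        findings.append("renewal never reloads nginx, so the old certificate keeps being served")
    for step in reload_steps:
        exe = shlex.split(step)[0]
        if not exe.startswith("/"):
            findings.append(f"{exe!r} has no absolute path; cron's PATH is "
                            f"{':'.join(CRON_DEFAULT_PATH)}, use e.g. /usr/sbin/{exe}")
    return findings

if __name__ == "__main__":
    for name, text in (("missing reload", SAMPLE_MISSING_RELOAD), ("fixed", SAMPLE_FIXED)):
        print(name, "->", audit_renewal_job(text) or "OK")
```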

I just fixed 5 deployments that had this bug. Thank god for organization search on GitHub.


Thank you sir! :slight_smile:

I still have the problem.
One of my certificates expires tomorrow, Mar 02, but my site already has the privacy error.
I tried every single solution posted here, but still no results.

Certificate file /etc/nginx/ssl/letsencrypt/xxxxx.cert already exists
Generating certificate for xxxxx.xxxx
Error while generating certificate for  xxxxx.xxxx
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying orei.org...
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/local/letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /srv/www/letsencrypt/LIAgjwgNlBXLrmnfNys_a8i1sFIsNLj_ac2rHZ374BM, but couldn't download http:// xxxxx.xxxx/.well-known/acme-challenge/LIAgjwgNlBXLrmnfNys_a8i1sFIsNLj_ac2rHZ374BM

Any clue?

How recent is your Trellis version?

It might be fastest to back up your database and uploads and try reprovisioning your server with a fresh copy of Trellis (and all your configs, of course).

Here’s a quick overview of how I update Trellis. There are better ways but this is fast:

Copy the following out of your Trellis directory:

.vault_pass
ansible.cfg
/group_vars
/deploy-hooks
/hosts
/nginx-includes

Delete everything in your Trellis directory
Clone Trellis from source into your Trellis directory
Copy back in and overwrite the following:

.vault_pass
ansible.cfg
/group_vars/development
/group_vars/staging
/group_vars/production
/group_vars/all/mail.yml
/group_vars/all/vault.yml
/deploy-hooks
/hosts

Then back up your database and uploads again!!! and rebuild and reprovision your server.


It was not me who did the installation and I have never used Trellis before…
One of my problems is that ansible-playbook server.yml -e env=production -K --tags letsencrypt does not run because it cannot find server.yml. Where do I run this command?

About the version, how do I get this information?

And there’s no way to install a fresh copy of Trellis right now.

Thanks!

Hello everyone, I got an issue.
My SSL renewal crashed yesterday.
I was able to do it manually today with this command which works perfectly ansible-playbook server.yml -e env=production -K --tags letsencrypt
However, I’m still interested in the automatic renewal!
I found out in the log that the process might have failed because of this -> ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
When I tried to access the folder (as root and web users) /var/lib/letsencrypt, the response was ‘Permission denied’.
Can someone help me with this? Please ask me if you need more details.
Thanks a lot,

@MWDelaney is this still a valid option to update Trellis?
I saw that it is an old post (2017), but if it is still a valid option, I will try this way because it sounds straightforward to me.
Thanks


I am also wondering if this is still valid. I have some projects from the last 6 months to a year where the LE SSL is not being auto-renewed.

I would also like to know if the way @MWDelaney guides on Trellis updating is still valid. I’d be happy to simply replace my current Trellis files with new ones; I just want to confirm which files are to be kept and restored.


If you haven’t customized any other files within Trellis (which ideally you shouldn’t) then yes that process is basically correct and the easiest way.

Thanks @swalkinshaw for confirming this.
I’ll be attempting this over the weekend on a project.

I stumbled upon this issue today. A client notified me that the certificate was about to expire, so I went to investigate.

Seems like I’ve already applied the fix, but that it failed to run the cron job:

cat /etc/cron.d/letsencrypt-certificate-renewal
#Ansible: letsencrypt certificate renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload

Running it manually (as root), I had no issues:
cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload
Certificate file /etc/nginx/ssl/letsencrypt/domain.tld-933ed6e-bundled.cert already exists
Generating certificate for domain.tld
Created certificate for domain.tld

Is it possible that the cron job simply is not running? How can I debug?

Make sure you’ve reprovisioned the server since updating Trellis. That should fix the cron job, too.