The browser really was presented with an expired certificate. For example, the nginx server needs a “reload” step after the certificate changes, so that it begins presenting new visitors with the new certificate, without a break in service (a “restart” step stops, and then starts, the server, leaving a brief moment when the site is “not there” but this doesn’t happen with reload). So if reload wasn’t done, it would continue serving the old certificate even though the new one was now ready to go.
The clock on the computer where the browser was running was wrong. If the computer believes it’s Christmas Day (25 December 2016) already, then a certificate that is in fact valid until November would seem to have expired. Most often clocks are found to be no more than 1 hour wrong, but occasionally through some mishap a computer is set up wrongly, and comes to have the wrong time or date. These days most computers are set to correct this by asking other machines on the Internet, but this setting could be disabled.
So we’d need some more information to help figure out which of these was the problem, or if there’s a third cause.
Thank you, I very much appreciate your reply. It certainly wasn’t the date of the computer. I went into the server, stopped Nginx, and ran this command;
It told me the certificate didn’t need renewing, so I left it, then when I restarted Nginx everything was fine and the warning in the browser went away.
It was scary because I didn’t know what to do. At first I tried to redirect the https to http, to give me some breathing room, but even that wouldn’t work. It just makes me feel like I shouldn’t be doing this for clients, but I like saving them money if I can, but at what cost… that’s why I’m now taking an Ubuntu crash course. (I copied and pasted code from a tutorial to get SSL to work, and it had been working fine up until today.)
So, if I hadn’t restarted the server, would this have just resolved itself eventually? How can I prevent this from happening again?
You should reload (you can restart, but it causes a very brief period when the site isn’t available) nginx after each renewal. This tells nginx to switch to the new certificate, otherwise that won’t happen until it is restarted somehow.
One way to cause the reload is to ask the certbot software to do it for you when renewal succeeds, by adding
--post-hook "/sbin/service nginx reload"
to the command you’re already running.
I think you are wise to take some other instruction, outside of the Let’s Encrypt site, to learn more about the responsibilities you’ve taken on running web sites. We are of course always happy to try to answer questions about Let’s Encrypt here, but we can’t hold everybody’s hands through every step, there just isn’t time.
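Added example, not part of the thread and not certbot's or nginx's own code: a small check for the "renewed but never reloaded" case discussed above, comparing the certificate the server is presenting right now with the certificate file on disk. The hostname and the file path are arguments you supply; the function names are made up for this sketch.

```python
import hashlib
import socket
import ssl
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def leaf_fingerprint(pem_text):
    """SHA-256 hex digest of the first (leaf) certificate in a PEM bundle."""
    start = pem_text.index(BEGIN)
    end = pem_text.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()

def served_pem(host, port=443, timeout=5.0):
    """Fetch the leaf certificate the server presents right now."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: an expired certificate must still be
    # retrievable so it can be compared. Nothing else is sent on this socket.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def nginx_needs_reload(served, on_disk):
    """True when the server presents a different cert than the file on disk."""
    return leaf_fingerprint(served) != leaf_fingerprint(on_disk)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: <script> <hostname> <path to the certificate file nginx uses>
        host, path = sys.argv[1], sys.argv[2]
        with open(path) as f:
            stale = nginx_needs_reload(served_pem(host), f.read())
    else:
        # Constructed stand-ins (not real certificates) so the script runs offline.
        old = ssl.DER_cert_to_PEM_cert(b"constructed: certificate before renewal")
        new = ssl.DER_cert_to_PEM_cert(b"constructed: certificate after renewal")
        stale = nginx_needs_reload(old, new)
    print("STALE: reload nginx" if stale else "OK: served certificate matches disk")
    sys.exit(1 if stale else 0)
```

Run from cron or a monitoring job, a non-zero exit status means nginx is still serving the old certificate and needs the reload.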