Browser said the certificate had expired, but it hadn't, why?


#1

Please fill out the fields below so we can help you better.

My domain is: oldmachardental.co.uk

I ran this command:

It produced this output:

My operating system is (include version): Ubuntu 14.04.4

My web server is (include version): Nginx

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Server Pilot


#2

Two main possibilities here

  1. The browser really was presented with an expired certificate. For example, the nginx server needs a “reload” step after the certificate changes, so that it begins presenting new visitors with the new certificate, without a break in service (a “restart” step stops, and then starts, the server, leaving a brief moment when the site is “not there” but this doesn’t happen with reload). So if reload wasn’t done, it would continue serving the old certificate even though the new one was now ready to go.

  2. The clock on the computer where the browser was running was wrong. If the computer believes it’s Christmas Day (25 December 2016) already, then a certificate that is in fact valid until November would seem to have expired. Most often clocks are found to be no more than 1 hour wrong, but occasionally through some mishap a computer is set up wrongly, and comes to have the wrong time or date. These days most computers are set to correct this by asking other machines on the Internet, but this setting could be disabled.

So we’d need some more information to help figure out which of these was the problem, or if there’s a third cause.


#3

Thank you, I very much appreciate your reply. It certainly wasn’t the date of the computer. I went into the server, stopped Nginx, and ran this command:

sudo -H ./letsencrypt-auto certonly --standalone -d yourdomain.com -d www.yourdomain.com

It told me the certificate didn’t need renewing, so I left it, then when I restarted Nginx everything was fine and the warning in the browser went away.

It was scary because I didn’t know what to do, at first I tried to redirect the https to http, to give me some breathing room but even that wouldn’t work - it just makes me feel like I shouldn’t be doing this for clients, but I like saving them money if I can, but at what cost… that’s why I’m now taking an Ubuntu crash course. (I copied and pasted code from a tutorial to get SSL to work, and it had been working fine up until today.)

So, if I hadn’t restarted the server would this have just resolved itself eventually? How can I prevent this from happening again?

I have this script set up to auto renew:

#!/bin/sh
/opt/letsencrypt/letsencrypt-auto renew --agree-tos --email mtwebink@gmail.com

:slight_smile:


#4

I used my own domain in the command, hah


#5

You should reload (you can restart, but it causes a very brief period when the site isn’t available) nginx after each renewal. This tells nginx to switch to the new certificate, otherwise that won’t happen until it is restarted somehow.

One way to cause the reload is to ask the certbot software to do it for you when renewal succeeds, by adding

--post-hook "/sbin/service nginx reload"

to the command you’re already running.

I think you are wise to take some other instruction, outside of the Let’s Encrypt site, to learn more about the responsibilities you’ve taken on running web sites. We are of course always happy to try to answer questions about Let’s Encrypt here, but we can’t hold everybody’s hands through every step, there just isn’t time.
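
An added example, not part of any post in this thread: a shell check that tells the two possibilities from #2 apart by comparing the certificate on disk with the one the server is actually presenting. The function names, the host, and the certificate path in the comment are assumptions for illustration; the validity test uses the clock of the machine the script runs on, so that clock must be correct.

```shell
#!/bin/sh
# Added example: compare the certificate on disk with the one nginx is serving.

# Print the leaf certificate (PEM) that HOST presents on PORT right now.
served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Read a PEM certificate on stdin, print its SHA-256 fingerprint.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Classify from: fingerprint on disk, fingerprint served, and whether the
# served certificate is still valid by this machine's clock (yes/no).
diagnose() {
    if [ "$1" != "$2" ] && [ "$3" = no ]; then
        echo "reload-needed: nginx is serving an old, expired certificate"
    elif [ "$1" != "$2" ]; then
        echo "reload-pending: nginx is serving an older certificate that has not expired yet"
    elif [ "$3" = no ]; then
        echo "renewal-failed: the certificate on disk is itself expired"
    else
        echo "ok: current certificate is served; suspect the browser machine's clock"
    fi
}

# check_site HOST CERT_FILE [PORT]
check_site() {
    served_pem=$(served_cert "$1" "${3:-443}") || return 2
    disk_fp=$(fingerprint <"$2")
    served_fp=$(printf '%s\n' "$served_pem" | fingerprint)
    if [ -z "$disk_fp" ] || [ -z "$served_fp" ]; then return 2; fi
    # -checkend 0 exits 0 only if the certificate has not expired yet.
    if printf '%s\n' "$served_pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        valid=yes
    else
        valid=no
    fi
    diagnose "$disk_fp" "$served_fp" "$valid"
}

# Example call (hypothetical host and path):
#   check_site example.com /etc/letsencrypt/live/example.com/fullchain.pem
if [ "$#" -ge 2 ]; then check_site "$@"; fi
```

Run from cron after the renewal job, a `reload-needed` or `reload-pending` result means the renewal worked but nginx was never told to pick up the new file.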

