Cert not renewing

I have the exact same problem. The site has been running for 2 years and certs have been automatically renewing, but today it didn't.

I do not have access to the person who set up the website. I am running Google Cloud Shell. Do I have to install certbot on my shell to force renewal?

Is there a reason it suddenly stopped renewing? crt.sh | mes-forms-server.zume.com

Thanks in advance.

The logical answer is obviously yes (given your implication that it has stopped, something must have caused that and there must be something to correct that happening).
But...
I don't see how it hasn't renewed.
The renewal schedule was altered but it continues:
[image]

rg305, let me rephrase my question: what are the reasons certbot will stop renewing certificates suddenly after 2 years?

I am asking that so I can look at those reasons, otherwise if you have suggestions on how I can resolve this.

Will forcing a renewal by using this "certbot renew --force-renewal" work?

It hasn't stopped, in fact: the renewal frequency has increased.

Also, in your first post you're asking if you should "install certbot". In the posts afterwards, you're acting like certbot is already installed. So I don't really understand now what's going on: what was the ACME client responsible for all those previous renewals? Probably not certbot if you have to install it in the first place? Please figure out first how all the previous certificates were issued. I.e., by which client and how.

Hello Osiris,

The website was set up 2 years ago and that whole team does not exist.

I took over from them but never looked at certificates, as the website was working and I have no experience with letsencrypt.

Now the website is down with the symptom of "certificate date has expired" for both the client service and the API service.

That's all the information I have.

So now I am trying to troubleshoot with this community's help and trying a few things on my own, learning as I go.

While, as you said, the frequency has increased, the reality is that the certificates are in an expired state with an expiry of 12/03.

On another thread I saw you can force renewal using certbot.
So I logged into Google Cloud Shell and tried to install certbot on my shell account, which may not be the right thing; I probably need to be in one of the certbot/acme containers to run certbot.

Is there any specific information I can give you that will help you help me?

Getting this error from cert-manager

cert-manager/secret-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.certmanager.k8s.io "proxy-metrics-tls" not found" "certificate"={"Namespace":"default","Name":"proxy-metrics-tls"} "secret"={"Namespace":"default","Name":"proxy-metrics-tls"}

@Osiris @rg305 Looking at events for certificate I see this:

Events:
  Type     Reason         Age  From          Message
  Normal   OrderComplete  29m  cert-manager  Order "-------" completed successfully
  Warning  SaveCertError  29m  cert-manager  Error saving TLS certificate: resourceVersion should not be set on objects to be created
  Normal   OrderComplete  22m  cert-manager  Order "-----" completed successfully
  Warning  SaveCertError  22m  cert-manager  Error saving TLS certificate: resourceVersion should not be set on objects to be created

I would open the Windows certificate manager and IIS (if used) to review all the certs therein.
Then start by deleting all those that have expired or are no longer being used.
Then check the remaining certs to ensure the system has the (correct) private key to use it.
[deleting any that fail that test]
If any are left, use them.
If any names are uncovered, get new certs for those and use them where needed.

All that certmanager stuff really is just gibberish to me to be honest.

Good, that is why we decided to move away from this useless "tool" and switched to GCP. Much better support and easy to fix.

Good luck!
