Certificate indicates expiry in 89 days but expiry email received and website failing

Problem:
I received email 10 days ago notifying me of the following domain expiries in 10 days.
I received another email today notifying me that the domains just expired, and indeed the domains have ceased to work exactly at the time indicated on the emails.
However when I logon to the server and try a certbot renew it indicates the certificate does not expire for another 89 days.
When I do a certbot certificates it indicates all of the domains are contained in the current certificate.
I much appreciate your help, as I do not understand why access to the websites is being restricted.

My domain is:
datajet.app, engine.datajet.app, file.datajet.app, test.datajet.app, testnode.datajet.app

I ran this command:
certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/datajet.app.conf


Certificate not yet due for renewal


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/datajet.app/fullchain.pem expires on 2022-03-07 (skipped)
No renewals were attempted.


My web server is (include version):
nginx/1.14.2

The operating system my web server runs on is (include version):
Debian 10

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

1 Like

You added doc.datajet.app to your latest certificate.

The expiry email would be referencing the previous certificate, without doc on it:

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

Your websites seem to work fine for me. Which one isn't working?

4 Likes

Thank you for such an amazingly prompt reply!

You should see a login screen at https://datajet.app/datajetsoftware, but for me that stopped working at the same time as the old certificate expired. I now receive a 502 Bad Gateway from nginx. This is after a redirect to https://auth.datajet.app which is on another certificate. I can access https://auth.datajet.app directly with no problem, so do not believe that certificate is the issue.

1 Like

Maybe something erroneous is cached? I can see a perfectly fine login screen from my endpoint.

4 Likes

Confirmed. Other users can also access the site OK.

I am using a Windows client machine, and this happened last expiry too. Is this a common/known problem or is it just me? It may cause problems if our customers experience the same cache issue.

Perhaps the problem can be mitigate by having one domain per certificate so that the domain list doesn't change (if that is possible with certbot)?

Again, many thanks for your extremely prompt attention. :slight_smile:

2 Likes

Update: Clearing the browser cache resolves the issue.

4 Likes

3 posts were split to a new topic: FreeNAS cert renewal issue

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.