Certificate not secure AFTER renewal

The certificate is suddenly insecure starting today. I have a cron that attempts to renew on a weekly basis, so I was under the impression this would be done correctly. I manually tried to run the command as indicated below but I get a message that it’s not up for renewal yet.

This is on a client website that gets many requests a day and many sales.

Please fill out the fields below so we can help you better.

My domain is: www.evopoints.co.za

I ran this command: certbot renew --renew-hook "service nginx reload"

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.evopoints.co.za.conf
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.evopoints.co.za/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 16.10

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have just run it with --force-renewal and the certificate is now valid.
I am however now terrified that this will happen again in future on this and other clients. Does anyone know why this happened in the first place and how to prevent it from happening in future?

There was already a valid certificate.

This certificate was issued April 13 and expired 1 hour and 4 minutes ago: https://crt.sh/?id=118299170

A newer certificate, presumably a scheduled renewal, was issued June 14: https://crt.sh/?id=154123240

Could you tell us what error message you received?

Is the cron job, systemd timer, or /etc/letsencrypt/renewal/www.evopoints.co.za.conf renewal configuration file also configured to run “service nginx reload”?

Edit: Can you tell if Nginx had previously been reloaded, perhaps from your archived Certbot letsencrypt.log or Nginx error.log files?

  • No error message received. Just the message (posted above) that the cert is
    not up for renewal yet.
  • Yes, "service nginx reload" is also present in the @weekly cronjob

I did in June have renewal issues (404 etc). During that time it’s plausible
that I renewed a cert without installing it.
It’s also possible that Nginx wasn’t reloaded at the time; unlikely though
because our deploy scripts do a nginx reload when required, and we do a bunch of
deploys a month.

I think I did something silly like the above mentioned when I was doing the
debugging in June. I’ll monitor this for now and if any issues will revert back.
