Certificate seems expired but certbot renew says otherwise

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: georgyvlad.com

I ran this command: curl https://georgyvlad.com/

It produced this output: curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

I ran this command: certbot renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/georgyvlad.com.conf
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/georgyvlad.com/fullchain.pem (skipped)
No renewals were attempted.

My web server is (include version): nginx/1.6.2

The operating system my web server runs on is (include version): Debian GNU/Linux 8 (jessie)

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.9.3


Hi @georgyvlad,

Welcome to the community forum!

I see that your domain has issued newer certs than what is being reported by your webserver.
https://crt.sh/?q=georgyvlad.com

Here’s the certificate that is being reported from your webserver

$ echo | openssl s_client -connect georgyvlad.com:443 -servername georgyvlad.com 2>/dev/null | openssl x509 -noout -startdate -enddate
notBefore=Jan 23 23:25:02 2019 GMT
notAfter=Apr 23 23:25:02 2019 GMT

Can you try reloading nginx and running my test above? Failing that test, try restarting nginx instead.


Wow, thanks!

I didn’t realize I needed to restart nginx to use renewed certificates…

I just restarted the nginx webserver and now the problem seems to be gone.

Do you know whether that is really the case - nginx needs to restart once in a while (or after certbot renew)?

Thanks a lot, by the way!


According to https://www.nginx.com/resources/wiki/start/topics/tutorials/commandline/#loading-a-new-configuration-using-signals you should be able to run systemctl reload nginx. The reload issues a SIGHUP which reads in the new/updated configuration. A certificate change counts as a configuration change to nginx. You can confirm that by using lsof too.

As for automatically reloading nginx during renewal, check out the certbot pre/post issuance hooks. https://certbot.eff.org/docs/using.html?highlight=hook

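Putting the openssl check from the earlier reply together with the reload advice above, here is an added example script (not from this thread, and not part of certbot or nginx) that compares the certificate nginx is actually presenting on port 443 with the leaf certificate in fullchain.pem, and reloads nginx only when the two differ. It assumes openssl is installed, nginx is managed by systemd, and the script is saved as check-cert-reload.sh; the domain and the /etc/letsencrypt paths are the ones from the thread.

```shell
#!/bin/sh
# Added example: verify that nginx is serving the certificate certbot wrote
# to disk, and reload nginx only if it is not. Domain and paths come from
# the thread; the hook wiring is an assumption about the reader's setup.
set -eu

# SHA-256 fingerprint of the leaf certificate presented on port 443.
served_fingerprint() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^[^=]*=//'
}

# SHA-256 fingerprint of the leaf certificate in a PEM bundle; openssl x509
# reads only the first certificate in the file, which is the leaf in fullchain.pem.
disk_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^[^=]*=//'
}

# Decision logic, kept free of network and openssl calls so it can be
# exercised on its own. Prints "ok" when the served and on-disk fingerprints
# match, "reload" when they differ, and "unknown" when either is empty
# (connection refused, file unreadable, openssl missing, ...).
reload_decision() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo unknown
  elif [ "$1" = "$2" ]; then
    echo ok
  else
    echo reload
  fi
}

main() {
  domain="$1"
  live_cert="/etc/letsencrypt/live/${domain}/fullchain.pem"
  served=$(served_fingerprint "$domain" || true)
  disk=$(disk_fingerprint "$live_cert" || true)
  case $(reload_decision "$served" "$disk") in
    ok)      echo "nginx already serves the certificate in $live_cert" ;;
    reload)  echo "served certificate differs from $live_cert; reloading nginx"
             systemctl reload nginx ;;
    unknown) echo "could not obtain both fingerprints (served='$served', disk='$disk')" >&2
             exit 1 ;;
  esac
}

# Run only when a domain is given on the command line, e.g.
#   sh check-cert-reload.sh georgyvlad.com
if [ "$#" -ge 1 ]; then
  main "$1"
fi
```

To run it automatically, wire it in as the post-hook mentioned above, e.g. certbot renew --post-hook "/usr/local/sbin/check-cert-reload.sh georgyvlad.com". The post-hook runs after every certbot renew attempt, including the "not yet due" case from the first post, so the fingerprint comparison is what keeps nginx from being reloaded when nothing changed. Newer certbot releases also provide --deploy-hook, which certbot runs only when a certificate was actually renewed.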
