Edwin
March 20, 2020, 7:58pm
1
sudo ssl-cert-check -c /etc/letsencrypt/live/s3zipper.com/cert.pem
Host Status Expires Days
FILE:/etc/letsencrypt/live/s3zipper.com/cert.pem Valid Jun 2 2020 74
But the page shows that it is expired.
I can’t renew.
Do I need to delete the certs?
1 Like
Hi @Edwin
checking your domain - https://check-your-website.server-daten.de/?q=s3zipper.com#ct-logs
There is a new certificate:
But you don't use it, instead you use an expired certificate:
CN=s3zipper.com | 20.12.2019 | 19.03.2020 | 1 days expired | blog.s3zipper.com, s3zipper.com, www.blog.s3zipper.com, www.s3zipper.com - 4 entries
How did you create the new certificate? What's your client? Did you restart your server?
If Certbot, what does the following say:
certbot certificates
2 Likes
Edwin
March 20, 2020, 8:11pm
3
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: s3zipper.com
Domains: s3zipper.com blog.s3zipper.com www.blog.s3zipper.com www.s3zipper.com
Expiry Date: 2020-06-02 04:04:25+00:00 (VALID: 73 days)
Certificate Path: /etc/letsencrypt/live/s3zipper.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/s3zipper.com/privkey.pem
I will restart now.
1 Like
rg305
March 20, 2020, 8:13pm
4
Edwin:
I will restart now.
Your script needs to automatically handle restarts/reloads on successful renewals.
1 Like
Edwin
March 20, 2020, 8:15pm
5
But this is why I used Webroot. I thought this doesn’t need restarts or shutting down the server.
1 Like
rg305
March 20, 2020, 8:17pm
6
Webroot allows the authentication to complete - yes.
But, on completion, a new cert is issued.
The web server must let go of the old cert and start using the new one.
There are ways to gracefully restart most web servers and load the new connections to the new cert.
3 Likes
Edwin:
I will restart now.
Now your domain works.
So the missing restart fixed the problem.
1 Like
Edwin
March 20, 2020, 8:20pm
8
Yes, it was the restart. Will look into graceful restart.
2 Likes
rg305
March 20, 2020, 8:27pm
9
For nginx (most likely what you are using):
{/path/to/}nginx -s reload
should do the trick
1 Like
Edwin
March 20, 2020, 8:31pm
10
It is actually Golang.
So, reloading the server service will be sufficient using systemd?
I don’t want to take down the whole server if I don’t have to.
1 Like
rg305
March 20, 2020, 10:05pm
12
I don’t know for certain about how Golang operates…
In the worst case, you should be able to slap an NGINX proxy in front of Golang and do all the TLS terminations, and cert validations, within NGINX.
Osiris
March 21, 2020, 6:39am
13
nginx seems like a bit of overkill for just TLS termination. I reckon stunnel is lighter and perfectly suitable for the job.