sudo ssl-cert-check -c /etc/letsencrypt/live/s3zipper.com/cert.pem
Host Status Expires Days
FILE:/etc/letsencrypt/live/s3zipper.com/cert.pem Valid Jun 2 2020 74
But the page shows that it is expired.
I can’t renew.
Do I need to delete the certs?
Hi @Edwin
checking your domain - https://check-your-website.server-daten.de/?q=s3zipper.com#ct-logs
There is a new certificate:
| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-03-04 | 2020-06-02 | blog.s3zipper.com, s3zipper.com, www.blog.s3zipper.com, www.s3zipper.com - 4 entries | | |
| Let's Encrypt Authority X3 | 2020-02-19 | 2020-05-19 | blog.s3zipper.com, s3zipper.com, www.blog.s3zipper.com, www.s3zipper.com - 4 entries | | |
But you don't use it, instead you use an expired certificate:
CN=s3zipper.com
20.12.2019
19.03.2020
1 days expired
blog.s3zipper.com, s3zipper.com, www.blog.s3zipper.com, www.s3zipper.com - 4 entries
How did you create the new certificate? What's your client? Did you restart your server?
If Certbot, what does this say:
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: s3zipper.com
Domains: s3zipper.com blog.s3zipper.com www.blog.s3zipper.com www.s3zipper.com
Expiry Date: 2020-06-02 04:04:25+00:00 (VALID: 73 days)
Certificate Path: /etc/letsencrypt/live/s3zipper.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/s3zipper.com/privkey.pem
I will restart now.
Your script needs to automatically handle restarts/reloads on successful renewals.
But this is why I used Webroot. I thought this doesn’t need restarts or shutting down the server.
Webroot allows the authentication to complete - yes.
But, on completion, a new cert is issued.
The web server must let go of the old cert and start using the new one.
There are ways to gracefully restart most web servers and load the new connections to the new cert.
Now your domain works.
So the missing restart fixed the problem.
Yes, it was the restart. Will look into graceful restart.
For nginx (most likely what you are using):
{/path/to/}nginx -s reload
should do the trick
It is actually Golang.
So, reloading the server service will be sufficient using systemd?
I don’t want to take down the whole server if I don’t have to.
With most services, yes.
I don’t know for certain about how Golang operates…
In the worst case, you should be able to slap an NGINX proxy in front of Golang and do all the TLS terminations, and cert validations, within NGINX.
nginx seems like a bit of overkill for just TLS termination. I reckon stunnel is lighter and perfectly suitable for the job.