Certificates not expired but page shows expired

sudo ssl-cert-check -c /etc/letsencrypt/live/s3zipper.com/cert.pem

Host                                              Status  Expires     Days
FILE:/etc/letsencrypt/live/s3zipper.com/cert.pem  Valid   Jun 2 2020  74

But the page shows that it is expired.
I can’t renew.
Do I need to delete the certs?

1 Like

Hi @Edwin

checking your domain - https://check-your-website.server-daten.de/?q=s3zipper.com#ct-logs

There is a new certificate:

Issuer                      not before   not after    Domain names                                                               LE-Duplicate  next LE
Let's Encrypt Authority X3  2020-03-04   2020-06-02   blog.s3zipper.com, s3zipper.com, www.blog.s3zipper.com, www.s3zipper.com - 4 entries
Let's Encrypt Authority X3  2020-02-19   2020-05-19   blog.s3zipper.com, s3zipper.com, www.blog.s3zipper.com, www.s3zipper.com - 4 entries

But you don’t use it, instead you use an expired certificate:

CN=s3zipper.com
not before: 20.12.2019
not after:  19.03.2020 (1 day expired)
blog.s3zipper.com, s3zipper.com, www.blog.s3zipper.com, www.s3zipper.com - 4 entries

How did you create the new certificate? What’s your client? Did you restart your server?

If Certbot, what says

certbot certificates
2 Likes

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: s3zipper.com
    Domains: s3zipper.com blog.s3zipper.com www.blog.s3zipper.com www.s3zipper.com
    Expiry Date: 2020-06-02 04:04:25+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/s3zipper.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/s3zipper.com/privkey.pem


I will restart now.

1 Like

Your script needs to automatically handle restarts/reloads on successful renewals.

1 Like

But this is why I used Webroot. I thought this doesn't need restarts or shutting down the server.

1 Like

Webroot allows the authentication to complete - yes.
But, on completion, a new cert is issued.
The web server must let go of the old cert and start using the new one.
There are ways to gracefully restart most web servers and load the new connections to the new cert.

3 Likes
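The missing piece the reply above describes, as an added example that is not from the thread or from certbot itself: a deploy hook that certbot runs once after each successful renewal (installed under /etc/letsencrypt/renewal-hooks/deploy/ or passed with --deploy-hook). certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS to deploy hooks; the systemd unit name s3zipper.service is an assumption, and the reload command is a variable so the same hook works for nginx (`nginx -s reload`). Before reloading, the hook checks that the new certificate is not about to expire and that privkey.pem actually matches fullchain.pem, so a broken renewal cannot take the service down.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that reloads the
# service only after verifying the renewed files. Unit name is an assumption.
set -eu

SERVICE="${SERVICE:-s3zipper.service}"
# Overridable so the hook can be pointed at nginx or exercised without systemd.
RELOAD_CMD="${RELOAD_CMD:-systemctl reload $SERVICE}"

# reload_after_renewal LINEAGE_DIR
# Verifies the renewed pair, then runs RELOAD_CMD. Returns non-zero without
# reloading if anything looks wrong, leaving the currently loaded cert in use.
reload_after_renewal() {
	lineage="$1"
	cert="$lineage/fullchain.pem"
	key="$lineage/privkey.pem"
	if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
		echo "reload-service: missing $cert or $key" >&2
		return 1
	fi
	if command -v openssl >/dev/null 2>&1; then
		# Refuse to deploy a certificate that expires within 24h (-checkend seconds).
		if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null; then
			echo "reload-service: $cert is expired or about to expire" >&2
			return 1
		fi
		# The key must belong to the certificate, or the service fails its TLS setup.
		cpub=$(openssl x509 -in "$cert" -noout -pubkey)
		kpub=$(openssl pkey -in "$key" -pubout)
		if [ "$cpub" != "$kpub" ]; then
			echo "reload-service: private key does not match $cert" >&2
			return 1
		fi
	fi
	# RELOAD_CMD is root-controlled configuration, not user input.
	sh -c "$RELOAD_CMD"
}

# certbot sets RENEWED_LINEAGE when it invokes the hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
	reload_after_renewal "$RENEWED_LINEAGE"
fi
```

Because certbot only runs deploy hooks when a certificate was actually issued, a dry run (`certbot renew --dry-run`) will not reload the service; test the hook by invoking it with RENEWED_LINEAGE set by hand.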

Now your domain works.

So the missing restart fixed the problem.

1 Like

Yes, it was the restart. Will look into graceful restart.

2 Likes

For nginx (most likely what you are using):
{/path/to/}nginx -s reload
should do the trick

1 Like

It is actually Golang.
So, reloading the server service will be sufficient using systemd?
I don't want to take down the whole server if I don't have to.

1 Like

With most services, yes.

1 Like
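For a Go server specifically, the caveat is that http.Server.ListenAndServeTLS reads the certificate and key files once at startup, so `systemctl reload` only helps if the unit has an ExecReload that the program actually acts on; otherwise a restart is needed. The alternative that needs neither is a tls.Config.GetCertificate callback that re-reads the files when they change. The following is an added example, not code from the thread or from the questioner's project: the Let's Encrypt paths are the ones printed by `certbot certificates` above, and WriteSelfSigned only exists so the example can be run offline in place of the real certbot-managed files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"log"
	"math/big"
	"net/http"
	"os"
	"sync"
	"time"
)

// CertReloader serves the certificate currently on disk and re-reads it when
// the certificate file's mtime changes, so a renewed Let's Encrypt
// certificate is used on the next handshake without restarting the process.
type CertReloader struct {
	certPath, keyPath string
	mu                sync.RWMutex
	cert              *tls.Certificate
	modTime           time.Time
}

// NewCertReloader loads the pair once; startup fails if it is unusable.
func NewCertReloader(certPath, keyPath string) (*CertReloader, error) {
	r := &CertReloader{certPath: certPath, keyPath: keyPath}
	if err := r.reload(); err != nil {
		return nil, err
	}
	return r, nil
}

// reload parses the pair and swaps it in under the lock. On any error the
// previously loaded certificate stays in service.
func (r *CertReloader) reload() error {
	cert, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return err
	}
	cert.Leaf = leaf // lets callers inspect NotAfter without re-parsing
	st, err := os.Stat(r.certPath)
	if err != nil {
		return err
	}
	r.mu.Lock()
	r.cert, r.modTime = &cert, st.ModTime()
	r.mu.Unlock()
	return nil
}

// GetCertificate is the tls.Config callback, invoked per handshake. A stat is
// cheap; a full reload only happens when the file changed.
func (r *CertReloader) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if st, err := os.Stat(r.certPath); err == nil {
		r.mu.RLock()
		changed := !st.ModTime().Equal(r.modTime)
		r.mu.RUnlock()
		if changed {
			_ = r.reload() // on failure keep serving the old certificate
		}
	}
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// TLSConfig wires the reloader into a server configuration.
func (r *CertReloader) TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: r.GetCertificate}
}

// WriteSelfSigned writes a constructed self-signed ECDSA certificate for name
// with the given expiry. It stands in for the certbot-managed files only so
// the example runs offline; it is not part of the production path.
func WriteSelfSigned(certPath, keyPath, name string, notAfter time.Time) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	if err := os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600); err != nil {
		return err
	}
	return os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
}

func main() {
	r, err := NewCertReloader("/etc/letsencrypt/live/s3zipper.com/fullchain.pem",
		"/etc/letsencrypt/live/s3zipper.com/privkey.pem")
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{Addr: ":443", TLSConfig: r.TLSConfig()}
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty names: cert comes from GetCertificate
}
```

With this in place certbot's renewal needs no hook at all for the Go process; the deploy hook remains useful for nginx or anything else that holds the old certificate in memory. Note that certbot replaces the files under /etc/letsencrypt/live by updating symlinks, and os.Stat follows them, so the mtime seen is that of the new file in archive/.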

I don’t know for certain about how Golang operates…

In the worst case, you should be able to slap an NGINX proxy in front of Golang and do all the TLS terminations, and cert validations, within NGINX.

nginx seems like a bit of overkill for just TLS termination. I reckon stunnel is lighter and perfectly suitable for the job.

You most probably do not have any visitors with very old browsers. The test on ssllabs.com is complete enough to display all sorts of minor problems. But if you really would like to investigate.