Expiration notice for Let's Encrypt certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: forum.njordchallenge.com

I ran this command:

It produced this output:

My web server is (include version): Digital Ocean

The operating system my web server runs on is (include version): Ubuntu 20.04 (LTS) x64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi! I have followed this guide to set up a Discourse forum: discourse/INSTALL-cloud.md at master · discourse/discourse · GitHub.

This should enable Let's Encrypt certificate automatically, but I still get the expiry notice. The certificate expires in 10 days, and I would like to renew it before it expires. Could anyone help me out? I tried to install certbot to renew with no luck.

I made these commands:
-apt install certbot

Followed by:
root@njordsnewdroplet:~# certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


No renewals were attempted.


And:
root@njordsnewdroplet:~# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.


2 Likes

Certbot can't renew what it doesn't know. If you didn't use certbot to get the certificates in the first place, it doesn't know about the existence of your certificates, as they were issued by a different ACME client.

If it expires in 10 days, you're probably talking about the certificate containing the hostnames forum.njordchallenge.com and www.forum.njordchallenge.com. See crt.sh | forum.njordchallenge.com for a list of certificates for your hostname.

It seems you have other certificates issued after the one expiring in 10 days, but only for forum.njordchallenge.com. I don't know if you actually require the cert with the www subdomain?

It seems you've followed the guide at Set up HTTPS support with Let's Encrypt - sysadmin - Discourse Meta which uses acme.sh and should renew automatically.

2 Likes

Hi @eivinlov

Please read the complete mail and the link shared in the mail.

There is your answer.

1 Like

Hi! Thanks for your reply. I'm new to this, so excuse my poor knowledge of how things work.

> It seems you have other certificates issued after the one expiring in 10 days, but only for forum.njordchallenge.com.

I can see that there are other certificates issued after the one expiring in 10 days for 'forum.njordchallenge.com'. I suppose I can "ignore" the notice with respect to this subdomain.

> I don't know if you actually require the cert with the www subdomain?

I am not sure if I follow you on this. Are you suggesting that I might not need a certificate for www.forum.njordchallenge.com to enable HTTPS?

> It seems you've followed the guide at Setting up HTTPS support with Let's Encrypt - sysadmin - Discourse Meta which uses acme.sh and should renew automatically.

If I remember correctly I only used the guide in the original post, which should set up Let's Encrypt by default, and therefore this guide would have been unnecessary. When looking through the guide you suggested, and looking in the "containers/app.yml" file, it seems quite a similar set-up. I might be mistaken here, my recollection of how the forum was configured is unfortunately quite poor.

2 Likes

Hi! Thanks for your reply.

As I wrote in my other reply, I am quite new to this and am still trying to learn how things are connected. I have read through the entire mail, and the links shared in the mail. Could you share with me where exactly my answer is hiding? I suspect this: "If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message." might have something to do with what Osiris was telling me about, but other than that I need to be enlightened.

2 Likes

You probably can, indeed.

If you'd look closely, you'd notice that the hostname www.forum.njordchallenge.com doesn't even use the certificate with the www subdomain. Google Chrome ignores this, as it has "whitelisted" the www subdomain to be ignored in some situations, but Firefox and/or Edge might have a problem with the actually incorrect certificate presented.

It all depends if you actually want the www subdomain. Personally, I find it superfluous if you already use the forum subdomain. Adding www doesn't really add anything IMHO.

Could be. The guide you've posted indeed says something about a "Let's Encrypt account email" which needs to be entered.

2 Likes

There

you have your complete answer.

Let's Encrypt doesn't know which certificate you really use.

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

You want to look at what certificates you are actually using (have installed) to determine what actually needs to be renewed. Let's Encrypt has no way of knowing which of the certificates you've been issued you will actually use.

1 Like
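Added example, not part of the original thread: one way to check what the replies above describe, i.e. which certificate a hostname actually serves, whether it covers that name, and how long it has left. The hostnames, dates and sample certificates are constructed; `fetch_served_cert` needs network access and is not called on the samples.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_served_cert(host, port=443, timeout=5.0):
    """Return the certificate the server presents for `host` (sent as SNI)."""
    ctx = ssl.create_default_context()   # chain is still validated
    ctx.check_hostname = False           # names are compared by covers() instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def covers(cert, host):
    """True if a DNS subjectAltName entry matches `host` (wildcard = one label)."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def days_left(cert, now=None):
    """Whole days until the certificate's notAfter."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def assess(host, cert, now=None, warn_days=14):
    """Classify the served certificate for `host`."""
    if not covers(cert, host):
        return "name-mismatch"
    left = days_left(cert, now)
    if left < 0:
        return "expired"
    return "renew-soon" if left <= warn_days else "ok"

# Constructed samples in the shape ssl.getpeercert() returns.
OLD_CERT = {"subjectAltName": (("DNS", "forum.example.org"), ("DNS", "www.forum.example.org")),
            "notAfter": "Jun 10 12:00:00 2021 GMT"}
NEW_CERT = {"subjectAltName": (("DNS", "forum.example.org"),),
            "notAfter": "Aug 20 12:00:00 2021 GMT"}
NOW = datetime(2021, 5, 31, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host in ("forum.example.org", "www.forum.example.org"):
        print(host, "->", assess(host, NEW_CERT, NOW))
```

Against a live site, pass the result of `fetch_served_cert(host)` to `assess` for each hostname that has a DNS record; an expiry notice only matters for a certificate that one of those hostnames still serves.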

Well, the www subdomain doesn't use the cert with the www subdomain, so you do the math :wink:

I think the main question is: what does OP want? Does it want an actually working www subsubdomain? Or is using the forum subdomain without www actually fine?

2 Likes

What does it have in its pocketses, precious?

:grin:

Yes, you are correct though, my friend.

2 Likes

You guys are firing on all cylinders to help me out here, thanks so much.

Wow, I just learned how to do proper quoting as well.

Well, it would need to know what having an actually working www subsubdomain adds to the forum.njordchallenge.com. I can't immediately see any need for having a www subsubdomain, when the www is superfluous and things work fine without it.

3 Likes

It seems like www.forum.njordchallenge.com is redirecting automatically to just forum.njordchallenge.com. Might mean that it really is superfluous. Anyways, I consider the problem solved. Conclusion: forum.njordchallenge.com has automatic renewal enabled. Don't care about the expiry of the certificate for www.forum.njordchallenge.com as www is old-fashioned and superfluous.

Thanks!

3 Likes

If your server is Apache

sudo certbot renew

should do the job

Personally, I remove the www subdomain from all of my domain names anyhow for the very reason you've stated. Having the www subdomain can hurt SEO if proper URL canonicalization is not implemented (by choosing either non-www or www and sticking to it). However, in the case of www.forum.njordchallenge.com, the www is a second-level subdomain, which really isn't needed nor is it standard. I would highly recommend just removing the A record from your DNS for www.forum.njordchallenge.com.

But if https://www.forum.njordchallenge.com is presenting a certificate that doesn't cover www.forum.njordchallenge.com, many browsers will throw a huge warning before redirecting, which could cost you traffic (and search ranking).

2 Likes

That's no use at all if, such as in this case, certbot wasn't used to get the certs in the first place.

2 Likes
