How to manage expired or missing certificates

I just discovered this post as a result of reviewing the expiration notify bot being removed. Could you explain or clarify how a webserver (linux / windows) might not restart as a result of not having a valid certificate?

The concern is not about a "valid" certificate. Osiris was warning about a "missing" cert. A web server (say, nginx or Apache) will fail to start if its config names a cert file that no longer exists. Web servers happily send out expired certs. It is the clients (like browsers) that don't like seeing expired ones sent out by the server.

It is a fair general warning because some people delete the cert thinking they want to start over not realizing they just damaged their web server. The Certbot docs explain one way to avoid that problem.

Another way is simply to remove the VirtualHost (Apache) or server block (nginx) that refers to the now non-existent file. 🙂 Then just put those back later if you want to use that domain name again with a cert. If you have redirects from HTTP to HTTPS, remove those too.

3 Likes
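The failure mode described above (a server block that still names a cert or key file that has been deleted) can be caught before a restart. The following is an added example, not code from this thread or from Certbot: it scans nginx/Apache style config text for certificate directives and reports references whose file is absent. The directive list, the sample config and the placeholder file contents are constructed for the demo; Apache paths relative to ServerRoot are not resolved.

```python
import re
import tempfile
from pathlib import Path

# Directives whose argument is a file the server must open at startup.
# Constructed minimal list; nginx and Apache accept more than these.
CERT_DIRECTIVES = [
    "ssl_certificate", "ssl_certificate_key", "ssl_trusted_certificate",      # nginx
    "SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile",  # Apache
]
# Longest names first so "ssl_certificate" cannot shadow "ssl_certificate_key".
_DIRECTIVE_RE = re.compile(
    r"^\s*(" + "|".join(sorted(CERT_DIRECTIVES, key=len, reverse=True))
    + r')\s+"?([^\s";]+)"?\s*;?\s*$'
)


def find_cert_refs(config_text):
    """Return (line_no, directive, path) for every active cert/key reference."""
    refs = []
    for n, line in enumerate(config_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # commented-out directives are not loaded
        m = _DIRECTIVE_RE.match(line)
        if m:
            refs.append((n, m.group(1), m.group(2)))
    return refs


def missing_cert_files(config_text, root="/"):
    """Return the references whose file does not exist beneath root (absolute paths)."""
    return [(n, d, p) for n, d, p in find_cert_refs(config_text)
            if not Path(root, p.lstrip("/")).is_file()]


# Constructed nginx server block; the trusted-cert line is commented out on purpose.
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/old.example.com/chain.pem;
}
"""


def demo():
    """Simulate a live/ directory where privkey.pem was deleted; return the broken refs."""
    with tempfile.TemporaryDirectory() as root:
        live = Path(root, "etc/letsencrypt/live/example.com")
        live.mkdir(parents=True)
        (live / "fullchain.pem").write_text("constructed placeholder, not a real cert\n")
        return missing_cert_files(SAMPLE_CONFIG, root)  # privkey.pem is reported
```

Running `demo()` flags only the `ssl_certificate_key` line, which is exactly the reference that would stop nginx from starting.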

Tx for your response in making me smarter.
I'm using a windows server. I know a little linux but I would be put into the dangerous category.
I asked the question because I've only been working with SSL certs for just over a year and I would like to have the knowledge on this issue so as to prevent downtime in the future as a result of some inadvertent loss of a certificate, which might happen as a result of my inexperience and misuse of Let's Encrypt and wacs. Can I assume there would be entries in the Linux httpd.config file if I were using Linux? I don't believe this issue applies to the Windows server world. But that's why I'm asking. Googling hasn't turned up anything to say if I should ever worry about this happening.
Tx Mike.

Huh?

I'm pretty sure Linux Mint is not Windows.

Edit:
Ah, wait, this isn't your thread. Windows works differently I guess; I don't have experience with that, and Certbot shouldn't be used on Windows any longer.

I moved your posts into their own thread. We like each separate problem to have its own. Your comments had little to do with the other person's issue.

What issue exactly? That you somehow damage your server conf?

You should have test systems to avoid that. And, even health checks to ensure it is properly running. These can take many forms and are well beyond the scope of this forum. Many things can theoretically go wrong with servers. Not just certs.

You will have to review whatever future system you choose to use and how it is configured. But, yes, Apache has a conf file on Linux systems too.

1 Like

So for Windows you are probably using IIS as your web server unless you have gone out of your way to use Apache or nginx. If your certificate becomes invalid the webserver will still work, but your browser will complain that the certificate is expired etc. and may prevent access.

You can generally tell if your certificate is being renewed by clicking your browser's padlock or website settings icon in the address bar, then reviewing the certificate details and seeing if the Issued/Start date is recent. You can also search your domain on https://crt.sh/ to see recently issued certs.

If you just need more visibility of which certs are being renewed you can use a certificate monitoring tool. If you want to monitor failed renewals, that can be more involved, but if you use https://certifytheweb.com (which I develop) on Windows you will see visual status indicators for certs that have renewal problems and you will also automatically receive failure status reports if a renewal keeps failing.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.