SSL cert does not work after renewal via one is used in Gui

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: --renew -d

It produced this output: Renew: ''
[Fri Dec 16 22:21:23 MSK 2022] Renew to Le_API=
[Fri Dec 16 22:21:23 MSK 2022] Skip, Next renewal time is: 2023-02-05T09:01:52Z
[Fri Dec 16 22:21:23 MSK 2022] Add '--force' to force to renew.

My web server is (include version):nginx-1.18.0

The operating system my web server runs on is (include version):TrueNAS-SCALE-22.02.4

My hosting provider, if applicable, is:self

I can login to a root shell on my machine (yes or no, or I don't know):yes

So https connections fail and old cert is being used

Please show: --list
nginx -T | grep -i ssl


Main_Domain KeyLength SAN_Domains CA Created Renew "2048" no 2022-12-08T09:01:52Z 2023-02-05T09:01:52Z

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Use a capital "T" in:
nginx -T | grep -i ssl


same output

that's very strange...

try just:
nginx -T

That is the latest [valid] cert. |
The previous one is now expired :frowning:


nginx.txt (9.9 KB)

Right - it is expired but the system is still using it and that's what the error is about - expired ssl. The question is how to make the system use the new one? Is there an option in maybe to force it somehow or delete the expired one?

Well, it doesn't seem to have anything to do with nginx.
That only shows:

        server_name  localhost;
        listen       [::]:81;

One unrelated HTTP server block that is listening on port 81.

ps -ef | grep -Ei 'nginx|http|apache'
netstat -pant | grep -E '\:8|\:4'


Output.txt (13.2 KB)
I am about to step out for an hour or so

Very interesting output

Traefik running:

apps 21212 21162 0 08:25 ? 00:00:05 traefik traefik --global.checknewversion --entryPoints.main.address=:9000/tcp --entryPoints.metrics.address=:9180/tcp --entryPoints.web.address=:80/tcp --entryPoints.websecure.address=:443/tcp --api.dashboard=true --ping=true --metrics.prometheus=true --metrics.prometheus.entrypoint=metrics --providers.kubernetescrd --providers.kubernetesingress --providers.kubernetesingress.ingressendpoint.publishedservice=ix-traefik/traefik-tcp --entrypoints.web.http.redirections.entryPoint.scheme=https --entrypoints.websecure.http.tls=true --log.format=common --metrics.prometheus --ping --serverstransport.insecureskipverify=true --providers.kubernetesingress.allowexternalnameservices=true

One Apache running on port 8080:

root 5000 1 0 08:23 ? 00:00:00 /usr/sbin/apache2 -k start
tcp6 0 0 :::8080 :::* LISTEN 5000/apache2 

Three nginx running:

root      19808 19762 0 08:25 ? 00:00:00 nginx: master process nginx -g daemon off;
www-data  37559 37521 0 08:30 ? 00:00:00 nginx: master process nginx -g daemon off;
root     124876     1 0 09:16 ? 00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
tcp  0 0* LISTEN 124876/nginx: maste 
tcp6 0 0      :::81      :::* LISTEN 124876/nginx: maste 

And something else... trying to start nextcloud:

www-data  36429 36405 0 08:29 ? 00:00:00 /bin/sh -c /bin/bash <<'EOF' set -m echo "Waiting for notify_push file to be available..." until [ -f /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push ] do sleep 10 echo "Notify_push app not found... waiting..." done echo "Waiting for Nextcloud to start..." until $(curl --output /dev/null --silent --head --fail -H "Host: test.fakedomain.dns"; do echo "Nextcloud not responding... waiting..." sleep 10 done until $(curl --silent --fail -H "Host: test.fakedomain.dns" | jq --raw-output '.installed' | grep "true"); do echo "Nextcloud not installed... waiting..." sleep 10 done echo "Nextcloud instance with Notify_push found... Launching High Performance Backend..." /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push /var/www/html/config/config.php & echo "Configuring CLI url..." php /var/www/html/occ config:system:set overwrite.cli.url --value='' echo "Executing standard nextcloud version migration scripts to ensure they are actually ran..." php /var/www/html/occ db:add-missing-indices echo "Imaginary High Performance Previews enabled, enabling it on Nextcloud..." php /var/www/html/occ config:system:set preview_imaginary_url --value='' php /var/www/html/occ config:system:set preview_max_x --value='2048' php /var/www/html/occ config:system:set preview_max_y --value='2048' php /var/www/html/occ config:system:set preview_max_memory --value='512' php /var/www/html/occ config:system:set preview_max_filesize_image --value='150' # Remove all preview providers and re-add only selected php /var/www/html/occ config:system:delete enabledPreviewProviders # Add imaginary always # Initialize counter php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value='OC\Preview\Imaginary' php /var/www/html/occ config:system:set enabledPreviewProviders 1 --value='OC\Preview\PNG' php /var/www/html/occ config:system:set enabledPreviewProviders 2 --value='OC\Preview\JPEG' php /var/www/html/occ config:system:set enabledPreviewProviders 3 --value='OC\Preview\GIF' php /var/www/html/occ config:system:set enabledPreviewProviders 4 --value='OC\Preview\BMP' php /var/www/html/occ config:system:set enabledPreviewProviders 5 --value='OC\Preview\XBitmap' php /var/www/html/occ config:system:set enabledPreviewProviders 6 --value='OC\Preview\MP3' php /var/www/html/occ config:system:set enabledPreviewProviders 7 --value='OC\Preview\MarkDown' php /var/www/html/occ config:system:set enabledPreviewProviders 8 --value='OC\Preview\OpenDocument' php /var/www/html/occ config:system:set enabledPreviewProviders 9 --value='OC\Preview\TXT' php /var/www/html/occ config:system:set enabledPreviewProviders 10 --value='OC\Preview\Krita' # Set default phone region php /var/www/html/occ config:system:set default_phone_region --value='US' echo "Configuring High Performance Backend for url:" php /var/www/html/occ config:app:set notify_push base_endpoint --value='' fg EOF 

I don't use TrueNAS so I can't say if that is normal and expected OR not.

Seeing Traefik, I would think that is the first place to start troubleshooting/investigating.
But, also seeing Apache, I would really think that is a very good place to start troubleshooting/investigating.


I never had apache installed though which tells me I was possibly hacked?

Something installed it.
Let's see what it is doing, with:
apachectl -t -D DUMP_VHOSTS


*:8080 localhost (/etc/apache2/Includes/webdav.conf:2)

Yeah I activated WEbDAV I remember that - actually Nextcloud has it by default I guess

It's NOT nginx
It's NOT Apache
That leaves: Traefik

Did you install


yes I did

What is using it?
How did you get it to use it?


I had it initially installed on the system when I renewed it first time on my fresh install of Truenas Scale migrating from trueNAS Core. Shortly after that I had my system hard drive go bad so I reinstalled it from my backup config. By the time I needed to renew there were no acme in the system - gone. So I installed it again and renewd the cert. That's the story. As far as How did you get it to use it? - I have no clue

You continue to use the word "system".
But I'm unsure of exactly what "system" means.

I understand it is a TrueNAS device.
But there are many possible software that can run in it [and use a cert].