Trouble with renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ettransport.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

2 Likes

I had an employee who created my website and set us up with this certificate. He is now gone and I have no idea how to renew it. Help!

2 Likes

Welcome. :slightly_smiling_face:

I’ll try to help you out. Looking at the history of certificates for ettransport.com, I can see that you have 2 unexpired Let’s Encrypt certificates that have been automatically renewing every 60 days as normal:

Your domain registration with GoDaddy for ettransport.com is set to expire at 17:30:33 UTC on 9/12/2020, but might be set up for automatic renewal. I’m not sure about the expiration status for the hosting of your website.

It looks like ettransport.com and www.ettransport.com are still serving a certificate that expired on 8/4 even though a new certificate was generated that expires on 10/3. Similarly, dev.ettransport.com is still serving a certificate that expired on 7/8 even though 2 new certificates were generated that expire on 9/6 and 11/5.

Did you recently change server setups for your website?

https://crt.sh/?q=ettransport.com

2 Likes

Thanks so much for responding!

It is within the last two years that we had an employee create a new web site for us. I am not sure what the “dev.ettransport.com” would be, or why we would need 2 certificates, I am very inexperienced at this. All I know is that we have been using and advertising our www.ettransport.com website for years and now folks cannot log into it without getting security warnings, as the certificate has expired. And I am also not sure why it would not have simply automatically renewed.

The employee who set up everything is no longer working here and I cannot reach him. I am thinking he may have possibly received some type of renewal notice in his emails, but I have not been able to find it. I know the Go Daddy domain registration is set to automatically renew.

How would I determine if he changed server setups when creating the website?

Sorry to be such a novice…

Stan

2 Likes

You’re very welcome. :slightly_smiling_face:

I know this kind of knowledge gap can be challenging when someone leaves. Let’s try to tackle things one at a time and see where we arrive.

I am not sure of what dev.ettransport.com would be either, but it currently returns a server error. Based on the “dev” it’s possible this could have been used as a sandbox for a copy to safely develop/update the website without affecting the main operation of the website. This would explain why it returns an error, which is not the best situation, but should only be a wart that shouldn’t affect anything. The separate certificate in this case is actually wise because it further divorces the operational (production) website from the development site and allows the development site to be hosted on an entirely separate server.

Referencing the information I provided in my first response, renewal certificates were issued, but evidently not installed. Considering that the website is still operational and to your knowledge the website was not moved to a different host, it is my guess that either the renewal process is requiring manual installation of the certificates or there is a configuration problem with installing the new certificates (which is unlikely given the substantial renewal history). There is also the possibility that the webserver simply needs to be restarted once the new certificates have been installed and the renewal process was unable to do so automatically. Therefore, I would suggest doing the following:

  1. Restart the webserver.
  2. Install the already-valid certificate you (should) have along with its corresponding private key.

I understand that you might not know how to accomplish these tasks. To help you with this, you’ll need to gather more information about your webserver hosting including the name of the hosting provider and what ACME client is managing your certificates (I’m guessing it’s certbot).

2 Likes

I bet it’s DigitalOcean for hosting provider, Nginx for web server, and probably certbot for certificate management.

2 Likes

My hat’s off to you for discovering/deducing the first two. :smile: I didn’t dig quite that deep. Probably should have though.

It’s so rare to see an operational system that’s successfully autorenewing, but not successfully installing new certificates. I’m really wondering what’s going on.

2 Likes

To be honest, I think this might be another “Failed to reload Nginx issue”. It might be either the reload was done by hand before or there’s some issue with the current nginx configuration.

2 Likes

I concur. I really hope it’s just a reload that’s needed.

2 Likes

I know that it IS Digital Ocean that is our hosting provider. I am not sure if Nginx is the web server, or how to find that out. Would the people at Digital Ocean be able to help me at this point?

1 Like

Just try running the following command to reload the webserver:

sudo systemctl reload nginx

Sadly, no. Your droplet at DigitalOcean is self-managed, which means the support team will be responsible for any hardware failures that occur but not any software issues on your droplet.

1 Like
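Added example, not part of any post in this thread: a shell check for the situation discussed above, where renewals succeed but the web server keeps presenting the old certificate. It assumes the certbot default path `/etc/letsencrypt/live/<domain>/fullchain.pem`, which the thread only guesses at; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: is the certificate on disk the one the web server presents?
# Usage (as root, since certbot's live/ directory is root-only):
#   sh check_cert.sh example.com [path/to/fullchain.pem]

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Save the leaf certificate that host $1 presents on port 443 to file $2.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Compare the on-disk certificate ($1) with the served one ($2). Prints:
#   disk-cert-unreadable  wrong path, or a different ACME client is in use
#   disk-cert-expired     renewal itself is failing
#   in-sync               the server presents the certificate on disk
#   reload-needed         renewal worked, but the server never picked it up
diagnose() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "disk-cert-unreadable"
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo "disk-cert-expired"
    elif [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; then
        echo "in-sync"
    else
        echo "reload-needed"
    fi
}

# Run the check only when a host name is given on the command line.
if [ "$#" -ge 1 ]; then
    host="$1"
    # Assumption: certbot's default layout; pass a second argument otherwise.
    disk="${2:-/etc/letsencrypt/live/$host/fullchain.pem}"
    served="$(mktemp)"
    if fetch_served_cert "$host" "$served"; then
        diagnose "$disk" "$served"
    else
        echo "could not fetch a certificate from $host" >&2
    fi
    rm -f "$served"
fi
```

A `reload-needed` result matches the case in this thread; if it persists after `sudo systemctl reload nginx`, `sudo nginx -t` reports whether a configuration error is blocking the reload.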