Website shows certificate expired but certificate as still valid

When I opened my Website "frankhaefele.spdns.eu/wetter/" the browser showed the certificate is not valid and don't load the page.

But if I check the certificate in the ngingx server I saw the certificate is still valid.

What is going wrong here?
I am a little lost.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: frankhaefele.spdns.eu
    Key Type: RSA
    Domains: frankhaefele.spdns.eu
    Expiry Date: 2024-03-20 20:48:54+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/frankhaefele.spdns.eu/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My domain is:

-> https://frankhaefele.spdns.eu

My Version is:

certbot 1.12.0

My OS Version is:

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Hi! Was nginx reloaded or restarted after the certificate renewal?

Hi thanks for the fast reply.
I am actually not sure.
I will restart the system.

This is a rather drastic measure but sure. Judging by the certificate history for your domain, you were getting renewals every 2 month like a clockwork, which is good (with one instance of renewing after a month 2023-02-18→2023-03-11, which is peculiar). Looks like you were lucky to have your server rebooted within a month after renewal?

It's best to have your webserver reloaded automatically after renewal. What does /etc/letsencrypt/renewal/frankhaefele.spdns.eu.conf look like?

Hi so you mean it was luckily that I rebooted the system after renewal?
The conf look like:

# renew_before_expiry = 30 days
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/frankhaefele.spdns.eu
cert = /etc/letsencrypt/live/frankhaefele.spdns.eu/cert.pem
privkey = /etc/letsencrypt/live/frankhaefele.spdns.eu/privkey.pem
chain = /etc/letsencrypt/live/frankhaefele.spdns.eu/chain.pem
fullchain = /etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rsa_key_size = 4096
authenticator = webroot
webroot_path = /var/www/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory

[[webroot_map]]
frankhaefele.spdns.eu = /var/www/letsencrypt

Can here be added an automatic reload after reneval?

Renewal config looks good at least. I'll let other volunteers to advise on how to “non-destructively” add a deploy hook to the existing lineage, I don't know how off the top of my head. Or you could look into deploy-hooks yourself.

Yes, your Certbot renewal config does not reload nginx. So, you must have had some scheduled reload or restart in the 30 days from when a cert was renewed but before it expired.

You should be able to add an auto-reload by running this once

sudo certbot renew --cert-name frankhaefele.spdns.eu --deploy-hook "nginx reload" --force-renew

where "nginx reload" is the command you use to reload nginx (a restart is not required)

I am not certain what Debian 11 uses but maybe like service nginx reload or its systemctl equivalent systemctl reload nginx

WARNING: This is one of the rare times that --force-renew is needed. We want to force renew early so to update the renewal config file. Only do the force once.

certbot reconfigure --cert-name "$SOMETHING" --deploy-hook "systemctl reload nginx"

(more or less, if your certbot is recent enough to have reconfigure -- it probably isn't)

Excellent idea except they are on 1.12 and need 2.3 for reconfigure

Hi guys,

thanks for the fast reply.
Can I add the --deploy hook stuff in the conf file?
For reload I used the last times sudo nginx -s reload

Changing the .conf file manually is not recommended. The value is not the same in the conf file as on the command line. Please use the command line. You could update your Certbot to the snap version and then use the reconfigure command like @9peppe suggested. See https://certbot.eff.org

You can omit sudo in the --deploy-hook because renew should already be running within a root user.

I found this in the directory /etc/cron.d

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Yeah, that's running a renew with root user. Do not modify that. Just run the renew command like I described directly from command prompt.

Is it easy to update to v2.3?

frank@pi-websrv2:/etc/nginx/conf.d $ sudo certbot renew --cert-name frankhaefele.spdns.eu --deploy-hook "nginx -s reload" --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/frankhaefele.spdns.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for frankhaefele.spdns.eu
Running deploy-hook command: nginx -s reload

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Does your system support snap?

Does that do anything when you run it [by itself]?

Excellent. The line about Running deploy-hook will now happen every time the renew command is run for that cert.

I am not sure about snap.
I have a commandline version of Debian 11 bullseye running on a pi.

nginx -s reload does reload the nginx config.
Yes, it does work so on the commandline.

@MikeMcQ
You mean the deploy hook command is now saved?
So it is doing reload nginx automatically?

Great Stuff....

frank@pi-websrv2:~ $ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/frankhaefele.spdns.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for frankhaefele.spdns.eu
Performing the following challenges:
http-01 challenge for frankhaefele.spdns.eu
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Dry run: skipping deploy hook command: nginx -s reload

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -