Odd letsencrypt/certbot SSL expiry date issue


Hi have a system running Wordpress on EE 3.

Some time ago (perhaps a year ago) I installed LetsEncrypt ssl on there, using instructions provided on EE documentation / forums.

In last 10 days the site has been (unknown to me) getting an SSL expired error in browsers. You can see the results of that here: https://www.ssllabs.com/ssltest/analyze.html?d=jonathanevatt.com

When I check the certificate, I get the following:

~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/jonathanevatt.com.conf
Attempting to parse the version 0.29.1 renewal configuration file found at /etc/letsencrypt/renewal/jonathanevatt.com.conf with version 0.23.0 of Certbot. This might not work.
Cert not yet due for renewal


The following certs are not due for renewal yet:
  /etc/letsencrypt/live/jonathanevatt.com/fullchain.pem expires on 2019-03-15 (skipped)
No renewals were attempted.

As you can see, the certificate does not expire until March 2019.

So I thought perhaps Nginx is using a certificate in another location. But I see in Nginx config that it’s calling the certificate from here: (in the /var/www/jonathanevatt.com/conf/nginx/ssl.conf file)

listen 		443 ssl http2;
ssl_certificate     /etc/letsencrypt/live/jonathanevatt.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/jonathanevatt.com/privkey.pem;

Would someone kindly explain how I can have an SSL certificate loading to browsers which differs from the one shown above?

Thank you,



Try reloading nginx. Maybe the certificates were renewed but Nginx didn’t load the new certificates.

ee stack reload --nginx


Thanks. That did the trick.
So, my next question… I’ll add the Nginx reload command to the end of my cron task.

Or is there a way to have certbot reload Nginx, if the certificate is updated?


I found the answer to my question (assuming it works as intended)…

@daily sudo ee site update --le=renew --all --post-hook 'sudo ee stack reload --nginx' >> /home/jonathan99/logs/sslrenew.log

It’s my understanding the --post-hook will reload Nginx if the certificate is renewed. HOWEVER, does the ee handling of renewals accept that hook?
Or should I switch to using certbot directly?


I’ve since discovered ee doesn’t accept a --post-hook. Is there a recommended way to handle the SSL updates without ee ? If it find to just use a standard certbot command?

closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.