Odd letsencrypt/certbot SSL expiry date issue


#1

Hi, I have a system running WordPress on EE 3.

Some time ago (perhaps a year ago) I installed LetsEncrypt ssl on there, using instructions provided on EE documentation / forums.

In last 10 days the site has been (unknown to me) getting an SSL expired error in browsers. You can see the results of that here: https://www.ssllabs.com/ssltest/analyze.html?d=jonathanevatt.com

When I check the certificate, I get the following:

~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/jonathanevatt.com.conf
-------------------------------------------------------------------------------
Attempting to parse the version 0.29.1 renewal configuration file found at /etc/letsencrypt/renewal/jonathanevatt.com.conf with version 0.23.0 of Certbot. This might not work.
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/jonathanevatt.com/fullchain.pem expires on 2019-03-15 (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------

As you can see, the certificate does not expire until March 2019.

So I thought perhaps Nginx is using a certificate in another location. But I see in Nginx config that it’s calling the certificate from here: (in the /var/www/jonathanevatt.com/conf/nginx/ssl.conf file)

listen 		443 ssl http2;
ssl_certificate     /etc/letsencrypt/live/jonathanevatt.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/jonathanevatt.com/privkey.pem;

Would someone kindly explain how I can have an SSL certificate loading to browsers which differs from the one shown above?

Thank you,

Jonathan


#2

Try reloading nginx. Maybe the certificates were renewed but Nginx didn’t load the new certificates.

ee stack reload --nginx


#3

Thanks. That did the trick.
So, my next question… I’ll add the Nginx reload command to the end of my cron task.

Or is there a way to have certbot reload Nginx, if the certificate is updated?


#4

I found the answer to my question (assuming it works as intended)…

@daily sudo ee site update --le=renew --all --post-hook 'sudo ee stack reload --nginx' >> /home/jonathan99/logs/sslrenew.log

It’s my understanding the --post-hook will reload Nginx if the certificate is renewed. HOWEVER, does the ee handling of renewals accept that hook?
Or should I switch to using certbot directly?


#5

I’ve since discovered ee doesn’t accept a --post-hook. Is there a recommended way to handle the SSL updates without ee? Is it fine to just use a standard certbot command?
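
Added example, not part of the original thread: a check for the failure in post #1, where the certificate on disk was renewed but Nginx kept serving the old one, that works whichever tool did the renewal. The function names are hypothetical; the host, certificate path and reload command are the ones quoted in posts #1 and #2.

```shell
#!/usr/bin/env bash
# Compare the certificate Nginx presents on the wire with the one on disk,
# and reload Nginx only when they differ (i.e. a renewal was never picked up).
# Function names are hypothetical; host, path and reload command come from the thread.

# SHA-256 fingerprint of the first (leaf) certificate in PEM data read from stdin.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of the leaf certificate actually served for host $1 (SNI set), port $2.
served_fingerprint() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | fingerprint
}

# Classify the pair of fingerprints: in-sync, stale, or error (one could not be read).
compare_certs() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "error"
  elif [ "$1" = "$2" ]; then
    echo "in-sync"
  else
    echo "stale"
  fi
}

# Usage: check_and_reload <host> <path to fullchain.pem>
check_and_reload() {
  host=$1
  pem=$2
  disk=""
  if [ -r "$pem" ]; then disk=$(fingerprint < "$pem"); fi
  served=$(served_fingerprint "$host")
  state=$(compare_certs "$disk" "$served")
  # One log line per run, so a cron log shows when a stale certificate was caught.
  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $host $state disk=${disk:-none} served=${served:-none}"
  case $state in
    stale) ee stack reload --nginx ;;   # reload command from post #2
    error) return 2 ;;                  # surface the failure to cron / monitoring
  esac
}

# Runs only when called with arguments, e.g. from root's crontab after the renewal job:
#   check.sh jonathanevatt.com /etc/letsencrypt/live/jonathanevatt.com/fullchain.pem
if [ "$#" -ge 2 ]; then
  check_and_reload "$1" "$2"
fi
```

An `error` result means either the file was unreadable or the TLS handshake failed, so it is worth alerting on rather than ignoring.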

