Discourse failure to renew certificate

RBoy · October 9, 2025, 3:38pm

Continuing the conversation from here:

I got a reminder from Redsift that my certificates are going to expire in a week. Usually discourse will renew the certificates well ahead of time. This time not so, before I start doing a rebuild (which is supposed to solve the issue), @Falco is there anything you want me to check and post back here to help get to the root of why the certificates did not renew?

The root certificate is ISRGX1 and here is the expiring certificate information:

Common Name (CN)	E6
Organization (O)	Let’s Encrypt
Organizational Unit (OU)
Issued On	Wednesday, July 16, 2025 at 7:36:45 PM
Expires On	Tuesday, October 14, 2025 at 7:36:44 PM

The current build is 3.6.0.beta1-dev (7ee52c8f85)

pfaffman · October 9, 2025, 5:39pm

There was a period of time that the endpoint that let’s encrypt needed was redirected. That’s fixed if you rebuild.

Dannii · October 22, 2025, 7:35am

About how long after I update should the certificate be renewed?

featheredtoast · October 22, 2025, 7:28pm

If memory serves the certificates are valid for 3 months, and they will now attempt to auto renew before then.

Dannii · October 23, 2025, 7:21am

Yes I know how it’s meant to work.

But it’s been over a day since I updated the forum software and the certificate doesn’t appear to have been updated yet. It’s got 5 days before it expires so it really needs to be renewed soon.

I’m on the Discouse stable branch if that makes a difference. Is it possible the endpoint fix hasn’t been backported?

RBoy · October 23, 2025, 1:05pm

For me the certificate updated immediately after the rebuild

Dannii · October 23, 2025, 8:27pm

Did you rebuild through the web or via the command line?

Canapin · October 23, 2025, 8:55pm

Yes, the explanation was here:

Dannii · October 23, 2025, 10:25pm

My forum has finally updated its certificate after I did a command line rebuild.

lessLost · October 26, 2025, 12:48pm

We have had the same experience of SSL not renewing.

It would be great if someone could double check that web.ssl.template is behaving correctly on discourse-docker, it appeared to me that port 80 was not actually serving any /.well-known/ URLs used by Let’s Encrypt, all URLs were forwarding to SSL including test files I manually placed into /var/www/discourse/public/.well-known/ . I had to edit /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf directly inside the app container.

Perhaps this started after commit ae4887a of discourse-docker?

pfaffman · October 26, 2025, 4:52pm

There was another error with the well known route in recent memory.

When’s the last time you did a rebuild?

Topic		Replies	Views
Let's Encrypt certificate did not automatically renew Support	14	2102	October 5, 2021
Unable to renew Let's encrypt certificate Installation letsencrypt	8	659	February 7, 2024
Letsencrypt certificate failure to renew Support	11	1574	October 8, 2021
SSL LetsEncrypt renewal not working (due to an extra reverse proxy on the outside) Installation	9	1067	October 16, 2020
Update no longer valid SSL certificate Support	16	1862	August 25, 2020

Discourse failure to renew certificate

Related topics