Discourse failure to renew certificate

Continuing the conversation from here:

I got a reminder from Redsift that my certificates are going to expire in a week. Usually discourse will renew the certificates well ahead of time. This time not so, before I start doing a rebuild (which is supposed to solve the issue), @Falco is there anything you want me to check and post back here to help get to the root of why the certificates did not renew?

The root certificate is ISRG Root X1 and here is the expiring certificate information:

Common Name (CN) E6
Organization (O) Let’s Encrypt
Organizational Unit (OU)
Issued On Wednesday, July 16, 2025 at 7:36:45 PM
Expires On Tuesday, October 14, 2025 at 7:36:44 PM

The current build is 3.6.0.beta1-dev (7ee52c8f85)

There was a period of time that the endpoint that let’s encrypt needed was redirected. That’s fixed if you rebuild.

5 Likes

About how long after I update should the certificate be renewed?

If memory serves the certificates are valid for 3 months, and they will now attempt to auto renew before then.

1 Like

Yes I know how it’s meant to work.

But it’s been over a day since I updated the forum software and the certificate doesn’t appear to have been updated yet. It’s got 5 days before it expires so it really needs to be renewed soon.

I’m on the Discourse stable branch if that makes a difference. Is it possible the endpoint fix hasn’t been backported?

For me the certificate updated immediately after the rebuild.

Did you rebuild through the web or via the command line?

1 Like

Yes, the explanation was here:

1 Like

My forum has finally updated its certificate after I did a command line rebuild.

3 Likes

We have had the same experience of SSL not renewing.

It would be great if someone could double check that web.ssl.template is behaving correctly on discourse-docker, it appeared to me that port 80 was not actually serving any /.well-known/ URLs used by Let’s Encrypt, all URLs were forwarding to SSL including test files I manually placed into /var/www/discourse/public/.well-known/ . I had to edit /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf directly inside the app container.

Perhaps this started after commit ae4887a of discourse-docker?

1 Like

There was another error with the well known route in recent memory.

When’s the last time you did a rebuild?

1 Like

Same here. I didn’t get a warning about the cert’s expiration. Entering the server and launching a rebuild (/var/discourse % ./launcher rebuild) did the trick.

2 Likes

In my testing on a vanilla nginx install (1.18.0 but I think it’s the same for 1.26.3), an nginx config line return 301 https://thehostname$request_uri; outside of a location completely overrides any earlier location block before it, rather than being a catch-all. I believe /.well-known/ simply isn’t served on port 80 unless the 301 redirect is specifically for another location such as / at the end of the server block. Could be the same problem as this stackoverflow post?

Glad rebuild works, but since the cert had already renewed for me, I couldn’t confirm that a rebuild would allow the Let’s Encrypt validation servers to get there if a cert had expired. Maybe a rebuild kicks off the cert renewal before that template line is in place or similar rather than fixing the templates, but I’m not able to confirm if that’s why rebuild gets the renewal to work.
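To make the nginx behaviour described in the two posts above concrete (port 80 never serving /.well-known/ because a redirect sits outside any location), here is an added illustration of the broken shape next to a corrected one. This is example configuration written for this thread, not the contents of discourse_docker's web.ssl.template or of 20-redirect-http-to-https.conf; the hostname and the webroot path are placeholders.

```nginx
# Added example, not taken from discourse_docker. forum.example.com and the
# root path are placeholders.

# BROKEN: a `return` at server level runs in the server rewrite phase, before
# nginx picks a location, so the ACME location below is never consulted and
# every plain-HTTP request, including /.well-known/acme-challenge/..., is
# answered with a 301 to HTTPS.
server {
    listen 80;
    server_name forum.example.com;

    return 301 https://$host$request_uri;

    location /.well-known/acme-challenge/ {
        root /var/www/discourse/public;   # unreachable: the return above wins
    }
}

# FIXED: the redirect lives inside `location /`, so it only applies to requests
# that do not match a more specific location. `^~` makes this prefix match
# final, so a regex location added by another outlet cannot capture it.
server {
    listen 80;
    server_name forum.example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/discourse/public;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

A quick way to tell the two apart from outside is `curl -sI http://forum.example.com/.well-known/acme-challenge/probe`: the broken layout answers 301 for that path, the corrected one answers 404 (no such token file) or 200 while a challenge file is present, which is what the Let's Encrypt HTTP-01 validation needs to see.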

If you think this is a Discourse bug then perhaps you should reply on the github commit or open a new bug report.

1 Like