Let's Encrypt certificate did not automatically renew


I’ve done a search on this, but from what I can tell, since I used the default Discourse way to get my Let’s Encrypt certificate, it should renew automatically. But that didn’t happen. (see image below)

After a search on this forum, I installed certbot using ssh, but when I type in “certbot certificates”, it’s not even finding the expired certificate so “certbot renew” does nothing.

Is there something I’m missing? What exactly do I need to do to renew my certificate on my Discourse install?

Please let me know. Thanks!


Maybe this is related? Letsencrypt certificate failure to renew


Thank you for that. :slight_smile: It seems like the solution recommended there is to rebuild the app and wait. Well, I did rebuild the app this morning just as a general prophylactic. If that really is the solution, maybe it will fix itself later today?

It’s still showing as expired…


What version of Linux are you running?

Did you also do an apt-get update / upgrade?


It looks like it’s Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-159-generic x86_64).

And yes, I did an apt-get update and apt-get upgrade and rebooted my server.

I was hoping some kind of upgrade would fix the issue…


I just checked your cert. It’s valid.


Thank you, Gavin. It is reporting as Valid in Chrome for me, but when I click on the certificate info itself, it is showing as expired. (see attached screenshot)

Are you showing a new, valid expiration date?



It looks all good on my side.

New date and everything.


Ah. Good. It’s still not showing with a valid date in Chrome, even after I deleted my browsing cache, but I just checked in Safari, and I do see a new, valid date.

So, I guess rebuilding the app was the solution, and hopefully Chrome is just a caching issue.

Thank you for checking that out for me. :slight_smile:


No problem. Anytime :slight_smile:


I believe that is the case. It can be difficult to get <some browsers> to report the correct cert, sometimes (and that’s more than I know).


I’ve seen a couple of cases where one had to clear the cache and restart Chrome before it showed the valid certificate.

Some browsers have a chain of trust cached which includes the old X1 leaf certificate - which Let’s Encrypt has ended. They’ll “choke” when they get to that old cert and find it expired. :face_with_raised_eyebrow:
The predicament: Updated browsers are happy with the new shorter chain of trust whereas older browsers still want the longer chain of trust. It’s all about updating everything for more security.

One way of updating your server using acme.sh v3.0.1+ to use the preferred chain of trust is:

Preferred Chain · acmesh-official/acme.sh Wiki · GitHub

Set the shorter ISRG preferred chain system wide by default with letsencrypt and then renewing all certificates

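```bash
# Upgrade acme.sh itself to the latest release
acme.sh --upgrade
# Make the ISRG chain the default preferred chain for the letsencrypt CA
acme.sh --set-default-chain --preferred-chain "ISRG" --server letsencrypt
# Re-issue every certificate now, even those not yet due for renewal
acme.sh --renewAll --force
```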

This is actually one of the very few times that the --force flag is appropriate.
Beware though… older browsers may refuse the shorter chain of trust and will insist on getting the cert. This can also be downloaded as an alternate chain of trust. I believe Let’s Encrypt has a link expressly for that purpose. I’ll hop on over there, get that and post it here.


Roger this, JimPas. Thank you. Even after I cleared the cache in my Chrome and restarted it, I’m still seeing the old certificate. (But in different browsers, I can see that the certificate is renewed.)

Please let me know if you’re able to find that alternate chain of trust link.

Thank you for your help!


Have you updated your Chrome browser?

Type this in your URL bar: chrome://settings/help


Sorry for the delay - a little bit of an accident last night. Here are the links to download the X1 & X2 certs and the intermediate leaf cert.
LE Root CA Certificates (PEM format):

ISRG Root X1
ISRG Root X2

Intermediate Certificate (PEM format):

Let’s Encrypt R3
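
When browsers disagree about the expiry date, as in this thread, the certificate the server actually presents can be checked directly, independent of any browser cache. The script below is an added example, not code from any poster or from Discourse; the 30-day renewal window, the function names and the hostname in the usage comment are assumptions, and it uses only the Python standard library.

```python
import socket
import ssl
import sys
import time

RENEW_WINDOW_DAYS = 30  # assumption: flag certs with under 30 days left


def summarize_cert(cert, now=None):
    """Classify a certificate dict as returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    # issuer is a tuple of RDNs, each a tuple of (field, value) pairs
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    days_left = int((not_after - now) // 86400)
    if now < not_before:
        status = "not yet valid"
    elif now > not_after:
        status = "expired"
    elif days_left < RENEW_WINDOW_DAYS:
        status = "renewal due"
    else:
        status = "valid"
    return {"status": status, "days_left": days_left,
            "not_after": cert["notAfter"],
            "issuer": issuer.get("commonName", "?")}


def check_served_cert(host, port=443, timeout=10):
    """Handshake with the server and report on the leaf it presents."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return summarize_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # An expired leaf or a broken chain fails here, before getpeercert()
        return {"status": "verification failed", "reason": exc.verify_message}


if __name__ == "__main__":
    # Usage: python check_cert.py forum.example.com  (hostname is a placeholder)
    print(check_served_cert(sys.argv[1]))
```

A "verification failed" result with a reason such as an expired certificate means the server itself is still presenting a bad leaf or chain, so the browser cache is not the cause.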