I’ve done a search on this, but from what I can tell, since I used the default Discourse way to get my Let’s Encrypt certificate, it should renew automatically. But that didn’t happen. (see image below)
After a search on this forum, I installed certbot using ssh, but when I type in “certbot certificates”, it’s not even finding the expired certificate so “certbot renew” does nothing.
Is there something I’m missing? What exactly do I need to do to renew my certificate on my Discourse install?
Thank you for that. It seems like the solution recommended there is to rebuild the app and wait. Well, I did rebuild the app this morning just as a general prophylactic. If that really is the solution, maybe it will fix itself later today?
Thank you, Gavin. It is reporting as Valid in Chrome for me, but when I click on the certificate info itself, it is showing as expired. (see attached screenshot)
Ah. Good. It’s still not showing with a valid date in Chrome, even after I deleted my browsing cache, but I just checked in Safari, and I do see a new, valid date.
So, I guess rebuilding the app was the solution, and hopefully Chrome is just a caching issue.
I’ve seen a couple of cases where one had to clear the cache and restart Chrome before it showed the valid certificate.
Some browsers have a chain of trust cached which includes the old X1 leaf certificate - which Let’s Encrypt has ended. They’ll “choke” when they get to that old cert and find it expired.
The predicament: Updated browsers are happy with the new shorter chain of trust whereas older browsers still want the longer chain of trust. It’s all about updating everything for more security.
One way of updating your server using acme.sh v3.0.1+ to use the preferred chain of trust is:
This is actually one of the very few times that the --force flag is appropriate.
Beware though… older browsers may refuse the shorter chain of trust and will insist on getting the cert. This can also be downloaded as an alternate chain of trust. I believe Let’s Encrypt has a link expressly for that purpose. I’ll hop on over there, get that and post it here.
Roger this, JimPas. Thank you. Even after I cleared the cache in my Chrome and restarted it, I’m still seeing the old certificate. (But in different browsers, I can see that the certificate is renewed.)
Please let me know if you’re able to find that alternate chain of trust link.
Sorry for the delay - a little bit of an accident last night. Here are the links to download the X1 & X2 certs and the intermediate leaf cert.
LE Root CA Certificates (PEM format):