SSL LetsEncrypt renewal not working (due to an extra reverse proxy on the outside)

The cert for my discourse instance expired today, and it’s giving an error in the browser. I tried running the renewal manually as per:

It showed that the cert renewed, I can see it in the /shared/letsencrypt folder and it renewed correctly. I restarted nginx within docker. I did a rebuild of the instance, even after that it appears to be sending the old certificate.

I checked the domain with several sites, all say that the cert is expired, so it’s not just local.

Am I missing something?

I just did the same instructions 15 days ago.

cd /var/discourse
./launcher enter app
"/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt" --force
exit

The first thing I learned was that if you view the certificate with Chrome it may show invalid when in fact it is valid. See: Chrome / Chromium bug: SSL certificates show incorrect (expired) dates

I then tried

me@site:/var/discourse$ sudo ./launcher rebuild app

which did not work and finally

sudo reboot

The site was then working as expected.


While I note the step about the rebuild, I am not sure if it is needed, but it was a step I did along the way.


After trying for hours, and just after I posted this, I realized that because I’m using a multi-site deployment with an nginx reverse proxy, I had to also restart the outer nginx server, and it started working instantly.
I’m going to mark this as the answer, just in case someone ends up in this situation.

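The check the accepted answer implies, written out as an added example (this is not code from the thread, from Discourse or from acme.sh): take the SHA-256 fingerprint of the certificate acme.sh wrote on disk, take the fingerprint of the certificate the public endpoint actually serves, and only if they differ reload the proxy in front. The on-disk path, the host name and the `nginx -t && systemctl reload nginx` step are assumptions for illustration; the last one presumes the outer reverse proxy is a systemd-managed nginx on the host. Checking the fingerprint, rather than the expiry date in a browser, also sidesteps the Chrome display bug mentioned earlier in the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread, Discourse or acme.sh.
# Compares the certificate a host actually serves with the one renewed on
# disk, and warns when the on-disk certificate is itself close to expiry
# (which would point at the renewal, not the proxy, as the problem).
# Paths, host names and the reload command are assumptions for illustration.
set -euo pipefail

# SHA-256 fingerprint of the first PEM certificate in a file.
cert_fingerprint_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS endpoint presents for the
# given SNI name. Query the public address, i.e. the outer reverse proxy,
# because that is what browsers and external checkers see.
cert_fingerprint_served() {
  local host="$1" port="${2:-443}"
  openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 when the certificate in the file expires within the next N seconds.
# (openssl -checkend exits 0 when the cert will NOT expire, hence the negation.)
cert_expires_within() {
  local pem="$1" seconds="$2"
  ! openssl x509 -in "$pem" -noout -checkend "$seconds" >/dev/null
}

# Compare an on-disk and a served fingerprint; exit 0 on match, 1 on mismatch.
same_cert() {
  local on_disk="$1" served="$2"
  if [ "$on_disk" = "$served" ]; then
    echo "match: the served certificate is the one on disk"
    return 0
  fi
  echo "MISMATCH: served  = $served"
  echo "          on disk = $on_disk"
  echo "something in front (an outer reverse proxy) is still serving the old certificate"
  return 1
}

# Reload the outer nginx only if its configuration validates.
# Assumes a systemd-managed nginx on the host (hypothetical layout).
reload_outer_nginx() {
  sudo nginx -t && sudo systemctl reload nginx
}

# Usage (path is an assumption; use wherever acme.sh writes fullchain.cer on your host):
#   ./check_cert.sh discourse.example.com \
#       /var/discourse/shared/standalone/letsencrypt/discourse.example.com/fullchain.cer
if [ "${1:-}" ] && [ "${2:-}" ]; then
  host="$1" pem="$2"
  if cert_expires_within "$pem" $((7 * 24 * 3600)); then
    echo "warning: the certificate on disk expires within 7 days; the renewal itself may be failing"
  fi
  on_disk=$(cert_fingerprint_file "$pem")
  served=$(cert_fingerprint_served "$host")
  same_cert "$on_disk" "$served" || reload_outer_nginx
fi
```

Run it against the public host name, not the container's internal address: if the fingerprints match but external checkers still report an expired certificate, the problem is elsewhere (a second proxy, a CDN, or a stale cached response), not the on-disk renewal.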

I think the final sudo reboot may have worked for you because it restarted nginx - which is what I posted in my solution above.


Couple notes about this:

  • in the referenced situation, the browser doesn’t actually show it as invalid in the address bar
  • depending on OS, it may not complain about the certificate date if you look at it

Did you find the root cause of why the certificate was not automatically renewing?

On the site I noted it was because it is not in a production mode, so all e-mails are suspended, including the e-mails that would renew the certificate.

The reason the e-mail was suspended is that it is part of the process of restoring the database, in the specific case it was restored from a different instance of Discourse.

The e-mail is disabled so that two sites are not sending out the same e-mails.

The only way that e-mail is involved in the process at all is that LE might send you a warning if your cert is expiring and you haven’t renewed.


OK. Thanks. Now I have to find the root cause as to why the certificate did not automatically renew.

Any reason why a certificate would not renew?

Generally, customisations that unexpectedly break the process. I would open a new topic showing your details and what you’ve done.
