Update no longer valid SSL certificate

Hello All,

I have a Discourse webpage where I have an SSL cert issued for it.
The email address is in the app.yaml file.

However, the cert is no longer valid and I need to update it.
./launcher rebuild app does not help.

How can I update the certificate in this situation?

Do you have Cloudflare in front of your server?

No Cloudflare in front.

Is this a Let's Encrypt certificate or some other kind? If it’s some other cert then you need to put the new cert wherever the old one was.

What is your site URL?

It is an LE cert. I've just added an email for LE when setting up the whole site. Can't share the site URL but I can provide all needed info. Discourse is up to date.

Let’s Encrypt should automatically renew providing there is nothing proxying the connection.

Chrome has a locked padlock, so it says the cert is OK, but the period for which the cert is issued is in the past; when opening the cert, it says that it is out of date.

There is no proxy.

Isn't there any manual way to update?

EDIT: Chrome + standard Windows info about the cert says the cert is out of date, but Firefox says it is OK and the dates are valid.

1 Like

I don’t know which client you use, but if you use certbot certificates it will show all the certificates - expired and valid. If you’re still using the expired cert and do have a valid one, install the valid one.

But IMHO, this sounds like a problem to be solved at community.letsencrypt.org.

One thing to take note of: Let's Encrypt was designed to automate your renewals. If you run it with the certbot manual command, then you have to manually renew every 60-90 days. If you use certonly, once you’ve created the cert, you’ll have to install it yourself.

1 Like

I wasn't choosing the cert app. This is the default Discourse installation so I don't even know if this is certbot or acme.sh.

1 Like

Dear @pbies

According to the code:

https://github.com/discourse/discourse_docker/blob/2dfb77a35361f5b06bf59648048ed8530c88da57/templates/web.letsencrypt.ssl.template.yml

    exec:
      cmd:
        - cd /root && git clone --branch 2.8.2 --depth 1 https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh
        - touch /var/spool/cron/crontabs/root
        - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
        - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install --log "${LETSENCRYPT_DIR}/acme.sh.log"
        - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade

Hope this helps… :slight_smile:

2 Likes

This helps to understand that the acme script is used to install/update. But I still don't find manual instructions to update the cert. There should be some webpage for that. Later I will try to enter the container and issue a new cert based on this code.

1 Like

Hi @pbies

You might also enjoy looking at cron to see what command is running in the container crontab file:

For example, in your main app container:

    crontab -l

Cheers!

3 Likes

@neounix
Before I update the cert, I would like to know why for Chrome (exactly, the Windows info about the cert) the cert is no longer valid (out of date), but for Firefox the cert is valid and has an expiry time in the future.

Maybe there is no need to manually update the cert?

If you’re just checking the certificate date in your browser, then it might show an old one because of the forum’s service worker. I don’t think this is a problem (though I don’t exactly know how it all works.)

1 Like

Dear @pbies

You can configure your setup any way you want to try.

When I do it, I always configure the certs as I described in my post because it works easily and without problems.

There is no need to do “cert analysis” because you can just request a new one for free without an issue or problem.

I’ve tried and can’t say if it worked. Just hard-refreshed Ctrl+F5 the site in Chrome and cert is now valid. Seems like cache…

Thanks for your help guys!

2 Likes
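
Since Chrome and Firefox disagreed in this thread and a hard refresh cleared it up, a check made outside any browser settles what the server is really presenting. The following is an added example, not code from the thread or from Discourse: it does a fresh TLS handshake and classifies the certificate's notAfter date. The hostname forum.example.com and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
import sys
import time

WARN_DAYS = 30  # assumed warning threshold, not a Discourse or acme.sh setting


def days_remaining(not_after, now=None):
    """Days until a notAfter string such as 'Jan  5 09:34:43 2018 GMT' is reached."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Return 'expired', 'renew-soon' or 'ok' for a notAfter string."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    return "renew-soon" if left < warn_days else "ok"


def check_host(host, port=443, timeout=10):
    """Handshake with the server and report on the certificate it presents now.

    Verification stays enabled, so an expired or untrusted certificate
    surfaces as a handshake error rather than as a parsed date.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": "invalid", "detail": exc.verify_message}
    except OSError as exc:
        return {"host": host, "status": "unreachable", "detail": str(exc)}
    return {"host": host, "status": classify(not_after), "detail": not_after}


if __name__ == "__main__":
    # forum.example.com is a placeholder; pass the real hostname as an argument.
    result = check_host(sys.argv[1] if len(sys.argv) > 1 else "forum.example.com")
    print("{host}: {status} ({detail})".format(**result))
    sys.exit(0 if result["status"] == "ok" else 1)
```

If this reports "ok" while a browser still shows old dates, the stale certificate is on the client side (cache), not on the server.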
