- Platform information:
- Hardware/OS: Linux openhabian 4.9.0-15-amd64 #1 SMP Debian 4.9.258-1 (2021-03-08) x86_64 GNU/Linux
- Issue of the topic: Installation of openhabian running well. But SSL cert updating problem
In April, I installed openhabian on a DigitalOcean droplet. Works great.
I followed these instructions regarding security - especially the Let's Encrypt stuff.
All worked perfectly:
- Got the Let's Encrypt cert
- NGINX used it
- all good.
That original cert had this validity: 22/04/2021 to 21/07/2021
I made sure that the Let's Encrypt certbot would run (daily?) to renew the cert files as needed. I noted the default renew time is set to 30 days before expiry - which would be 21/06/2021.
I have looked in the location where letsencrypt stores the certs and see this (XXXX = my domain):

```
root@openhabian:/etc/nginx/sites-available# ls -l /etc/letsencrypt/live/XXXX/
total 4
lrwxrwxrwx 1 root root 48 Jun 21 06:30 cert.pem -> ../../archive/XXXX/cert2.pem
lrwxrwxrwx 1 root root 49 Jun 21 06:30 chain.pem -> ../../archive/XXXX/chain2.pem
lrwxrwxrwx 1 root root 53 Jun 21 06:30 fullchain.pem -> ../../XXXX/fullchain2.pem
lrwxrwxrwx 1 root root 51 Jun 21 06:30 privkey.pem -> ../../archive/XXXX/privkey2.pem
```

So far so good … The cert files were updated on schedule on 21-June.
The NGINX config file extract looks like:

```
root@openhabian:/etc/nginx/sites-available# cat default
server {
    listen 80;
    server_name XXXX;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name XXXX;
    ssl_certificate /etc/letsencrypt/live/XXXX/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXXX/privkey.pem;
    [...]
```

Good … NGINX is looking in the right place for the Cert files.
BUT
When I visit my URL I get this:
Note in the 2 above images (from my Chrome browser)
- 1st one says cert is valid
- 2nd says it is expired
I have
- restarted NGINX: `systemctl restart nginx`
- tried to renew the certs again. See below. Nothing changes when the browser goes to my URL.
- tried different browsers (in case it was a cache issue)

```
root@openhabian:/etc/nginx/sites-available# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/XXXX.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/XXXX/fullchain.pem expires on 2021-09-19 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

I am a bit lost as to why everything appears OK on the server side … but not on the browser side.
Clues anyone?
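
A check that fits this situation, added here as an example and not part of the original post: it compares the SHA-256 fingerprint of the leaf certificate in `fullchain.pem` on disk with the leaf the TLS endpoint actually presents, which separates "the file on disk is stale" from "the endpoint is not serving that file". The function names and the sample PEM data are constructed for illustration.

```python
import hashlib
import socket
import ssl
import sys

END = "-----END CERTIFICATE-----"

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM bundle.

    In certbot's fullchain.pem the first block is the leaf; the rest are
    intermediates, which do not matter for this comparison.
    """
    start = pem_text.index("-----BEGIN CERTIFICATE-----")
    stop = pem_text.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:stop])
    return hashlib.sha256(der).hexdigest()

def served_pem(host, port=443, timeout=5.0):
    """Fetch the leaf certificate presented for `host`, even if it is expired."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # inspection only: we want to see the
    ctx.verify_mode = ssl.CERT_NONE   # certificate, not to trust the peer
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # sends SNI
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def compare(disk_pem, wire_pem):
    """Report whether the served leaf is the one stored on disk."""
    disk, wire = leaf_fingerprint(disk_pem), leaf_fingerprint(wire_pem)
    return {"match": disk == wire, "disk": disk, "served": wire}

# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
OLD_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed leaf, first issuance")
NEW_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed leaf, after renewal")
NEW_FULLCHAIN = NEW_LEAF + ssl.DER_cert_to_PEM_cert(b"constructed intermediate")

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: check.py <hostname> <path to fullchain.pem>
        with open(sys.argv[2]) as fh:
            print(compare(fh.read(), served_pem(sys.argv[1])))
    else:                     # offline demo on the constructed data
        print(compare(NEW_FULLCHAIN, NEW_LEAF))
        print(compare(NEW_FULLCHAIN, OLD_LEAF))
```

Run with a hostname and the path to `fullchain.pem` (as root, since the live directory is root-owned) from the server itself and again from an outside machine; differing "served" fingerprints between the two vantage points mean the two clients are not reaching the same TLS endpoint.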