SSL certificate renews but it is invalid

I’ve been running for 10 months now.
2 times recently (Jan and March) I’ve had reports that the box SSL cert was about to expire, i.e. had gone beyond the time when it should have happened automatically.
So I did it manually from the admin certs page, which stopped the error reports, and presumably resulted in valid certificates being installed.
Well the first time anyway, because today the last one I installed has now actually expired (according to my browser and various SSL cert checking tools on the web).
However MIAB says it still has at least another 30 days to go.
Presumably, this is decided by the certificate file date rather than anything to do with the contents.

I’ve tried repeating the renewal (by switching the current cert to an older cert) and using the admin page to provision a new one.

A new one was generated and put in place, but the internet still says it has expired.

I did notice that the renewal was remarkably quick. Other times the sequence has taken many seconds…

Reading account key from /home/user-data/ssl/lets_encrypt/account.pem.
Validating existing account saved to /home/user-data/ssl/lets_encrypt/registration.json.
Reusing existing challenges for xxxmail.xxx.co.uk.
The challenges for xxxmail.xxx.co.uk have been accepted.
Generating a new certificate signing request.
Requesting a certificate.
OK
mail services restarted
web updated

Please can anyone help?

Regards
Stef Bishop

Can you PM me your domain name? Also, please send some logs as well (/var/log/syslog if possible, from when the error happened).

After my attempt to retry getting a valid certificate yesterday.

I got this message from miab this morning:
xxxmail.xxx-a.co.uk – Previously:

✓ TLS (SSL) certificate is signed & valid. The certificate expires on 06/28/18.

xxxmail.xxx-a.co.uk – Currently:

✓ TLS (SSL) certificate is signed & valid. The certificate expires on 07/08/18.

But browsers and the internet say it is out of date (expires 9th April 2018)

Anyone know how miab determines whether a cert is valid?

Hopefully, you have shared your domain name with murgero as it will be helpful to attempt reaching your site itself.

To me, and I am no expert so take this with a grain of salt, it sounds like the certificate has indeed been renewed, but somehow was not properly deployed. The logs may help determine if this is the case or not.

Hi,
yes I PM’d murgero.

A bit more info now.
When I said I’d used various internet sites to check the cert, they were all ones that talked to the webserver to find out.

I have now pasted my cert into a site which decodes the cert using the openssl commands and it reports the correct future expiry date.

So now it seems my problem is that the nginx server is not picking up the correct certificate.
Not sure if like apache it won’t start if the cert is wrong.

I thought nginx had been reloaded, as should happen automatically whenever a cert is updated.
However I notice the nginx processes have start dates of Jan 9 (start of my problems). And doing a reload doesn’t change that.

I’ve just done a stop start on nginx and voila it’s picked up the valid certificate!

So all working for now!

Alento, Yes, your assessment was correct!!!
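
The mismatch found in this thread (a renewed certificate on disk while the running nginx still presents the old one) can be checked directly by comparing fingerprints. The script below is an added example, not part of the thread or of Mail-in-a-Box; the function names are hypothetical, and the certificate file path and host name are assumed to be supplied on the command line.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in pem_text (the leaf in a chain file)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def fetch_served_pem(host, port=443, timeout=10):
    """Return the certificate a listener presents on an implicit-TLS port.
    Validation is disabled on purpose so that an expired certificate is
    still returned for comparison instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def compare(disk_pem, served_pem):
    """'match' if the service presents the certificate that is on disk,
    'stale' if the running process still holds a different one."""
    same = leaf_fingerprint(disk_pem) == leaf_fingerprint(served_pem)
    return "match" if same else "stale"


if __name__ == "__main__":
    # Usage: check_served_cert.py CERT_FILE HOST [PORT ...]  (default port 443)
    cert_file, host = sys.argv[1], sys.argv[2]
    ports = [int(p) for p in sys.argv[3:]] or [443]
    with open(cert_file) as fh:
        disk_pem = fh.read()
    results = {p: compare(disk_pem, fetch_served_pem(host, p)) for p in ports}
    for port, verdict in results.items():
        print(f"{host}:{port} {verdict}")
    sys.exit(1 if "stale" in results.values() else 0)
```

A "stale" result after a renewal means the service has to be restarted (as was done with nginx above) before clients see the new certificate; the non-zero exit status lets a cron job or monitoring check alert on it.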