SSL Certs did not renew

I couldn’t get into my site because of expired certs. I know how to manage most systems, so I found a way in and got it fixed. My post is about why does this happen? I see many topics, mostly about how to get in and fix it that time. But what’s the cause? I have a page that specifically says:

All certificates will be automatically renewed through Let’s Encrypt 14 days prior to expiration.

So why did this not happen and why is the forum littered with this issue?

I have multiple MiaB servers with multiple domains and certbot renews the certificates without any issues.

Did you check your Box to see if the time and date are set correctly?

Is this a new install or a box you’ve been using for a while?

Who is your VPS?

Can you ensure your box had internet connectivity at the time certbot ran?

Did you do any self help to check logs to see if there is a reason?
cat /var/log/letsencrypt/letsencrypt.log

Was there anything in the status checks emails about the renewal failing?

I don’t think this is a normal certbot installation. I clicked the button to add the certs within the MiaB web ui. I have other systems with the certbot script installed. But when I ran certbot renew it just said there were no certificates. MiaB handles them differently, albeit similar.

I think I actually disabled the status checks email.

I’ve got this over and over and over in the nginx log file:

nginx/error.log:2022/05/03 12:20:42 [error] 25234#25234: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.25.56.131:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 12:26:01 [error] 25234#25234: connect() to [2600:1406:34::b819:3864]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:34::b819:3864]:80, certificate: "/home/user-data/ssl/mail.kaptainblue.com-20220429-834ca89d.pem"
nginx/error.log:2022/05/03 12:27:01 [error] 25234#25234: connect() to [2600:1406:34::b819:3864]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:34::b819:3864]:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 12:35:04 [error] 25234#25234: connect() to [2600:1406:34::b819:3864]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:34::b819:3864]:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 12:40:58 [error] 25234#25234: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.25.56.131:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 12:49:56 [error] 25234#25234: connect() to [2600:1406:34::b819:3855]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:34::b819:3855]:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 12:55:07 [error] 25234#25234: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.25.56.131:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 13:04:18 [error] 25234#25234: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.25.56.131:80, certificate: "/home/user-data/ssl/kaptainblue.com-20220429-4729670b.pem"
nginx/error.log:2022/05/03 13:04:44 [error] 25234#25234: connect() to [2600:1406:34::b819:3855]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:34::b819:3855]:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 13:10:04 [error] 25234#25234: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.25.56.131:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 13:15:18 [error] 25234#25234: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.25.56.131:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 13:23:13 [error] 25234#25234: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.25.56.139:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 13:29:58 [error] 25234#25234: connect() to [2600:1406:34::b819:3864]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:34::b819:3864]:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"

Not really sure what’s the issue. I don’t think my DigitalOcean box, which has never lost connectivity before, just went offline for days.

I know my network was not offline because I have a 3rd party tool used to monitor uptime and it never stopped receiving metrics.
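Added example, not part of any post in this thread: a small triage script for OCSP stapling errors like the ones pasted above, grouping them per certificate file and separating "responder answered unauthorized" (the error this thread ties to expired certificates) from "connect() failed, network unreachable". The sample lines are constructed; the responder name, addresses and dated file names are placeholders, and the rule "unauthorized means go check the expiry date" is a heuristic, not nginx or Mail-in-a-Box behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the nginx error.log excerpts in the thread;
# responder name, peer addresses and dated file names are placeholders.
SAMPLE_LOG = '''\
2022/05/03 12:20:42 [error] 100#100: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.example.net, peer: 192.0.2.10:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
nginx/error.log:2022/05/03 12:26:01 [error] 100#100: connect() to [2001:db8::1]:80 failed (101: Network is unreachable) while requesting certificate status, responder: ocsp.example.net, peer: [2001:db8::1]:80, certificate: "/home/user-data/ssl/ssl_certificate.pem"
2022/05/03 13:04:18 [error] 100#100: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.example.net, peer: 192.0.2.10:80, certificate: "/home/user-data/ssl/example.com-constructed.pem"
2022/05/03 13:05:00 [error] 100#100: connect() to [2001:db8::1]:80 failed (101: Network is unreachable) while requesting certificate status, responder: ocsp.example.net, peer: [2001:db8::1]:80, certificate: "/home/user-data/ssl/mail.example.com-constructed.pem"
2022/05/03 13:06:00 [error] 100#100: *7 open() "/usr/share/nginx/html/x" failed (2: No such file or directory)
'''

# Matches only OCSP stapling errors; search() tolerates a "file:" prefix left by grep.
LINE_RE = re.compile(
    r'(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] \d+#\d+: (?P<msg>.+?) '
    r'while requesting certificate status, responder: (?P<responder>[^,]+), '
    r'peer: (?P<peer>[^,]+), certificate: "(?P<cert>[^"]+)"')

def classify(msg):
    """Map the nginx message to a coarse failure reason."""
    if msg.startswith("OCSP response not successful") and "unauthorized" in msg:
        return "responder_unauthorized"   # responder was reached and refused to vouch
    if msg.startswith("connect()") and "Network is unreachable" in msg:
        return "network_unreachable"      # no route to the responder address
    return "other"

def summarize(log_text):
    """Return {certificate path: Counter of failure reasons}."""
    per_cert = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_cert[m["cert"]][classify(m["msg"])] += 1
    return dict(per_cert)

def needs_expiry_check(summary):
    """Certificates with at least one 'unauthorized' answer (heuristic)."""
    return sorted(c for c, reasons in summary.items() if reasons["responder_unauthorized"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for cert, reasons in sorted(summary.items()):
        print(cert, dict(reasons))
    print("check the expiry date of:", needs_expiry_check(summary))
```
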

What was found in /var/log/letsencrypt/letsencrypt.log?
Any errors?

This pattern twice a day up until yesterday when I forced a fix:

2022-04-30 09:53:26,418:DEBUG:certbot.main:certbot version: 0.31.0
2022-04-30 09:53:26,420:DEBUG:certbot.main:Arguments: ['-q']
2022-04-30 09:53:26,422:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-04-30 09:53:26,443:DEBUG:certbot.log:Root logging level set at 30
2022-04-30 09:53:26,445:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-04-30 09:53:26,447:DEBUG:certbot.renewal:no renewal failures

Here’s a post on letsencrypt’s site about the issue with expired certs and the error I got:

I don’t know what version of client MiaB uses and I don’t know why it ever let it get expired in the first place.

The script that MiaB uses to provision/renew SSL certs is located in your install dir.

Should be: /root/mailinabox/management/ssl_certificates.py. I’m not much of a Python scripter but the code is commented fairly well.

it would seem that the /root/mailinabox/management/daily_tasks.sh script calls the ssl_certificates.py script.

From there I believe that cron calls the daily_tasks.sh script via
/etc/cron.d/mailinabox-nightly

# Mail-in-a-Box --- Do not edit / will be overwritten on update.
# Run nightly tasks: backup, status checks.
6 3 * * *       root    (cd /root/mailinabox && management/daily_tasks.sh)

So unless you commented out any of these files or modified something - I’m not sure why it wouldn’t be working. Best I can say is keep your eye on it and see how the next renewal goes.