Question

SSL cert renewed but droplet didn't apply it.

Posted March 31, 2021, 383 views
Let's Encrypt, DigitalOcean Droplets

This might seem like an odd issue, but I’ve checked in the past and saw that my SSL certificate was set to auto-renew on 3/30/2021. I got an email from a client saying their site was showing a not secure error. I SSH’d into the droplet and I can see the SSL cert was automatically renewed. I actually had to reboot my droplet in order for it to recognize the new SSL cert. Is this normal? Anything I can do to prevent having to reboot the droplet next time my SSL renews?

2 answers

Hi @dgrimesbusiness,

Hmm, that’s weird. What you can try next time is to restart your web service (Apache/Nginx). Basically, when you make a change like this or edit anything in the configuration, you’ll need to restart/reload your web service (if it’s a change there, of course) so that the change is actually applied.

To do so, you can do

Ubuntu/Nginx

systemctl restart nginx

Ubuntu/Apache

systemctl restart apache2

CentOS/Nginx

systemctl restart nginx

CentOS/Apache

systemctl restart httpd

Regards,
KFSys

  • Thank you so much for the reply! A couple of questions for you.

    1) I actually have the WordPress LiteSpeed droplet; how would I go about restarting that service? I tried systemctl restart apache2 since LiteSpeed works with Apache, but no luck.

    2) Is this something that I should plan on running every time the SSL renews? Like, should I set a calendar date to make sure I restart the server?

    New to Droplets, so I was kind of intimidated when my client reached out and said the site was insecure on the day the SSL renewed.

    Thank you!

    • Hi @dgrimesbusiness,

      1. Let’s start with the first question. If you are not sure which service you need to restart, you can always follow one rule: services that serve your website (web services) usually listen on ports 80 and 443. What you can do is SSH to your droplet and run the following command -

        netstat -tulpen | grep 443

        This will show you which service is listening on port 443. Once you know it, you can restart it.

      2. Can you confirm how you are renewing the certificates? This might be pivotal to my answer.

      Regards,
      KFSys

      • Sounds great, thank you!

        1) Here is the list that shows when running netstat >

        tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 22578 816/openlitespeed (

        udp 0 0 0.0.0.0:443 0.0.0.0:* 0 22599 816/openlitespeed (

        udp 0 0 0.0.0.0:443 0.0.0.0:* 0 22579 816/openlitespeed (

        2) When I first installed the WordPress LiteSpeed droplet from the marketplace, it had me set up Let's Encrypt initially (asks to input the domain, whether I want to force SSL, etc.) and then it installed Let's Encrypt for me and did the setup for me.

        3) If I run sudo systemctl status certbot.timer, this is my output >

        certbot.timer - Run certbot twice daily
          Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
          Active: active (waiting) since Tue 2021-03-30 21:58:55 UTC; 2 days ago
         Trigger: Sat 2021-04-03 06:53:52 UTC; 15h left
        Triggers: ● certbot.service

        To me, this shows that certbot is actively running and checking twice daily, I presume? It looks correct?

        4) When I run sudo certbot renew --dry-run, this is my output >

        Processing /etc/letsencrypt/renewal/mysite.com.conf
        Cert not due for renewal, but simulating renewal for dry run
        Plugins selected: Authenticator webroot, Installer None
        Renewing an existing certificate
        Performing the following challenges:
        http-01 challenge for mysite.com
        http-01 challenge for www.mysite.com
        Using the webroot path /var/www/html for all unmatched domains.
        Waiting for verification...
        Cleaning up challenges
        new certificate deployed without reload, fullchain is
        /etc/letsencrypt/live/mysite.com/fullchain.pem

        ** DRY RUN: simulating 'certbot renew' close to cert expiry
        ** (The test certificates below have not been saved.)

        Congratulations, all renewals succeeded. The following certs have been renewed:
        /etc/letsencrypt/live/mysite/fullchain.pem (success)
        ** DRY RUN: simulating 'certbot renew' close to cert expiry
        ** (The test certificates above have not been saved.)

        This also looks good to me when skimming over it, I believe.

        5) If I run sudo certbot renew just for a test, the output is >

        Processing /etc/letsencrypt/renewal/mysite.com.conf
        Cert not yet due for renewal

        The following certs are not due for renewal yet:
        /etc/letsencrypt/live/mysite.com/fullchain.pem expires on 2021-05-30 (skipped)
        No renewals were attempted.

        This also looks good to me.


        So following that last command, to replicate what happened last time: on 05-30 the certificate will auto-renew, but the server for some reason didn’t recognize and use the newly renewed certificates by itself? Is that what I presume?

        The certificates definitely auto-renewed, because on the same day they were set to expire and the site was showing it wasn’t safe, I SSH’d in and saw the new expiration date of 05-30. So it’s the part after that, of the server seeing the new certificates, that seems to be not working right?

        P.S. I switched out that actual domain with mysite.com for example reasons.

        • Hi @dgrimesbusiness,

          Hmm, from the provided output, everything seems in order and the installation should’ve happened without a problem. Certbot seems to be able to do everything that’s needed and everything is configured (from what I can see) properly.

          I honestly can’t think of a reason why the certificate didn’t show, except maybe that you had the website cached in your browser. I mean that, and maybe the restart of the openlitespeed service, but that seems a little far-fetched.

          • KFS, thank you again for all your help! The same thing happened this go-around when the SSL renewed. It renewed (May 30th) and the website now showed that the website’s SSL had expired. I had to SSH into the droplet, run reboot to reboot it, and everything worked as normal. Is this something that’s happening because it’s OpenLiteSpeed and not an Apache or Nginx server?

Hi @dgrimesbusiness,

I see you have experienced the same issue, I’m sad to hear that!

Anyway, I tried some other stuff to see if I can help you out. It seems the following service should be restarted when a new certificate has been installed:

service lsws restart

Maybe you can try and add it to be executed when the system certbot.service executes the certificate renewal.
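As an added example (not code from the thread, from DigitalOcean or from the OpenLiteSpeed project), here is a deploy hook that implements that suggestion: certbot runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/ only after a successful, non-dry-run renewal, so the restart happens exactly when a certificate changes, and the hook then compares the certificate the server actually presents with the one on disk so you know the restart worked without rebooting. The script path, the placeholder domains and the log file location are assumptions; the restart command is the one from the answer above.

```shell
#!/bin/sh
# Added example, not from the thread: certbot deploy hook for OpenLiteSpeed.
# Assumed path: /etc/letsencrypt/renewal-hooks/deploy/reload-lsws.sh (chmod +x).
# certbot runs scripts there after each successful renewal with RENEWED_LINEAGE
# and RENEWED_DOMAINS set, and skips them on --dry-run.
set -eu
# Placeholder domains; the restart command is the one from the answer above.
SERVED_DOMAINS="${SERVED_DOMAINS:-mysite.com www.mysite.com}"
RESTART_CMD="${RESTART_CMD:-service lsws restart}"
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/deploy-hook.log}"
log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE"; }

# Returns 0 when any space-separated domain in $1 also appears in $2, so a
# renewal of some other lineage on the same droplet does not bounce the server.
should_restart() {
    for d in $1; do
        for s in $2; do
            [ "$d" = "$s" ] && return 0
        done
    done
    return 1
}

# Returns 0 when the SHA-256 fingerprint of $1/fullchain.pem equals the one the
# server presents for $2 on 127.0.0.1:443 (needs openssl on the host).
served_matches_disk() {
    disk=$(openssl x509 -in "$1/fullchain.pem" -noout -fingerprint -sha256)
    live=$(printf '' | openssl s_client -connect 127.0.0.1:443 -servername "$2" \
        2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    [ -n "$disk" ] && [ "$disk" = "$live" ]
}

main() {
    if ! should_restart "$RENEWED_DOMAINS" "$SERVED_DOMAINS"; then
        log "renewal of $RENEWED_DOMAINS does not touch $SERVED_DOMAINS; skipping"
        return 0
    fi
    log "restarting OpenLiteSpeed after renewal of $RENEWED_LINEAGE"
    $RESTART_CMD   # unquoted on purpose so the command splits into words
    first=${RENEWED_DOMAINS%% *}
    if served_matches_disk "$RENEWED_LINEAGE" "$first"; then
        log "verified: $first now serves the renewed certificate"
    else
        log "WARNING: $first still serves a certificate different from disk"
        return 1
    fi
}
# Only act when certbot invoked us; sourcing the file just defines functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

A non-zero exit from the hook shows up in certbot's own log, so a restart that did not take effect is visible the same day rather than when a client writes in.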