LetsEncrypt Certificate for forum.kiwisdr.com expired today [no it didn't]
Just for info, in case it has been overlooked: Currently some browsers, Firefox for example, strictly refuse to contact the forum due to an expired certificate - even without offering an option to continue at one's own risk. (I'm writing this with an older Chrome version.)
Comments
Except, it didn't. I've had this problem a few times in the past and for the life of me I can't figure out what's wrong (last occurred 25 July 2022). The certs are auto-renewed once a week. Here's their status when the forum was down:
root@forum:/www/logs# certs
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: drm.kiwisdr.com
Domains: drm.kiwisdr.com
Expiry Date: 2023-06-20 21:00:39+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/drm.kiwisdr.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/drm.kiwisdr.com/privkey.pem
Certificate Name: files.kiwisdr.com
Domains: files.kiwisdr.com
Expiry Date: 2023-06-20 21:00:44+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/files.kiwisdr.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/files.kiwisdr.com/privkey.pem
Certificate Name: forum.kiwisdr.com
Domains: forum.kiwisdr.com
Expiry Date: 2023-06-20 21:00:49+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/forum.kiwisdr.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/forum.kiwisdr.com/privkey.pem
Certificate Name: tdoa2.kiwisdr.com
Domains: tdoa2.kiwisdr.com
Expiry Date: 2023-06-20 21:00:54+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/tdoa2.kiwisdr.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tdoa2.kiwisdr.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All I've had to do when this happens is restart the web server (lighttpd). It had been running since the last reboot (85 days ago). That's my only clue. Maybe I need to reboot automatically once a month or something.
My whole experience with LetsEncrypt has been extremely negative. Not only does it not handle the private network case of IoT devices like the Kiwi, but it seems very fragile.
Thanks, John, for the explanation.
Firefox didn't allow me to visit the site, but allowed me to view the certificate. For whatever reason, it showed an expiration date of yesterday (21-Apr-2023).
My own experiences with LE stem from normal webservers only - and there I'm completely satisfied. Very robust and reliable over years - it just works. (I was almost tempted to say: setup and forget...)
Probably if the slightest thing is wrong the browser just says "cert expired". Or maybe lighttpd on my end has bugs. Who knows. I haven't got time for stuff like that. Like you say, it's just supposed to work.
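The symptom described in this thread (certbot lists a valid certificate on disk, the browser reports an expired one, and restarting lighttpd clears it) can be checked by comparing the leaf certificate in `fullchain.pem` with the one the running server actually presents. This is an added example, not code from the thread or from the KiwiSDR project; the function names are illustrative and the sample data is constructed placeholder bytes, not real certificates.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample data: PEM armor around placeholder bytes, not real certs.
RENEWED_LEAF = b"constructed-leaf-renewed"
OLD_LEAF = b"constructed-leaf-old"
SAMPLE_FULLCHAIN = (ssl.DER_cert_to_PEM_cert(RENEWED_LEAF)
                    + ssl.DER_cert_to_PEM_cert(b"constructed-intermediate"))


def leaf_der_from_fullchain(pem_text):
    """DER bytes of the first (leaf) certificate in a fullchain.pem."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM text")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def served_leaf_der(host, port=443, timeout=10):
    """DER bytes of the leaf the running server presents right now."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # verification is off on purpose: an
    ctx.verify_mode = ssl.CERT_NONE  # expired cert must still be retrievable
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_stale(disk_pem_text, served_der):
    """True when the server presents a different leaf than the one on disk."""
    on_disk = hashlib.sha256(leaf_der_from_fullchain(disk_pem_text)).digest()
    return on_disk != hashlib.sha256(served_der).digest()


if __name__ == "__main__":
    # usage: check.py forum.kiwisdr.com /etc/letsencrypt/live/forum.kiwisdr.com/fullchain.pem
    host, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="ascii") as fh:
        stale = is_stale(fh.read(), served_leaf_der(host))
    print("STALE: server has not loaded the on-disk cert" if stale else "OK")
    sys.exit(1 if stale else 0)
```

Run after the weekly renewal, exit status 1 means the web server is still presenting a certificate other than the one on disk and needs a reload or restart.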