coldfire84 / node-red-alexa-home-skill-v3-web

Web Service/ API for Alexa and Google Home Node-RED Smart Home Control
https://red.cb-net.co.uk/
Apache License 2.0
51 stars 7 forks

Service down: Cloudflare reports expired SSL certificate #172

Closed rPraml closed 1 year ago

rPraml commented 1 year ago

Describe the bug

Cloudflare reports Invalid SSL certificate Error code 526

If you're the owner of this website:

The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server.

lgn42r commented 1 year ago

Same issue here.

s1nbad commented 1 year ago

and here

edterbak commented 1 year ago

Same here :( Hope it is fixable

MattUkIps2018 commented 1 year ago

Same issue here.

JamesB0T commented 1 year ago

"Error: certificate has expired", "Re-connecting to Alexa/ Google Home Skill MQTT server: mq-red.cb-net.co.uk"

Certificate on https://mq-red.cb-net.co.uk/ expired 06.05.2023 14:29:16 (LetsEncrypt)

Probably a failed auto-update script on the server (a few weeks ago the scripts were modified to fix another issue).

jimmycd commented 1 year ago

Was already the same some time ago... apparently auto-renew of the certificate is not working. I will check for alternatives. Any recommendations?

coldfire84 commented 1 year ago

Certs renewed as expected, it’s the restarts that haven’t worked, again. I’ve restarted the services manually and rejigged the scripts again. Cert renewal is mandatory, every two months - this is LetsEncrypt enforced, and we’re following all of the appropriate post renewal scripts to restart services. I’ve made the restart service impacting (vs trying to minimise impact).

Ironically, the error was different this time: the MQTT server cert renewed and updated without issue (that was the issue from two months ago); this time it was the NGINX proxy that handles the incoming API requests that didn't restart.

Total impacted service time was approx. 2 hours 48 mins. But this takes time to propagate.

coldfire84 commented 1 year ago

> Was already the same some time ago... apparently auto-renew of the certificate is not working. I will check for alternatives. Any recommendations?

It’s a free service, ran with best endeavours🫡

coldfire84 commented 1 year ago

Happy to review cert renewal process with anyone willing to contribute to the project.

JamesB0T commented 1 year ago

> Happy to review cert renewal process with anyone willing to contribute to the project.

Unfortunately, my skill may be too low to help make that "the proper way", but my observation from today: the cert for MQTT causes a problem with the connection to the MQTT server (which can be "fixed" by changing the date/time on the client device), but even with the client connected, Google Home still doesn't work.

rPraml commented 1 year ago

Good work 👍👍

> Cert renewal is mandatory, every two months

AFAIK certs are valid for 3 months and renewal occurs one month before expiry. What do you think about restarting the services every two weeks?

coldfire84 commented 1 year ago

> Good work 👍👍
>
> > Cert renewal is mandatory, every two months
>
> AFAIK certs are valid for 3 months and renewal occurs one month before expiry. What do you think about restarting the services every two weeks?

You’re right, certs have a three month life and certbot will renew them automatically after two months.

The restart of the services has to occur just after the certificate renewal, and there is a post hook/ script set up to run automatically after the renewal takes place that restarts the Mosquitto MQTT server instances and restarts the proxy. It's this that has been an issue the last couple of renewals (and was an issue back in 2019).

CKerswell commented 1 year ago

Could you add a watchdog script that runs once per week and checks if the cert in use is due to expire in the next three weeks.

If it is, then the renewal should have already occurred, and the watchdog can restart the services.

If that works, great (but alert you that the main renewal script failed).

If it doesn't work (ie the cert in use is still due to expire in less than three weeks), then alert you that the cert renewal failed?

That then gives a few weeks to fix it before it causes an issue.

I'd be happy to contribute to that script if you wanted?

Top work getting the service back up quickly (and running it in the first place!) 👍
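The failure mode coldfire84 describes above (certbot renews the certificate on disk but the post-renewal hook does not restart NGINX or Mosquitto, so the listener keeps presenting the expired certificate) and the watchdog CKerswell proposes can both be covered by one check: compare the fingerprint of the certificate on disk with the one the live service actually serves, and separately check how long the on-disk certificate has left. The script below is an added example written for this thread, not code from the project or from any commenter. The certbot `live/<name>/fullchain.pem` paths, the hostnames, the ports (443 for the NGINX proxy, 8883 for MQTT over TLS), the `systemctl` restart commands and the 21-day window are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the project's own code). Assumptions, not from the thread:
# certbot's /etc/letsencrypt/live/<name>/fullchain.pem layout, the hosts/ports
# below, systemctl-managed services, and a 21-day window.
set -u

# certbot renews ~30 days before expiry, so a cert with <=21 days left means
# the renewal itself did not happen.
WINDOW_DAYS=21

# Exit 0 if the PEM certificate in $1 expires within $2 days.
cert_expires_within() {
    pem=$1; days=$2
    ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a live TLS listener presents
# (empty string if the connection fails).
served_fingerprint() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Pure decision logic, kept separate so it can be tested without a network.
#   $1: 1 if the on-disk cert expires within the window, else 0
#   $2: fingerprint on disk     $3: fingerprint served by the listener
# Prints one of: renewal-failed | unreachable | reload | ok
watchdog_decision() {
    if [ "$1" -eq 1 ]; then
        echo renewal-failed   # certbot did not produce a fresh cert: alert, nothing to reload
    elif [ -z "$3" ]; then
        echo unreachable      # could not fetch the served cert: alert, do not guess
    elif [ "$2" != "$3" ]; then
        echo reload           # fresh cert on disk but old one still served: the post-hook failed
    else
        echo ok
    fi
}

# Check one service, act on the decision, and report on stderr
# (an alerting hook such as mail or a webhook call would go where the echo is).
check_service() {
    name=$1; pem=$2; host=$3; port=$4; restart_cmd=$5
    if cert_expires_within "$pem" "$WINDOW_DAYS"; then expiring=1; else expiring=0; fi
    disk=$(cert_fingerprint "$pem")
    served=$(served_fingerprint "$host" "$port")
    action=$(watchdog_decision "$expiring" "$disk" "$served")
    case $action in
        ok)             ;;
        reload)         echo "$name: serving stale cert, restarting" >&2; eval "$restart_cmd" ;;
        unreachable)    echo "$name: could not read served cert from $host:$port" >&2 ;;
        renewal-failed) echo "$name: cert on disk expires within $WINDOW_DAYS days; renewal failed" >&2 ;;
    esac
    echo "$action"
}

# Run from cron with --run; hosts, paths and ports are illustrative assumptions.
if [ "${1:-}" = "--run" ]; then
    check_service nginx     /etc/letsencrypt/live/red.cb-net.co.uk/fullchain.pem    red.cb-net.co.uk    443  "systemctl restart nginx"
    check_service mosquitto /etc/letsencrypt/live/mq-red.cb-net.co.uk/fullchain.pem mq-red.cb-net.co.uk 8883 "systemctl restart mosquitto"
fi
```

Running it weekly from cron gives the three-week margin CKerswell asks for, and the fingerprint comparison catches the exact case from this incident (renewal succeeded, restart did not) without waiting for the old certificate to expire. The same `check_service` call is also a reasonable thing to run from a certbot `--deploy-hook` right after the restart, as a post-condition that the restart actually took effect.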

coldfire84 commented 1 year ago

Have run a further renewal test tonight (in production) and have confirmed services reloaded with new certificates as expected. Revised post-renewal scripts are working.

I'm working on monitors/ notifications as belt and braces.