I got the expiration warning mails from letsencrypt.org but I thought I could ignore them.
Now Chrome warns that the cert has expired.
What could be the reason that the container didn't auto renew the certs?
It seems there were similar issues: #7
This happened to me to. Logs were saying that the cert didn't require renewal. I ended up moving the old cert to a backup folder and it generated a new one after that and I sort of just assumed that I was doing something wrong but maybe it is an issue.
Yes, my container says the same, even now as the cert is expired since 2 days:
Creating/renewal admin.xxx.ch certificates... (admin.xxx.ch)
2017-04-24 19:36:37,850:INFO:simp_le:1383: Certificates already exist and renewal is not necessary, exiting with status code 1.
Creating/renewal api.xxx.ch certificates... (api.xxx.ch)
2017-04-24 19:36:38,715:INFO:simp_le:1383: Certificates already exist and renewal is not necessary, exiting with status code 1.
Creating/renewal www.xxx.ch certificates... (www.xxx.ch xxx.ch)
2017-04-24 19:36:39,581:INFO:simp_le:1383: Certificates already exist and renewal is not necessary, exiting with status code 1.
Sleep for 3600s
2017/04/24 19:41:33 Received signal: terminated
2017/04/24 19:41:33 Received signal: terminated
Reloading nginx proxy (using separate container nginx-gen)...
Creating/renewal admin.xxx.ch certificates... (admin.xxx.ch)
2017/04/24 19:41:34 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/update_certs'
2017/04/24 19:41:34 Watching docker events
2017/04/24 19:41:34 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/update_certs'
2017-04-24 19:41:35,300:INFO:simp_le:1383: Certificates already exist and renewal is not necessary, exiting with status code 1.
Creating/renewal api.xxx.ch certificates... (api.xxx.ch)
2017-04-24 19:41:36,188:INFO:simp_le:1383: Certificates already exist and renewal is not necessary, exiting with status code 1.
Creating/renewal www.xxx.ch certificates... (www.xxx.ch xxx.ch)
2017-04-24 19:41:37,056:INFO:simp_le:1383: Certificates already exist and renewal is not necessary, exiting with status code 1.
Sleep for 3600s
This helped me quickly get new valid certs:
rm -rf /root/certs/*
docker stop nginx nginx-letsencrypt nginx-gen
docker rm nginx nginx-letsencrypt nginx-gen
docker-compose up nginx nginx-letsencrypt nginx-gen
But this certainly is an issue, since the documentation of the container says renewals should happen automagically.
Same thing here, just happened to me today.
Thanks for the quick fix @ScyDev, although this should really not need to be done in the first place.
Same for me, removing containers helped. But would be nice to have a proper solution.
same here - all containers on all servers not renewing
Could that be a bug on simp_le side rather than on letsencrypt-nginx-proxy-companion side ?
The container appears to be issuing the simp_le certificate creation command every 3600 seconds, which should trigger certificate renewal for certificates who are still valid for less than a fixed default duration.
Speaking of simp_le it looks like the original project https://github.com/kuba/simp_le has been abandoned by its author is no longer actively maintained. This fork is still in active development : https://github.com/zenhack/simp_le
Anyway if auto renew is not working at all that's a pretty serious bug.
Is there a suggested way to test / help ? (I don't have any certs nearing expiration at the moment)
Edit :
Or maybe the same issue as #121 and proposed fix #165 ?
I just ran into this too. Manually running /app/letsencrypt_service says renewal is not necessary:
2017-05-07 19:26:42,651:INFO:simp_le:1383: Certificates already exist and renewal is not necessary, exiting with status code 1.
but clearly it is necessary because the cert is expired:
bash-4.3# openssl x509 -dates -noout -in /etc/nginx/certs/domain.com.crt
notBefore=Feb 5 23:00:00 2017 GMT
notAfter=May 6 23:00:00 2017 GMT
Manually removing certs to force regeneration worked as a workaround for now...
Just experienced this as well, logs show
INFO:simp_le:1383: Certificates already exist and renewal is not necessary, exiting with status code 1.
yet certs have expired.
I was having the same issue until I upgraded to a newer Docker version.
@jokogr From which version to which version did you upgrade?
@ScyDev I think it was 1.12.6 and it is now 17.03.1-ce
I have also added the label parameter in the nginx container (--label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true), it was something I didn't have.
I just watched one of my certificates getting correctly auto renewed, perfectly on time (as soon as its validity went under 30 days / 720 hours) but as no change in configuration where picked up by docker-gen, it did not issue SIGHUP to the nginx container and the proxy was still serving the old certificate for this page, valid until may 23.
After a container restart the correct, renewed certificate is served, valid until august 22.
So certificate renewal does happen, but the proxy does not use the renewed certificates without a container restart.
PR #165 is aiming to fix this.
I'm using Docker version 17.05.0-ce, and the docker-letsencrypt-nginx-proxy-companion container that correctly renewed the certificates has all the commits up to b002a6b
I have another certificate scheduled for renewal in 17 days, I'll try to switch to a version of the container with #165 fix included before renewal happen to see if the fix works correctly.
I confirm that #165 fix works and that the container now properly reload the nginx proxy to have it serve the new certificates as soon as they've been renewed. No need to restart it anymore.
Do not forget to use the env variable NGINX_PROXY_CONTAINER=your_nginx-proxy_container if you don't or can't use volumes_from
Removing containers didn't help for me. Still failing CA verification (with docker cloud).
This is not the same issue as #211
Fixed by #165, closing.
Most helpful comment
I just watched one of my certificates getting correctly auto renewed, perfectly on time (as soon as its validity went under 30 days / 720 hours) but as no change in configuration where picked up by docker-gen, it did not issue SIGHUP to the nginx container and the proxy was still serving the old certificate for this page, valid until may 23.
After a container restart the correct, renewed certificate is served, valid until august 22.
So certificate renewal does happen, but the proxy does not use the renewed certificates without a container restart.
PR #165 is aiming to fix this.
I'm using Docker version 17.05.0-ce, and the
docker-letsencrypt-nginx-proxy-companioncontainer that correctly renewed the certificates has all the commits up to b002a6bI have another certificate scheduled for renewal in 17 days, I'll try to switch to a version of the container with #165 fix included before renewal happen to see if the fix works correctly.