Forge: LetsEncrypt cert failed to renew

Hello,

Today a TLS LetsEncrypt certificate expired on a load balancer I've got, which basically broke my site. I am trying to figure out why it didn't automatically renew. In the ~year I've had it running this is the first time it didn't renew the certificate. I also never received an email from Forge stating that it failed to renew a certificate (docs say this should happen: https://forge.laravel.com/docs/1.0/sites/ssl.html#renewing-letsencrypt-certificates).

At this stage I've fixed it by uninstalling and reinstalling a new cert (using the Forge UI).

From my understanding so far, cron will run the following:

/etc/cron.d/letsencrypt-renew-<some num>, which contains:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

56 21 * * 1 root /bin/bash /home/forge/.letsencrypt-renew/<id> > /home/forge/.letsencrypt-renew/<id>.out 2>&1

Within /home/forge/.letsencrypt-renew, there's the output file <id>.out that contains the following:

Certificate will not expire
Certificate is still valid.

This is the certificate that expired.

I can see that usually when a certificate is renewed, the output file would contain something like:

Creating challenge directory...
Installing LetsEncrypt client...
Configuring client...
Restarting Nginx...
Generating Certificate...
# INFO: Using main config file /root/letsencrypt<num>/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account URL...
+ Done!
# INFO: Using main config file /root/letsencrypt<num>/config
 + Creating chain cache directory /root/letsencrypt<num>/chains
Processing api.<domain>.com
 + Creating new directory /root/letsencrypt<num>/certs/1616..........
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for <api.domain.com>
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for <api.domain.com> authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
Success!
1Installing Certificate...
Restarting Nginx...

So at this point I'm pretty unsure of why the certificate didn't automatically renew. Are there any other log files I can check, or can I test the current configuration to ensure that automatic renewal will work in the future?

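One way to test this independently of the renewal job, as an added example that is not part of the original post or of Forge's own scripts: the first line of the `.out` file quoted in the post matches the message `openssl x509 -checkend` prints, so the script below runs that check against a certificate file and then compares the file with the certificate the host actually serves. The function names, the 30-day default and the usage arguments are assumptions.

```shell
#!/bin/sh
# Added example; function names and the 30-day default are assumptions.
# Usage: sh cert-audit.sh /path/to/cert.pem host.example.com [min_days]

# cert_ok FILE DAYS: 0 = valid for more than DAYS days,
# 1 = expired or expiring within DAYS days, 2 = not a readable certificate.
cert_ok() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# same_cert A B: 0 when both files hold the same certificate (SHA-256 match).
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# fetch_served HOST OUT: save the leaf certificate HOST presents on port 443.
fetch_served() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2" 2>/dev/null
}

# audit_cert FILE HOST [DAYS]: report every problem found, return 1 if any.
audit_cert() {
    file=$1; host=$2; days=${3:-30}; rc=0
    live=$(mktemp) || return 2
    cert_ok "$file" "$days" ||
        { echo "DISK: $file is unreadable, expired or expires within $days days"; rc=1; }
    if fetch_served "$host" "$live"; then
        cert_ok "$live" "$days" ||
            { echo "LIVE: $host serves a certificate expired or expiring within $days days"; rc=1; }
        same_cert "$file" "$live" ||
            { echo "MISMATCH: $host is not serving the certificate in $file"; rc=1; }
    else
        echo "LIVE: could not fetch a certificate from $host"; rc=1
    fi
    rm -f "$live"
    return "$rc"
}

# Run only when a file and a host are given on the command line.
[ "$#" -lt 2 ] || audit_cert "$@"
```

A MISMATCH line alongside a passing DISK check means the file being checked is not the certificate clients receive. Running the script from a separate cron entry gives an alert that does not depend on the renewal job's own output.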