Let's Encrypt Certificate expired

Hey,

My infrastructure has been running for one and a half years by now.
I’m using version 1.3.0 of OpenBalena.
I’m using a Let’s Encrypt certificate generated and managed by OpenBalena.

As I understand, that certificate is created for 90 days and automatically refreshed when needed.
It seems that has worked for 1.5 years because I never had any errors related to an expired certificate.

However, today I realized that one of my Raspberry Pis had an error because it is blinking its LED, indicating it doesn’t have access to the Balena instance.

When I tried to connect to the Balena CLI to investigate, I realized my certificate was expired.

CERT_HAS_EXPIRED: request to https://api.<mydomaine>/login_ failed, reason: certificate has expired

If I go to the api from my web browser, same story. The certificate was generated 3 months ago, and has now been expired for 3 days.

Validity
Not Before: Fri, 16 Apr 2021 23:09:24 GMT
Not After: Thu, 15 Jul 2021 23:09:24 GMT

I connected to my Balena Instance (running on DigitalOcean with no issues since October 2019), and tried restarting the cert-provider container with:

./scripts/compose restart cert-provider

That didn’t change anything. I also looked at the logs of that container, but there is nothing suspicious. Extract since I restarted (I first restarted the server, then a bit later manually restarted only the cert-provider)

For now my infrastructure “works” because the actual work takes place outside the Balena Instance, so I’m not in a critical situation. However, I cannot access my devices from Balena, and cannot login to the Balena CLI because of this.

I would appreciate your help in forcing the Let’s Encrypt certificate to update.
Thanks in advance

Tim

Hey Tim,

We should first check if the certificate in use by openBalena is valid. Can you give a try to ‘curl https://api.your_domain/ping’ from inside the openBalena server?

By the way, I think the server needs a restart after the cert-provider is restarted. Might be worth trying if the curl command doesn’t return OK
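
To go with the check suggested above, this added example (not part of the thread and not openBalena code) reads the validity window of the certificate an endpoint is actually serving, even when verification fails, and classifies it. It uses Node's `tls` module; the function names, the `CERT_HOST` environment variable and the 30-day renewal threshold are assumptions made for the example.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Classify a validity window. renewBeforeDays = 30 is an assumed threshold,
// not a documented openBalena cert-provider setting.
function classifyWindow(notBefore, notAfter, now = new Date(), renewBeforeDays = 30) {
  const start = new Date(notBefore);
  const end = new Date(notAfter);
  if (Number.isNaN(start.getTime()) || Number.isNaN(end.getTime())) {
    throw new Error('unparseable validity date');
  }
  const daysLeft = Math.trunc((end - now) / DAY_MS); // negative once expired
  let status = 'ok';
  if (now < start) status = 'not-yet-valid';
  else if (now > end) status = 'expired';
  else if (daysLeft < renewBeforeDays) status = 'renewal-overdue';
  return { status, daysLeft, lifetimeDays: Math.round((end - start) / DAY_MS) };
}

// Read the certificate a host serves. Verification is relaxed only so the
// handshake completes and the dates can be read; no application data is sent.
async function fetchServedWindow(host, port = 443) {
  const tls = await import('tls');
  return new Promise((resolve, reject) => {
    const socket = tls.connect(
      { host, port, servername: host, rejectUnauthorized: false },
      () => {
        const cert = socket.getPeerCertificate();
        // authorizationError carries the same code the CLI reported,
        // e.g. CERT_HAS_EXPIRED, when the chain does not verify.
        const verifyError = socket.authorized ? null : String(socket.authorizationError);
        socket.end();
        resolve({ verifyError, ...classifyWindow(cert.valid_from, cert.valid_to) });
      }
    );
    socket.on('error', reject);
  });
}

// Constructed check: the dates quoted in the first post, with "now" set to a
// constructed moment three days after expiry.
console.log(classifyWindow(
  'Fri, 16 Apr 2021 23:09:24 GMT',
  'Thu, 15 Jul 2021 23:09:24 GMT',
  new Date('2021-07-19T00:00:00Z')
));

// Live check, only when a hostname is supplied: CERT_HOST=api.your_domain node check.js
if (process.env.CERT_HOST) {
  fetchServedWindow(process.env.CERT_HOST).then(console.log, console.error);
}
```

Comparing the result from inside the server with the result from a workstation shows whether both see the same certificate, which separates a renewal that never happened from a renewed certificate that is not yet being served.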