Incident: SSL Certificate Issues

Description

HTTPS services return invalid or expired certificate errors.

Symptoms

  • Browser warning for invalid or expired certificate
  • curl fails with certificate error
  • Services using Let's Encrypt fail to auto-renew

Root Cause Checklist

  • Expired or revoked certificate?
  • Incorrect DNS or domain mismatch?
  • Let’s Encrypt renewal misconfigured?

Resolution Steps

  1. Check certificate status:
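    # -servername sends SNI; </dev/null ends the session; x509 prints subject, issuer and validity dates
    openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null | openssl x509 -noout -subject -issuer -dates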
    
  2. Check renewal logs:
    cat /var/log/letsencrypt/letsencrypt.log
    
  3. Force renewal:
    certbot renew --dry-run   # test run; no certificates are saved
    certbot renew             # renews only certificates that are due
    
  4. Reload web service:
    systemctl reload nginx
    

Preventive Actions

  • Use auto-renewal cronjob or systemd timer
  • Monitor cert expiry (Grafana or custom check)
  • Use DNS challenge if HTTP challenge is blocked
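
A possible custom expiry check for the monitoring item above, as an added example (not part of the original runbook): it reads notAfter from the served certificate and maps the remaining lifetime to monitoring-style exit codes. The 21-day threshold, the function names and the 0/1/2/3 exit-code convention are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 21  # assumed alert threshold; tune it to your renewal schedule


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the validated peer certificate as the dict from getpeercert()."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_left(cert, now=None):
    """Whole days until the certificate's notAfter (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now).days


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Map remaining lifetime to an (exit_code, message) pair."""
    left = days_left(cert, now)
    if left < 0:
        return 2, f"CRITICAL: expired {-left} day(s) ago"
    if left < warn_days:
        return 1, f"WARNING: {left} day(s) left; certificate has not been renewed"
    return 0, f"OK: {left} day(s) left"


def check(host, port=443):
    """Check a live host; handshake failures are reported as CRITICAL."""
    try:
        return classify(fetch_peer_cert(host, port))
    except ssl.SSLCertVerificationError as exc:
        # Expired, mismatched or untrusted certificates fail the handshake itself.
        return 2, f"CRITICAL: verification failed: {exc.verify_message}"
    except OSError as exc:
        return 3, f"UNKNOWN: cannot connect: {exc}"


if __name__ == "__main__":
    code, msg = check(sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com")
    print(msg)
    sys.exit(code)
```

Run it from cron or a systemd timer with the hostname as the only argument and alert on a non-zero exit code.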

Tools & Commands

  • openssl, certbot, systemctl, acme.sh, browser tools