SSL Cert Expired Warning

Symptom: browser warns that the UnifiedBX admin GUI cert is expired. UCP throws TLS errors. Some softphones fail TLS handshake.

Most Likely Causes

  1. Let's Encrypt auto-renewal failed — cron didn't run, or LE couldn't validate (port 80 blocked).
  2. Manually-uploaded cert simply expired.
  3. DNS changed and the FQDN no longer points at this host — LE can't validate.
  4. Cert exists but isn't set as default.

Diagnose

# What cert is being served?
openssl s_client -connect <fqdn>:443 -servername <fqdn> < /dev/null 2>/dev/null \
  | openssl x509 -noout -dates -subject -issuer

# Cert expiration check from CLI:
echo | openssl s_client -connect <fqdn>:443 2>/dev/null | openssl x509 -noout -enddate

# Manual renewal attempt:
fwconsole certificates --updateall
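
The expiry check above can be turned into a scheduled monitor that flags a failing auto-renewal before the cert actually expires. This is an added example, not part of the original page or of the product's tooling; the function names, the WARN_DAYS/CRIT_DAYS thresholds and the host pbx.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Requires GNU date.
WARN_DAYS=21   # assumed threshold: auto-renewal should have run by now
CRIT_DAYS=7    # assumed threshold: act immediately

# cert_status "<notAfter=... line>" [now_epoch]
# Prints EXPIRED, "CRITICAL <days>", "WARNING <days>", "OK <days>" or UNKNOWN.
# Exit codes follow the Nagios plugin convention: 0 OK, 1 warning,
# 2 critical, 3 unknown.
cert_status() {
    # An empty or malformed line means openssl never got a certificate
    # (handshake failed, host unreachable); `date -d ""` would otherwise
    # silently parse as today and hide the failure.
    case $1 in
        notAfter=?*) cs_end=${1#notAfter=} ;;
        *) echo UNKNOWN; return 3 ;;
    esac
    cs_now=${2:-$(date +%s)}
    cs_end_epoch=$(date -u -d "$cs_end" +%s 2>/dev/null) || { echo UNKNOWN; return 3; }
    cs_left=$(( cs_end_epoch - cs_now ))
    cs_days=$(( cs_left / 86400 ))
    if [ "$cs_left" -le 0 ]; then
        echo EXPIRED; return 2
    elif [ "$cs_days" -lt "$CRIT_DAYS" ]; then
        echo "CRITICAL $cs_days"; return 2
    elif [ "$cs_days" -lt "$WARN_DAYS" ]; then
        echo "WARNING $cs_days"; return 1
    fi
    echo "OK $cs_days"
}

# check_host <fqdn>: fetch the served cert as in the commands above and classify it.
check_host() {
    ch_line=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null) || true
    cert_status "$ch_line"
}

# Run against a host only when one is given, e.g.: sh certcheck.sh pbx.example.com
if [ -n "${1:-}" ]; then check_host "$1"; fi
```

Run it daily from cron and alert on any non-zero exit code; an UNKNOWN result is as actionable as an expiry, since it means no certificate could be read at all.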

Fix

  • Renewal failed: check that port 80 is reachable from the public internet (LE uses HTTP-01).
    curl -I http://<fqdn>/.well-known/acme-challenge/test
    
    If it doesn't work, fix port 80 first (firewall, NAT forwarding).
  • Force renewal: System Admin → Certificate Manager → click the cert → Renew. Or CLI: fwconsole certificates --updateall.
  • Cert exists, not default: Certificate Manager → click the cert → Default. Apply Config; restart Apache: systemctl restart httpd.
  • DNS changed: update the cert request to match the new FQDN, or update DNS.
  • Manually uploaded cert: generate a new one (LE preferred), upload via Certificate Manager → Upload Certificate, set as default.

When to Escalate

The cert renews but browsers still show the old one. The likely cause is Apache cache or browser pinning: restart Apache and clear the browser cache. If it is still wrong, you may have a cert pinned in HSTS, which is only resolved by waiting out the HSTS lifetime or matching the original CA.