Background:

We have a small system that uses https to host some things.

So it has a certificate that we monitor to ensure that we see when the system fails before the next developer needs the system.

Everything was working fine until the certificate was updated.

The system is up, the certificate is fine, ... - but there is a permanent error state for this certificate.

There was no downtime with an invalid certificate as far as I remember.

Other monitored certificates:

There are some and at least one that should have been renewed before. But I do not know if any were being monitored before the renewal.

Data:

CA: Let's encrypt

Process: automated (CRON -> script -> ... -> replacement)

Error message: "$Domain: The certificate is expired"

Days to expire: 74

[Threshold for the alert: 10 days]

Issued date: Oct 28, 2019

Expiry date: Jan 26, 2020

Alert: for weeks, not interrupted

Tests:

Changing the threshold to 11 (days) and back to 10. (No update - so either no reevaluation or it failed.)

Changing it to 100 will send a new mail because the value is below the threshold. (Changing it back to 10 does not make a difference. With the old certificate this was working as expected.)

Ignoring the hostname and certification path is not helping either.

Hostname matches (certificate and config of the monitor)

Port is 443 and available.

Cert is accepted: Chrome, Firefox, ... (Site24x7 and the browsers show the same dates. So start and end of the validity should be fine.)

Other changes:

Possible, but I do not know about one.

Possible problems (on my list):

• For some reason the validity check fails. (That depends on how this is implemented - the value for the remaining days should be correct (and it is above the threshold) and start and end are correct. -> unlikely)
• error in the config (no idea where to search)
• changed certificate detected (-> the message would be misleading)
• CA will not be accepted in the future (-> again: misleading message)
• ...

Any ideas?
Is this a known bug?