Skip to content

Runbook — TLSCertExpiring7d

TLSCertExpiring7d

critical

ops

Phase 30.2 / KAN-292

The critical-severity sibling of TLSCertExpiring30d. When a cert has fewer than 7 days remaining, escalation is immediate — there is no slack left.

Treat as urgent. Force-renew the affected cert immediately.

Terminal window
# Identify the affected domain from the alert's instance label, then:
docker exec innoqualis-certbot certbot renew --force-renewal --cert-name <domain> -v
docker exec innoqualis-nginx nginx -s reload
# Verify:
echo | openssl s_client -connect <domain>:443 -servername <domain> 2>/dev/null \
| openssl x509 -noout -dates

If renewal fails, this is the 2026-05-17 incident replaying — check the ACME challenge path:

Terminal window
curl -fsS -o /dev/null -w '%{http_code}\n' http://<domain>/.well-known/acme-challenge/test
# Expected: 404. If 301 (redirect to HTTPS) — the nginx ACME block was lost.

If 301 is observed, restore the location /.well-known/acme-challenge/ block in the port-80 server stanza (see the post-mortem for the 2026-05-17 incident in tasks/lessons.md).

If the cert cannot be renewed within 24 hours, file an emergency change with the on-call lead. Manual cert procurement (Let’s Encrypt staging → production) is the last resort.

2026-05-29 — ops (stub)