A single expiration alert email

For several domains, I only receive a single expiration email and always on the same day as the expiration date.

"Your certificate (or certificates) for the names listed below will expire in 0 days (on 16 Nov 21 05:07 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter erro"

How do I configure a higher alert period, for example 5 days?

Or why am I not alerted normally at 90 days, 30 days, and 10 days?

1 Like

Hi @hlander and welcome to the LE community forum :)

It would be helpful to provide a domain that was included in an expiry email.

To answer your questions:

As explained in the notice (see: https://letsencrypt.org/docs/expiration-emails/), the notification system tries to email at 20 days, 10 days and 1 day before expiry.

A 90 day setting would email everyone immediately after they get a new cert - all LE certs are only valid for 90 days. 30 days is the normal expected renewal time, so that too would email way too many users.
Why you haven't received the 20 day nor 10 day notices is not something that can easily be determined.
Start by providing a domain name and let's go forward from there.

2 Likes

reso.eggs-solutions.fr

1 Like

In addition: It seems like the bigger problem is the lack of a functional automation process.
Why are your domains NOT renewing automatically?
[expiry emails are for when something has gone wrong]
It doesn't look like this FQDN has ever renewed on an automatic schedule:

2 Likes

Can you give me a link to some documentation to do an automatic renewal test?

1 Like

We have Ubuntu servers from version 12 to 20.

1 Like

certbot normally sets up a cron job (or systemd timer) to execute "certbot renew" twice daily.
That will check all the certificates on that system for less than 30 days until expiry; if any are found, they are renewed.

Please check to see if you already have such a job:
[for older Ubuntu]
crontab -l
[for newer Ubuntu]
systemctl list-timers | grep certb

2 Likes

To do a test, I need to know the expiration date of a domain, and I tried with

echo | openssl s_client -connect domaine.fr:443 2>/dev/null | openssl x509 -noout -enddate

but

unable to load certificate
140106674344384:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

1 Like

I get:

echo | openssl s_client -connect domaine.fr:443 2>/dev/null | openssl x509 -noout -enddate
notAfter=Mar 12 23:59:59 2022 GMT

So I suspect that your system may be a bit outdated.
Please show the output of:
openssl version

2 Likes
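Added example, not part of any post in this thread: a bash sketch that turns the `notAfter=` line from the command above into days remaining and compares it with the 30-day renewal threshold and the 20/10/1-day notice schedule mentioned in the replies. The function names are hypothetical, GNU `date` is assumed, and empty input (the case where `s_client` returned no certificate) is reported instead of being passed on to `openssl x509`.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical. Assumes bash and GNU date.
# Thresholds as stated in the thread: certbot renews below 30 days,
# expiry emails are attempted at 20, 10 and 1 day(s) before expiry.
RENEW_DAYS=30
NOTICE_DAYS="20 10 1"

# days_left LINE [NOW_EPOCH]
# LINE is the output of `openssl x509 -noout -enddate`.
# Prints whole days until expiry (truncated toward zero); returns 1 on bad input.
days_left() {
    local line=$1 now=${2:-$(date -u +%s)} end
    case $line in
        notAfter=*) ;;
        *)  echo "no notAfter line: s_client returned no certificate?" >&2
            return 1 ;;
    esac
    end=$(date -u -d "${line#notAfter=}" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# expiry_status LINE [NOW_EPOCH]
# Prints: days=N renew=yes|no notices_passed=<list|none>
expiry_status() {
    local d n due="" renew=no
    d=$(days_left "$@") || return 1
    for n in $NOTICE_DAYS; do
        if [ "$d" -le "$n" ]; then due="$due$n,"; fi
    done
    if [ "$d" -lt "$RENEW_DAYS" ]; then renew=yes; fi
    due=${due%,}
    echo "days=$d renew=$renew notices_passed=${due:-none}"
}

# fetch_enddate HOST: live lookup; -servername sets the SNI name explicitly.
fetch_enddate() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

# Usage: ./check-expiry.sh example.org   (placeholder host name)
if [ $# -gt 0 ]; then
    expiry_status "$(fetch_enddate "$1")"
fi
```

Run from cron, a `renew=yes` result that persists across several days indicates the scheduled `certbot renew` job is not working.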

OpenSSL 1.1.1f 31 Mar 2020

1 Like

Is ca-certificates up-to-date?

2 Likes

I did not understand

1 Like

I don't know which OS you have...
So try and show output of:
apt list ca-certificates | grep installed

If that fails, then try this and show the output:
yum install ca-certificates

2 Likes

I will look to automate the renewal, but I would still like to understand my alert problem. Why only one email alert, and on the same day?

Anyone have a solution?
