AWS Apache cert renewal question


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
coherentstudios.com & staxplanes.com

I ran this command:
sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/coherentstudios.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for coherentstudios.com
http-01 challenge for staxplanes.com
http-01 challenge for www.coherentstudios.com
http-01 challenge for www.staxplanes.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/coherentstudios.com/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/coherentstudios.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


My web server is (include version):
Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-142-generic x86_64)

My hosting provider, if applicable, is:
none/AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

Now my question:
Does this mean my certificate will renew automatically via a cronjob tomorrow when it expires, or
do I need to run:
sudo certbot renew
manually?

The crontab includes:
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew


#2

Hi @b1ueskyz

maybe.

Nobody knows your exact configuration. And there are sometimes very buggy configurations. So check your certificates on Friday, then you will see if the renewal worked.


#3

Pretty much a noobie-
A) How do I ‘check’ my certs?
B) If they have not renewed, do I: sudo certbot renew ?


#4

Why do you think they expire tomorrow?

Now checked your domains via https://check-your-website.server-daten.de/?q=staxplanes.com - there is no need to create new certificates:

CN=coherentstudios.com
	28.12.2018
	28.03.2019
	coherentstudios.com, staxplanes.com, www.coherentstudios.com, www.staxplanes.com - 4 entries

You can use your certificate this month.

Use your browser or an online tool.

Certbot starts trying to renew certificates when they are valid for at most 30 more days. So there is a lot of time.


#5

Thanks for the help. I was referencing tomorrow because I confused my websites. I believe my staxplanes.xyz expires tomorrow. But I will follow your guidance above and wait to see what happens. If not renewed by Friday, I’ll manually renew.


#6

Uh? I see, you have checked this domain via https://check-your-website.server-daten.de/?q=staxplanes.xyz

There is a very young certificate:

CN=www.staxplanes.xyz
	09.01.2019
	09.04.2019
	staxplanes.xyz, www.staxplanes.xyz - 2 entries

Certbot may renew that on 2019-03-09 or 10, not this Friday.


#7

Sorry. I was going by emails I got from LetsEncrypt, I will now go by dates produced by https://check-your-website.server-daten.de.

LetsEncrypt email:
Your certificate (or certificates) for the names listed below will expire in 10 days (on 07 Feb 19 12:46 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

staxplanes.xyz


#8

Please read the complete mail:

You have certificates with one and two domain names:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:staxplanes.xyz&lu=cert_search

One with only staxplanes.xyz ends 07.02.2019, this is correct.

But you don’t use this certificate, you use a certificate with two domain names. So you can ignore the mail:

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

You can use your browser or an online tool to check that.

If you see your webserver uses a new certificate -> ignore the mail.

Letsencrypt doesn’t know if you use the certificate with one or with two domain names. But if you have a certificate with two domain names, you don’t need one with one domain name.
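
The "exact same set of names" rule quoted in this post, worked through with the certificate dates from this thread, as an added example (not code from Let's Encrypt or Certbot). The function names, the simplified 10-day notice threshold and the 2018-11-09 issue date of the older certificate are assumptions made for illustration.

```python
from datetime import date, timedelta

RENEW_WINDOW = timedelta(days=30)  # Certbot renews with 30 days or less left

# (names, not_before, not_after) as reported in the thread. The 2018-11-09
# start date is an assumption derived from the 90-day lifetime.
CERTS = [
    (frozenset({"staxplanes.xyz"}), date(2018, 11, 9), date(2019, 2, 7)),
    (frozenset({"staxplanes.xyz", "www.staxplanes.xyz"}),
     date(2019, 1, 9), date(2019, 4, 9)),
]

def is_superseded(cert, all_certs):
    """A cert counts as renewed only if a newer cert has the exact same names."""
    names, not_before, _ = cert
    return any(n == names and nb > not_before for n, nb, _ in all_certs)

def expiry_notices(all_certs, today, warn_days=10):
    """Certs that would trigger an expiry email on `today` (simplified model)."""
    notices = []
    for cert in all_certs:
        names, _, not_after = cert
        days_left = (not_after - today).days
        if 0 <= days_left <= warn_days and not is_superseded(cert, all_certs):
            notices.append((sorted(names), not_after))
    return notices

def covered_until(hostname, all_certs, today):
    """Latest expiry among currently valid certs that list `hostname`."""
    ends = [na for n, nb, na in all_certs if hostname in n and nb <= today <= na]
    return max(ends) if ends else None

def renewal_due(not_after):
    """First day on which Certbot considers the cert due for renewal."""
    return not_after - RENEW_WINDOW

if __name__ == "__main__":
    today = date(2019, 1, 28)  # ten days before the date in the email
    print("notices:", expiry_notices(CERTS, today))
    print("staxplanes.xyz covered until:", covered_until("staxplanes.xyz", CERTS, today))
    print("two-name cert due for renewal:", renewal_due(date(2019, 4, 9)))
```

The model only shows which issued certificates exist and when they end; which of them the web server actually presents still has to be checked against the live site or with certbot certificates.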


#9

Please also use certbot itself to show you your certs along with their expirations:
certbot certificates