Can't renew, expired?


#1

Hello,
Maybe I have to ask one by one. I’ve been trying to renew one certificate for 5 whole days or so, applying many, many different configurations of the web server (http) (and firewall, name server, local configurations, etc.).

  1. The question was: when renewing, what permissions is the web server required to be given? But I just read a recent post where I see that a web server is not even required when renewing, and that’s confusing to me. It is the “http-01” challenge type, and so I use the same method, a local web server, but whatever configuration I apply, I get “authorizations for these names not found or expired, status: 403”.
    (I placed an HTML file in every directory/path down to the acme-challenge directory and made sure all are accessible.)
    So this question (as well) seems to come back to how exactly the renewal differs from the first creation.

  2. I’m also confused about the expiration date for the renewal itself. Is it the same as the certificate’s own expiration date, or 30 (or 60) days before the certificate expiration? The certificate I’m trying to renew itself expires in 5 days.


#2

Please provide more information.

It should be exactly the same.

Likely something has changed, or is going wrong. 🙁

It depends on the ACME client and its configuration. It’s common to start trying to renew a certificate 30 days before it expires, but clients can do anything (subject to the rate limits).


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#3

Thank you for your reply, mnordhoff.

Do you mean the Let’s Encrypt client configuration or the web server configuration, or something else? The web server configuration at certificate creation was very basic, without even specifying the domain name.

To be sure, I just tried once again to renew it with exactly the same configuration, as advised, but it failed with the same error I stated above.
If the “machine” name has changed since the certificate creation, could that be a problem?


#4

That seems to be why I’ve felt it was discussed differently. The man page for the client I use says “If the certificate already exists and is less than 30 days from expiry, acme-client will attempt to refresh the signature.” (https://man.openbsd.org/acme-client) In this case one can “renew” until 0 days from expiry, right?
What can/should one do after the expiry, if one wants to continue to use the certificate, or at least get a new one again from Let’s Encrypt?

