Cert renewal fails before expiration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: surething.com

I ran this command: docker-compose run letsencrypt

It produced this output: The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I'm not using Certbot, but using a docker-compose file with linuxserver/swag:1.20.0. My cert expires on 6/26. I get this message and then it stops without renewing:

"The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)"

I manually transfer them to our server. I've done this successfully in the past. Do I have to wait until the day before to run it successfully?

Thanks for any help/advice.


I don't see any failure exactly? Can you be more elaborate? For example, answer all the questions of the questionnaire to begin with, next to more verbose messages about what's actually going on. And what kind of Docker stuff you're actually running. Currently we can only guess as we don't have anything to work with at all.


Here's my docker-compose file:

version: '3'
services:
  letsencrypt:
    image: linuxserver/swag:1.20.0 # was linuxserver/letsencrypt
    container_name: letsencrypt
    stdin_open: true # comment out to not see output
    tty: true # comment out to not see output
    environment:
      - PUID=197609
      - PGID=197609
      - TZ=America/Los_Angeles
      - URL=surething.com
      - SUBDOMAINS=wildcard
      - EXTRA_DOMAINS=labelgear.com, www.labelgear.com, decalgear.com, www.decalgear.com
      - DNSPLUGIN=dnsmadeeasy
      - EMAIL=alert@surething.com
      - DHLEVEL=4096
      - STAGING=false # set this value to true to test
    volumes:
      - ./xfer2:/config
    restart: unless-stopped

Well, OK, sure, a docker-compose file.

Anyway, it seems that SWAG likes to live on the edge:

Here you can clearly see that the SWAG renewal script, which outputs the message you're seeing too, waits until the certificate expires within 86400 seconds, which is just a SINGLE day. Whereas Let's Encrypt recommends starting to try renewing 30 days (!!!) before expiry, so you have ample time to fix any issues that might have cropped up.

The file above is part of the SWAG Docker image, so I have no clue how to change that. You might want to take this up with SWAG themselves.

In any case, if all goes well, your certificate will be renewed somewhere between Jun 26 00:49:46 2023 GMT and Jun 27 00:49:46 2023 GMT.
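
The threshold check discussed above, as an added example that is not part of the thread and not SWAG's own script: it uses `openssl x509 -checkend` to compare the 86400-second threshold with the 30-day one on a constructed throwaway certificate. The helper names `renewal_due`, `make_sample_cert` and `report` are hypothetical.

```shell
#!/bin/sh
# Added example (not SWAG's script): what a 1-day and a 30-day renewal
# threshold decide for the same certificate.

DAY=86400   # seconds in one day, the threshold quoted in the thread

# renewal_due CERT SECONDS
# Returns 0 (true) when CERT expires within SECONDS from now, so a renewal
# attempt is due; returns 1 otherwise. An unreadable CERT also counts as due.
renewal_due() {
    # -checkend exits 0 only if the cert is still valid SECONDS from now.
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_sample_cert DIR DAYS
# Constructed sample input: a throwaway self-signed cert valid for DAYS days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.invalid" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# report CERT
# Prints the expiry date and the decision each threshold would make.
report() {
    openssl x509 -in "$1" -noout -enddate
    for days in 1 30; do
        if renewal_due "$1" $((days * DAY)); then
            echo "threshold ${days}d: renewal due now"
        else
            echo "threshold ${days}d: not due yet"
        fi
    done
}

# Demo: a cert with 10 days left is ignored by the 1-day check but is
# already due under the 30-day recommendation.
tmp=$(mktemp -d)
make_sample_cert "$tmp" 10
report "$tmp/cert.pem"
rm -rf "$tmp"
```

Calling `report` on a real certificate file gives the same comparison for a live deployment.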


Thanks! I wish it were longer but that at least explains it!

You might want to open an issue at Issues · linuxserver/docker-swag · GitHub with a request to make SWAG either renew earlier or perhaps make it configurable.


I am not at all familiar with that setup but to me it sounds like the one-day renewal is only in emergency. It sounds like it relies on a cron job for normal renewal. Perhaps the cronjob is failing? It's worth asking SWAG about that first.

But, I certainly agree if that is the only renewal mechanism it should be improved.


You're right Mike, looking at the following file, it seems there's also a daily cronjob running:

@cbad Please check the contents of the log file mentioned in the highlighted cron entry in the file above.


I do have an entry in that log file, but it looks old. I guess I'll find out tomorrow since the cron job was scheduled to run at 2:08am. Thanks for all the great info from you and Mike, much appreciated.
