One thing I'm noticing however is that the Certbot command shows my certs having been renewed and are valid for 89 more days. The other command however, is still showing an expiration date coming up in about 10 days. When I inspect the ssl cert via Firefox it also shows an expiration date in about 10 days. Is there a way to verify that the live cert has been renewed?
I ran the force renew because “certbot renew” was throwing an error.
Thanks for posting in the community forum. I split your reply off of the original thread so that this particular question can be addressed. I think it will get better answers as a stand-alone topic.
@schoen @bmw Do you know of a reason why Certbot’s certificates output would differ in the described way based on using --force-renew? Is it creating a different lineage with less names because of a validation error?
Certbot renew threw the following error:
Attempting to renew cert from /etc/letsencrypt/renewal/growefoundation.org.conf produced an unexpected error: Failed authorization procedure. growefoundation.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://growefoundation.org/.well-known/acme-challenge/_LrQ_o2IphQJnGwAL7bhRp-2RTGjzmuhLoVb9JP-l84: Connection refused, www.growefoundation.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.growefoundation.org/.well-known/acme-challenge/fD769wzrCX2qUYrlpukWgjZ1X9seaYxq3ugA6ma7DDI: Connection refused. Skipping.
I wasn’t sure why it was throwing that error and couldn’t find much on it so I just ran the force cert command, and it appeared to be successful.
The cert is now showing up correctly for both methods. I’m not sure if it took additional time to notice the renewal, or if restarting Apache resolved the issue.
Thank you for such amazing support! I’ve never used a free product with support responding so quickly. I have been (and continue to be) very impressed with LetsEncrypt!
The --force-renew option doesn’t make renewal any more likely to succeed, it only makes renewal be attempted even when Certbot thinks it’s unnecessarily early. I don’t see any reason to think that using --force-renew would have been the factor that made the renewal succeed!
I just received an email noting that my cert will expire in 9 days. Is this normal?
I verified yesterday that the renewal was successful. Does the automated email system get updated at some point after renewal? Or do they just continue to be sent and then get sent again when approaching expiration in the future? Should I expect more emails up till May 06?
Thanks!
Hello,
Your certificate (or certificates) for the names listed below will expire in
9 days (on 06 May 18 15:46 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.
For details about when we send these emails, please visit Expiration Emails - Let's Encrypt. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.
Normally, Certbot starts trying to renew a certificate 30 days before it expires. Since Let's Encrypt starts to send warning emails 20 days before it expires, you'll usually only get emails when renewal is repeatedly failing, or when you've deleted a certificate and Certbot's no longer managing it.
In February, 3 different certs were created for your domain:
Unless you're using the first certificate on another system, you probably discarded it back in February, so it hasn't been renewed, and you don't need it to be renewed. You'll receive another email or two about it. You can ignore them and they'll stop in 9 days.
Yes. Each certificate and renewal are separate and both are technically still valid. Also, there is no real way to know if one replaced another as you can get a cert (via certonly) and are not required to use it immediately - or you could be using it on another nearby system, etc.
So you will get a notice every time any cert nears expiration. I don't think you will get hounded by them though.
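For the question raised earlier in this thread (Certbot reports a renewed certificate while the browser still shows the old expiry, which cleared after Apache was restarted), one way to check what the server is actually presenting is to compare fingerprints of the on-disk and served leaf certificates. This is an added example, not code from any poster or from Certbot; the function names are hypothetical, and it assumes Certbot's usual /etc/letsencrypt/live/<name>/cert.pem (or fullchain.pem) layout.

```python
import hashlib
import re
import socket
import ssl
import sys

# Matches one PEM certificate block; fullchain.pem holds several, leaf first.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in PEM text (cert.pem or fullchain.pem)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port=443, timeout=10):
    """SHA-256 of the leaf certificate the server presents for host (SNI sent)."""
    ctx = ssl.create_default_context()  # handshake fails if the cert is expired
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def diagnose(disk_fp, served_fp):
    """Explain whether the running server has picked up the on-disk certificate."""
    if disk_fp == served_fp:
        return "match: server is presenting the certificate on disk"
    return ("mismatch: server is presenting a different certificate than the "
            "one on disk (reload the web server if it was just renewed)")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_live_cert.py HOSTNAME /path/to/cert.pem")
    with open(sys.argv[2]) as fh:
        disk = leaf_fingerprint(fh.read())
    print(diagnose(disk, served_fingerprint(sys.argv[1])))
```

A mismatch right after a successful renewal usually means the web server process is still holding the previous certificate in memory.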