Certbot: "Certificates" command shows different expiry dates than OpenSSL

In the past I’ve used the following command with sucess:
echo | openssl s_client -connect localhost:443 2>/dev/null|openssl x509 -noout -dates

Now I like the ease of just “certbot certificates”. I am however noticing after forcing a renew that they are showing different dates.

I ran:
sudo certbot certonly --force-renew --apache --cert-name myCertName.org -d www.myDomainName.org

Both should be valid commands.

One thing I"m noticing however is that the Certbot comand shows my certs having been renewed and are valid for 89 more days. The other command however, is still showing an expiration date coming up in about 10 days. When I inspect the ssl cert via Firefox it also shows an expiration date in about 10 days. Is there a way to verify that the live cert has been renewed?

I ran the force renew because “certbot renew” was throwing an error.

Hi @Wheatonrunner69,

Thanks for posting in the community forum. I split your reply off of the original thread so that this particular question can be addressed. I think it will get better answers as a stand-alone topic :slight_smile:

@schoen @bmw Do you know of a reason why Certbot’s certificates output would differ in the described way based on using --force-renew? Is it creating a different linage with less names because of a validation error?

What was the error?

What does "sudo ls -l /etc/letsencrypt/live/myCertName.org/" show?

Certbot renew threw the following error:
Attempting to renew cert from /etc/letsencrypt/renewal/growefoundation.org.conf produced an unexpected error: Failed authorization procedure. growefounda tion.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://growefoundation.org/. well-known/acme-challenge/_LrQ_o2IphQJnGwAL7bhRp-2RTGjzmuhLoVb9JP-l84: Connection refused, www.growefoundation.org (http-01): urn:acme:error:connection : : The server could not connect to the client to verify the domain :: Fetching http://www.growefoundation.org/.well-known/acme-challenge/fD769wzrCX2qUYrlp ukWgjZ1X9seaYxq3ugA6ma7DDI: Connection refused. Skipping.

I wasn’t sure what it was throwing that error and couldn’t find much on it so I just ran the force cert command, and it appeared to be successful.

“sudo ls -l /etc/letsencrypt/live/myCertName.org/” shows:
lrwxrwxrwx 1 root root 43 Apr 25 18:13 cert.pem -> …/…/archive/growefoundation.org/cert3.pem
lrwxrwxrwx 1 root root 44 Apr 25 18:13 chain.pem -> …/…/archive/growefoundation.org/chain3.pem
lrwxrwxrwx 1 root root 48 Apr 25 18:13 fullchain.pem -> …/…/archive/growefoundation.org/fullchain3.pem
lrwxrwxrwx 1 root root 46 Apr 25 18:13 privkey.pem -> …/…/archive/growefoundation.org/privkey3.pem
-rw-r–r-- 1 root root 543 Feb 5 16:46 README

The cert is now showing up correctly for both methods. I’m not sure if it it took additional time to notice the renewal, or if restarting Apache resolved the issue.

Thank you for such amazing support! I’ve never used a free product with support responding so quickly. I have been (and continue to be) very impressed with LetsEncrypt!

1 Like

The --force-renew option doesn’t make renewal any more likely to succeed, it only makes renewal be attempted even when Certbot thinks it’s unnecessarily early. I don’t see any reason to think that using --force-renew would have been the factor that made the renewal succeed!

1 Like

Your probably only got a cert:

and did not actually put it into production use.
So the cert renewed but did not match what was being served - until you restarted the web service.

1 Like

Schoen,
Thank you. I will look into it again shortly.

RG305,
Thank you. This makes sense.

I just received an email noting that my cert will expire in 9 days. Is this normal?

I verified yesterday that the renewal was successful. Does the automated email system get updated at some point after renewal? Or do they just continue to be sent and then get sent again when approaching expiration in the future? Should I expect more emails up till May 06?

Thanks!

Hello,
Your certificate (or certificates) for the names listed below will expire in
9 days (on 06 May 18 15:46 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

The email said:

For details about when we send these emails, please visit Expiration Emails - Let's Encrypt. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

Normally, Certbot starts trying to renew a certificate 30 days before it expires. Since Let's Encrypt starts to send warning emails 20 days before it expires, you'll usually only get emails when renewal is repeatedly failing, or when you've deleted a certificate and Certbot's no longer managing it.

In February, 3 different certs were created for your domain:

This month, 4 certificates have been issued:

Since the first certificate has never been renewed, you're still receiving warning emails about it.

https://growefoundation.org/ and https://www.growefoundation.org/ are both using the newest certificate at the bottom of list.

Unless you're using the first certificate on another system, you probably discarded it back in February, so it hasn't been renewed, and you don't need it to be renewed. You'll receive another email or two about it. You can ignore them and they'll stop in 9 days.

Yes. Each certificate and renewal are separate and both are technically still valid. Also, there is no real way to know if one replaced another as you can get a cert (via certonly) and are not required to use it immediately - or you could be using it on another nearby system, etc.

So you will get a notice every time any cert nears expiration. I don't think you will get hounded by them thou.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.