`certbot renew` succeeds and I don't understand why


#1

Hello all,

my server is accessible through HTTPS from the internet using a letsencrypt certificate and everything is running fine. My “problem” is that I can renew my certificate, even though port 80 of the internet-facing router interface is not listening.

Let me at first explain how I obtained the certificate in the first place:
My server is behind a router doing NAT; the setup is as follows:

Served by HTTP-daemon 1:

  • External port 27950 is forwarded to port 80 of my server in the LAN.
  • External Port 27951 is forwarded to port 443 of my server in the LAN.

Served by HTTP-daemon 2:

  • External Port 80 is forwarded to port 8080 of my server in the LAN. This daemon is running only for a few seconds to obtain the certificate using certbot certonly --webroot. After obtaining the certificate, the daemon is shut down and the other HTTP-daemon described above is reconfigured to make use of the certificate.

And here’s the thing: When I run certbot renew --force-renew the certificate successfully gets renewed, ALTHOUGH, at this time, only HTTPd #1 is running. HTTPd #2, the one which listens on port 80 of the internet-facing interface, is NOT running.

I have found this post, which explains why renewal works without being accessible from the internet: Understanding certbot renew

However, it says

If you renew your cert during those 30 days there is no need to revalidate you domain but it doesn’t extend the validated authorization.

which is not true in my case. The images attached show that, in my case, the certificate’s expiration date clearly gets adjusted as well. So this post is not a sufficient explanation of the behaviour I witness.

Thank you!

Edit: Okay, new users can only upload one picture… So I can not show you a before-after-comparison. I guess you have to rely on my words.


#2

The lifetime of a certificate and the lifetime of a validated authorization are two different things.
A CA can cache a domain control check for 30 days.
For example:
On the 1st day, domain validation for example.com creates a cert, with example.com being under control of ACME account A.
Until day 30, LE can issue a new cert (with full lifetime) to A without validating A’s control of that domain again.


#3

…hmm…
previously cached authentication - maybe


#4

I’m not sure if my understanding is correct. Does this mean that:

From Day 1 to Day 30 of obtaining a certificate:

  • certbot renew does not renew the certificate as it is not yet due to renewal
  • certbot renew --force-renew does renew the certificate without validation

From Day 31 to Day 60 of obtaining the certificate:

  • certbot renew does not renew the certificate as it is not yet due to renewal
  • certbot renew --force-renew does renew the certificate if validation succeeds

From Day 61 to Day 90 of obtaining the certificate:

  • certbot renew does renew the certificate if validation succeeds
  • certbot renew --force-renew does renew the certificate if validation succeeds

Is this correct?


#5

It’s from Day 1 to Day 30 of successful validation of the domain.
Even if you got a new cert without validation, the validation itself doesn’t get refreshed.

Technically, certbot’s renewal day is calculated as the current cert’s lifetime minus 30 days, so if the cert’s lifetime is shorter, like 46 days, certbot will try to renew for the first time at day 16 and it will be renewed by LE without additional validation. But at day 32 (second renewal) the validation’s lifetime will be over and validation will need to be done again.


#6

Thank you very much, orangepizza! It is now clear to me.

Bonus question: I know I can get the certificate’s expiry date using certbot certificates. I’m just curious, is there a way to get the current validation lifetime?


#7

As it’s something handled on the server side, I don’t think there is a way to know on the client side?


#8

Validation lifetimes are not guaranteed.
So there is no way to know exactly when you will need to revalidate (short of 30 days).
[after 30 days you will always have to revalidate]


#9

You can read through /var/log/letsencrypt/ and find the logs from when the authorization was created or used – the authz JSON has an expires element – but it’s not displayed in Certbot’s UI.

(It’s interesting, but you shouldn’t operate an ACME client counting on Let’s Encrypt’s current behavior here. They could delete the old authz database, or change the lifetime, or something. You have to be prepared to validate again at any time.)
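Putting posts #5 and #9 together as an added example (not code from the thread or from Certbot): it pulls the authz `expires` value out of a constructed Certbot-style log and replays orangepizza’s day-16/day-32 renewal arithmetic. The log framing around the JSON and the 30-day authz lifetime are assumptions, which is exactly why the result is informational only and not something a client should depend on.

```python
import json
from datetime import datetime, timedelta

# Constructed sample resembling a Certbot debug log under /var/log/letsencrypt/;
# the authz JSON from the CA carries "expires". The log framing is assumed.
SAMPLE_LOG = """\
2024-03-01 10:00:00,000:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json
{
  "identifier": {"type": "dns", "value": "example.com"},
  "status": "valid",
  "expires": "2024-03-31T10:00:00Z",
  "challenges": [{"type": "http-01", "status": "valid"}]
}
2024-03-01 10:00:01,000:DEBUG:acme.client:Received response:
HTTP 200
{"type": "urn:ietf:params:acme:error:malformed", "detail": "not an authz"}
"""

def find_authz(log_text):
    """Return (domain, status, expires) for every authz object embedded in the log."""
    dec, pos, found = json.JSONDecoder(), 0, []
    while (start := log_text.find("{", pos)) >= 0:
        try:
            obj, end = dec.raw_decode(log_text, start)
        except json.JSONDecodeError:
            pos = start + 1  # not a JSON document here; keep scanning
            continue
        pos = end  # skip past the whole object, including nested braces
        if isinstance(obj, dict) and {"identifier", "status", "expires"} <= set(obj):
            expires = datetime.fromisoformat(obj["expires"].replace("Z", "+00:00"))
            found.append((obj["identifier"]["value"], obj["status"], expires))
    return found

def simulate_renewals(validated_on, cert_days, rounds, authz_days=30, before_expiry=30):
    """Model the thread's reasoning: Certbot attempts renewal 'before_expiry' days
    before notAfter; the CA reuses a validated authz for 'authz_days' (30 is assumed
    from the thread and may change). Returns [(attempt day, revalidation needed), ...]."""
    authz_expires = validated_on + timedelta(days=authz_days)
    issued, plan = validated_on, []
    for _ in range(rounds):
        attempt = issued + timedelta(days=cert_days - before_expiry)
        revalidate = attempt > authz_expires
        if revalidate:  # a fresh validation starts a new authz lifetime
            authz_expires = attempt + timedelta(days=authz_days)
        plan.append(((attempt - validated_on).days, revalidate))
        issued = attempt  # renewal yields a new full-lifetime certificate
    return plan
```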

By the way, this isn’t really exposed by the ACME protocol, but CAs can use CAA records no older than 8 hours. Even if you’re reusing authorizations, Let’s Encrypt will do CAA DNS queries when necessary, and you won’t always be able to issue certificates if your DNS is down or your CAA records no longer permit Let’s Encrypt to issue.