Certbot renewing every certificate not just those close to expired

Getting rateLimited. It appears that certbot is renewing every certificate not just those that are under 30 days to expiration.

Version : certbot 0.10.2

Please fill out the fields below so we can help you better.

My domain is: https://www.flyershop.com Example expires 10/25/2017 and it is attempting to renew the certificate again.

#renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/www.flyershop.com/cert.pem
privkey = /etc/letsencrypt/live/www.flyershop.com/privkey.pem
chain = /etc/letsencrypt/live/www.flyershop.com/chain.pem
fullchain = /etc/letsencrypt/live/www.flyershop.com/fullchain.pem

I ran this command: /usr/bin/certbot renew --no-self-upgrade

It produced this output:

My web server is (include version):Haproxy

The operating system my web server runs on is (include version):Debian Jessie

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @jozwikjp,

Do you have a file /etc/letsencrypt/cli.ini? If so, could you post its contents?

If not, can you post the output of openssl x509 -noout -dates -in /etc/letsencrypt/live/www.flyershop.com/cert.pem?

Thank you for the quick reply.

nano /etc/letsencrypt/cli.ini

#authenticator = letsencrypt-haproxy:auth
email = ops@printsites.com

root@ip-10-6-0-202:/etc/letsencrypt/scripts# openssl x509 -noout -dates -in /etc/letsencrypt/live/www.flyershop.com/cert.pem
notBefore=Jul 25 11:37:00 2017 GMT
notAfter=Oct 23 11:37:00 2017 GMT

I’m going to go ahead and guess that your ‘renew-by-default’ line is causing this behavior. That is the (deprecated) command line flag to ignore expiry period and force renewal. Try taking that out?


BOOM - Headshot…

Thank you Jared!


This really shows why I should not have called it “renew-by-default”. That was sure to confuse people, and is still confusing them.

The option has now been renamed “force-renewal”, which I hope is clearer. We should try to find old tutorials that mention “renew-by-default” and get people to remove that name from their tutorials!

@jozwikjp, I’m glad you got this cleared up!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.