Certificate not yet due for renewal 17 days before expiration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.overthelog.com

I ran this command: certbot renew

It produced this output:
root@mail:/etc/cron.d# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.overthelog.com.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/mail.overthelog.com/fullchain.pem expires on 2024-07-07 (skipped)
No renewals were attempted.


root@mail:/etc/cron.d# date
jeu. 20 juin 2024 12:21:00 UTC

My web server is (include version): none, it's a mail system; I shut it off during renewal (my cronjob does it)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Certificate expires in 17 days but appears not yet due for renewal.

1 Like

I solved it using:

certbot renew --force-renewal

Problem is I can't do it in my script (run by cronjob).
Has anyone ever had the same issue?

That's a weird one.

By any chance, do you have a number of days before renewal (renew_before_expiry) specified in a config file somewhere, in some .conf file in /etc/letsencrypt/renewal or in /etc/letsencrypt/cli.ini? Looking at your cert history, it looks like it changed from being 30 days ahead to only 10 days ahead, after your 2023-08-12 renewal.

I don't think it's actually your issue, but can you be clear on what exactly your cron job is running? It generally should just run certbot renew, and your certbot configuration (from when you most recently ran it manually) would have --pre-hook, --post-hook, --deploy-hook, etc. to run scripts for whatever else needs to happen to open up firewalls or copy the certificates elsewhere or whatnot.

I also don't think it's really the issue, but certbot 0.40 is really old now; if your OS package manager doesn't have a newer version available, you might want to uninstall that version and then install the latest version via snap or pip.

7 Likes
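The renewal-window check discussed above, as an added example that is not part of any post in this thread and is not certbot's own code. The sample .conf bodies and the midnight expiry time are constructed, and the 30-day fallback and the accepted units are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW = "30 days"  # assumption: window used when the key is absent
UNITS = {"hour": "hours", "day": "days", "week": "weeks"}

def renew_window(conf_text):
    """Return the active top-level renew_before_expiry value of a renewal .conf."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):   # first section reached; the key is top-level
            break
        if line.startswith("#") or "=" not in line:
            continue               # a commented-out setting is not in effect
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "renew_before_expiry":
            return value
    return DEFAULT_WINDOW

def parse_interval(text):
    """Convert '10 days', '2 weeks' or '36 hours' to a timedelta (bare number = days)."""
    m = re.fullmatch(r"(\d+)\s*([a-z]+)?", text.strip().lower())
    if not m:
        raise ValueError(f"unsupported interval: {text!r}")
    unit = (m.group(2) or "days").rstrip("s")
    if unit not in UNITS:
        raise ValueError(f"unsupported unit in: {text!r}")
    return timedelta(**{UNITS[unit]: int(m.group(1))})

def is_due(conf_text, not_after, now):
    """True once 'now' is inside the renewal window that ends at 'not_after'."""
    return now >= not_after - parse_interval(renew_window(conf_text))

# Constructed sample .conf bodies: one with the 10-day override, one with the
# line commented out so the fallback window applies.
CONF_10 = """\
renew_before_expiry = 10 days
version = 0.40.0
[renewalparams]
authenticator = standalone
"""
CONF_DEFAULT = CONF_10.replace("renew_before_expiry", "# renew_before_expiry")

NOW = datetime(2024, 6, 20, 12, 21, tzinfo=timezone.utc)   # 'date' output above
NOT_AFTER = datetime(2024, 7, 7, tzinfo=timezone.utc)      # time of day assumed

if __name__ == "__main__":
    for name, conf in (("10 days", CONF_10), ("default", CONF_DEFAULT)):
        print(name, "-> due" if is_due(conf, NOT_AFTER, NOW) else "-> not due")
```

With the 10-day override the window only opens on 2024-06-27, which matches the "not yet due" output 17 days before expiry.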

Hello Peter, and ty for your concern.

You are right, it turned to 10 days in my /etc/letsencrypt/renewal/${domain}.conf
and I didn't see it before because there was a conflict between my mail-renew cronjob and the certbot auto-renewal cronjob, so I had to renew manually (each time after the expiration date).
3 months ago I understood where the conflict was and solved it so that it works without me.

My cronjob works simply, but once a month:
1. Turn off the mail system on the server.
2. certbot renew with nothing more, so it does it standalone.
3. Check if the cert is still OK with the root chain in the mail system (when the intermediate or root changes I need to update it myself).
4. If OK, deploy the certs and restart the mail system; if not OK, restart the mail system and send me an email so that I take a look at it.

About the certbot version: well, it is the version that came with my Linux distro. I have to consider deploying a new server as soon as possible.

My question is: if I manually change the 10 days to 30, will it be OK, or will the next renewal attempts turn it back to 10 days?

1 Like

You should be able to just change the 10 back to 30 if you want renewals to go back to 30 days in advance, yes.

And it should be easy to automate your system with certbot's hooks, so that you don't need to intervene when intermediates change (which they will regularly from now on), and so it only turns off the mail system when renewal is due rather than every time you run the renewal. Certbot renew is designed to be run at least twice a day, so that in addition to checking whether it's near the certificate expiration it can also check if there was some problem on Let's Encrypt's end that required them to revoke your certificate and for your server to get a new one. Let us know if you want help with that, but if you just don't want to touch something that works for you I understand that too.

5 Likes

As for now I'll let it be. I have to renew the server & mail system.
I have to do it before the next renewal, then I'll work on a better renewal script.

1 Like
