Certificate renewed automatically - how? - why?

Help
1

My domain is: www.teanow5pm.co.uk

I ran this command (I think): letsencrypt.exe --plugin manual --manualhost www.teanow5pm.co.uk --validationmode http-01 --validation ftp --webroot ftp://ftp.teanow5pm.co.uk/public_html --username xxxxxx --password xxxxxx

Hi,
Some months ago (in March) I issued myself a certificate for a test domain. (Windows Apache.) Since I couldn’t use a local webroot for the domain during the challenge, I used a live webroot via my ftp server.

The process worked and I was happy; a certificate was issued and set to renew, or expire, on 20 June.

Several weeks had passed, when much to my surprise, the certificate was automatically renewed and a new expiry date in August set.

I would leave it the way it is, but I have recently received an email from Let’s Encrypt, informing me that my certificate will expire on June 20.

I’m kind of confused by that. Why was the certificate automatically renewed several weeks ago and why am I getting a message now, which states that the certificate will expire on the old expiry date?

More importantly, will renewals continue?

The non-live domain is installed on two machines (or drives). I only work on one at a time and sometimes both are switched off for the night.

Are automatic renewals affected when the server folder hosting the certificate, in my case “C:\ProgramData\win-acme\httpsacme-v01.api.letsencrypt.org”, cannot be reached, ie. because the machine is switched off?

What is the interval for automatic renewals, ie. what prompted the first renewal several weeks ago that extended the certificate until August?

Thanks for your help.

Best regards,
Tom

2

Hi,

The certificate you see is from CloudFlare...
You are using Cloudflare's cdn so you won't need to renew it.

That's the let's encrypt certificate automated expiry email.

The certificate from CloudFlare will auto-renew, the let's encrypt certificate will renew if you set it to.

The automatic renew of CloudFlare is depend on them. The renew for let's Encrypt is depend on the software you use (and crontab). Normally it's 10 days before expire.

If the computer is turned off, no let's encrypt renewal will be attempted because the process need to be initiated on your machine.

Thank you

3

However, if you use the Let's Encrypt certificate to protect the connection between CloudFlare and your origin server, that connection could break if the Let's Encrypt certificate expires without being renewed.

1 Like
4

Thanks for your reply.

How did Cloudflare acquire the certificate folder: C:\ProgramData\win-acme\httpsacme-v01.api.letsencrypt.org?

Also, the extended certificate that runs until August apparently was issued by the same authority: Let’s Encrypt Authority X3.

To my knowledge, Cloudflare uses a different root authority. Am I making a mistake in assuming the Let’s Encrypt certificate will automatically renew? I believe that I requested a renewal. The Let’s Encrypt expiry email however appears to suggest otherwise.

I never asked for a Cloudflare certificate. Are you sure?

5

There are two groups of recently-issued certificates for your site.

Here are some from Let’s Encrypt: https://crt.sh/?Identity=www.teanow5pm.co.uk
Here are some issued by CloudFlare: https://crt.sh/?Identity=%.teanow5pm.co.uk

CloudFlare has its own CA relationships and whenever you point a domain name at a CloudFlare CDN server and activate service, CloudFlare automatically uses its authority as the entity hosting your site to obtain a new certificate (normally from Comodo) which it uses when hosting your site. This is true whether or not you already have another certificate, such as your Let’s Encrypt certificates, and it doesn’t require your permission or cooperation. (Edit: although presumably CloudFlare’s general terms of service do mention that CloudFlare will do this and I believe it’s documented in CloudFlare’s online documentation. So I don’t mean to present it as some kind of rogue action on the CDN’s part!)

CloudFlare’s ability to use non-CloudFlare-issued certificates for public-facing CDN hosting is only available on specialized high-end CloudFlare plans, not its basic plans.

However, you might still be using your Let’s Encrypt certificate to protect the connection between CloudFlare and your origin server, in which case it might be important to renew it in order to prevent that connection from breaking. Your Let’s Encrypt client could have tried to renew it automatically if it’s set to run automatically by an automated job scheduler. I’m not very familiar with how this process works in Windows clients. It does appear that your Let’s Encrypt certificate was renewed most recently on May 17, but only you and CloudFlare can confirm whether that new certificate is being actively used between you and CloudFlare.

6

I vaguely recall scheduling a renewal task for the Let’s Encrypt certificate on my other machine. To check I’d have to log off and turn on the other computer.

It could explain why the certificate was renewed on May 17. This machine that I’ve been using for a few weeks does not have a task scheduled (yet).

My current hunch is that Let’s Encrypt did renew the certificate on May 17 and the June 20th deadline is obsolete. Could you confirm the correct expiry date for the Let’s Encrypt certificate is 8/15/2018?

Thanks.

7

In March you issued three certiticates:

  1. https://crt.sh/?id=357864839
DNS:teanow5pm.co.uk
DNS:www.teanow5pm.co.uk
  1. https://crt.sh/?id=361868797
DNS:www.teanow5pm.co.uk
  1. https://crt.sh/?id=362367332
DNS:teanow4pm.co.uk
DNS:teanow5pm.co.uk
DNS:www.teanow4pm.co.uk
DNS:www.teanow5pm.co.uk

However, you have only obtained renewals for the last two. The first certificate was never renewed.

That may be because the third certificate covers all the domains the first one did, so the first one is no longer necessary. But Let’s Encrypt has no way of knowing that—it could have been a test or accident—so they will still send you a warning e-mail.

8

#1 and #2 look like my handiwork; #3 doesn’t. It could be Cloudflare on my public-facing domain. I don’t know how they could have been aware of the private domain that I was issuing the certificate for, despite it being the same domain name and going via an ftp link to that server online for the challenge.

If you say the first certificate wasn’t renewed, does it imply that the second one was? The links you provided above only show that all three certificates originally expire on 20 June. There is no information on renewals.

Shouldn’t there be, if there was a renewal? (May 17 to August 15.)

Where can I find that information?

I hope I’m not asking too many questions.

9

I used @schoen's crt.sh query from earlier to find this information:

Unfortunately, I accidentally clicked one level up on the search results and that messed up my analysis a bit. It turns out you have two unrenewed certificates and the e-mail you're getting seems to be correct. Sorry for the confusion.

DNS:teanow5pm.co.uk
DNS:www.teanow5pm.co.uk
  1. Mar 17 07:16:37 2018 GMT - Jun 15 07:16:37 2018 GMT
  2. May 17 07:00:11 2018 GMT - Aug 15 07:00:11 2018 GMT

This was the first certificate you issued in March, and it was renewed successfully in May.

The other two certificates have not been renewed yet:

DNS:www.teanow5pm.co.uk
  1. Mar 22 02:30:29 2018 GMT - Jun 20 02:30:29 2018 GMT
  2. Mar 22 15:32:17 2018 GMT - Jun 20 15:32:17 2018 GMT

This certificate was issued twice in one day but never renewed in May. I think this is the test certificate you were worried about? It doesn't seem to be automatically renewing.

DNS:teanow4pm.co.uk
DNS:teanow5pm.co.uk
DNS:www.teanow4pm.co.uk
DNS:www.teanow5pm.co.uk
  1. May 15 21:02:53 2018 GMT - Aug 13 21:02:53 2018 GMT

This certificate was actually issued in May, not in March like I thought. It's not a CloudFlare certificate though, it was issued by Let's Encrypt:

Your real certificate (behind CloudFlare) is supposed to be the first one covering both the www and non-www right? That one seems fine.

The second one with just the www should be your test certificate. It has not been renewed. Should it have?

And you might want to ask colleagues about the third one?

10

The third certificate can’t have been issued by me. I only have a certificate that covers the “teanow5pm” domain. “teanow4pm” is online, so either my Web Host or Cloudflare are responsible.

It is sort of odd that they use two types of certificates, Comodo and Let’s Encrypt.

The certificate renewed once in May and that expires in August should be the correct one. I’m glad you found the expiry information.

In the task scheduled on my other Windows I will hopefully be able to see which of the certificates is being automatically renewed. I forgot about the task scheduler. My mistake.

I think it’s safe to let the June 20th expiry date just happen. If it invalidates my present certificate on June 20th, you will see me back here on June 20th.

Thank you very much for your help!
Tom

11

The web host would probably use Let's Encrypt (because it's free of charge to the public) and CloudFlare would probably use Comodo (due to their existing business relationship).

12

I agree. The Let’s Encrypt certificates may be a back-up to ensure SSL keeps working in case customers opt out of Cloudflare, offered free of charge on the Web Host.

Is it possible to determine whether a certificate was issued to me or my host? There were renewals May 15 for teanow5pm and May 17 for www.teanow5pm. Both could be mine, but I’m not sure. It doesn’t make much sense that there were two.

My renewal schedule seems in order. I run a daily task to request a renewal. The earliest I can renew the Let’s Encrypt certificate active on my computer(s) is on July 11.

13

No, not easily. You can consult your own logs and ask your host's support.

You can renew Let's Encrypt certificates whenever you want. The 30-day window is only a recommendation and a corresponding software default. If you renew very frequently, you may run into rate limits.

But as long as you comply with the rate limits, you can renew as often as you choose to, even if it's not the software's default behavior.

14

It has been some time since I read the documentation on renewal command line options. When I first issued a certificate back in March, I configured a task to run each day to request a renewal.

The task runs this command:
f:\letsencrypt\letsencrypt.exe --renew --baseuri “https://acme-v01.api.letsencrypt.org/

If I run the command manually, the output says:
[INFO] Renewal for certificate www.teanow5pm.co.uk not scheduled, due after 2018/7/11 8:00:12 AM

To achieve instant renewal, is there a parameter I could simply add to the command?

I was not planning to override the schedule, though, if it only requires adding a parameter, it might be worth trying.

Thanks.

15

Probably. I'd encourage you to consult the documentation for your client application, because I'm not familiar with its options. In Certbot we call this option --force-renewal, and it's important not to apply it to an automatically-scheduled unattended renewal task (to avoid hitting rate limits).

16

With win-acme (letsencrypt.exe) the parameter to force renewal is --forcerenewal without the dash.

https://github.com/PKISharp/win-acme/wiki/Command-line-arguments#arguments-for-renewal

1 Like
17

Wonderful. It worked. Renewed until 9/10/2018. The command parameter in win-acme was --forcerenewal used together with --renew.

The certificate doesn’t show up in the crt.sh database, indicating that it’s a private computer, I suspect, or it will appear in a short while.

Is there another database where I could look it up?

Thanks again.

18

I would suggest just waiting a few minutes and you should see it on crt.sh. You can also search

https://transparencyreport.google.com/https/certificates

There are more involved ways to search logs more "directly", but it's probably not worth it because you should see it via these interfaces soon.

19

Yes. The crt.sh database updated.

An educational experience. I think this thread can be marked [solved] with an exclamation mark.

Many many thanks for your help.

1 Like
20

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.