Certs expire in 10 days, what are my options?

Hi there,

My domain is: tdmworld.net
My certs expire on 10th Jan and I missed renewing the certs. What are the possible options for me? Create the certs afresh, or something else? If I need to create them afresh, would there be any issue because the certs were already created?

2 Likes

You have not missed the chance to renew it (before it expires) :)
You should have been presented with a "help form" when you started this topic as shown below.
Please answer as much of it as you can. The more information you provide the better and faster your topic can be resolved.



Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

4 Likes

Ok, good! The email I received at the time of renewal mentioned that I should renew 30 days prior to expiry, so I thought it wouldn't allow me to renew once that timeline had passed :)

2 Likes

Those 30 days are to give enough time should something go wrong with the renewal process; there should be enough time to get it fixed before the cert expires.

The certs are free - they don't come with any "catch".
Like - you have to renew only when the moon is full or pay double the full price - LOL
They are always free!
On day 30th or on day 20th or any other day :)

Maybe the subtle difference between "should" and "must" doesn't translate well...
There is no requirement that you renew at all, nor when, nor how.
It is merely most desirable and considered "best practice" to start the renewal process 30 days prior to expiry.

7 Likes

You can now delete the old certificate, and make a new one (optionally with auto-renewal) if you would like, but @rg305 mentioned that there is absolutely no obligation to do so.

3 Likes

Thanks a bunch! Renewed the certs today :)

3 Likes

If applicable to your situation, you probably should also create a task to autorenew your certificates, so you don't have to do it manually (and maybe forget it).

For instance if you use certbot, it will check your certificates on a regular basis and renew them if necessary, so typically you won't ever see that email reminder.

2 Likes
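An added example, not part of the original thread and not Certbot's own code: a small expiry monitor that applies the 30-day guidance discussed above, reporting whether a certificate is outside the renewal window, inside it but still valid, or already expired. The function names and the sample dates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # the "should renew" point discussed in the thread


def fetch_not_after(host, port=443, timeout=5.0):
    """Return notAfter of the certificate served at host:port.

    The default context verifies the chain, so an already expired
    certificate raises ssl.SSLCertVerificationError; alert on that too.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now):
    """Whole days (floored) from `now` until notAfter; negative once expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def renewal_status(not_after, now):
    """'ok' outside the window, 'renew' inside it, 'expired' after notAfter."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    return "renew" if remaining <= RENEW_WINDOW_DAYS else "ok"


if __name__ == "__main__":
    # Constructed sample values in getpeercert() format, not real certificates.
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    for not_after in ("Mar 01 12:00:00 2024 GMT", "Jan 11 12:00:00 2024 GMT",
                      "Dec 31 12:00:00 2023 GMT"):
        print(not_after, days_left(not_after, now), renewal_status(not_after, now))
```

Run from a scheduler, a "renew" result that persists for more than a day or two indicates that automatic renewal is failing while there is still time to fix it.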

Thanks @wiggisser. Also, looping in @rg305.
I am installing certs on a VM which by default is only open on 443, and I am manually raising a ticket to open port 80 to allow authentication (while creating/renewing certs). And port 80 is closed immediately. Is there a way to get the authentication done over 443 (would be the best option if that's possible)? Alternatively, I have the option of requesting our support team to open port 80 only to a specific IP, is there a static/elastic IP that authenticates from your side? If that is the case I can ask them to whitelist that IP for port 80.

3 Likes

> Is there a way to get the authentication done over 443 (would be the best option if that's possible)?

tls-alpn-01 is the only option for this; it is not supported by all webservers, environments, or clients.

> Alternatively, I have the option of requesting our support team to open port 80 only to a specific IP, is there a static/elastic IP that authenticates from your side? If that is the case I can ask them to whitelist that IP for port 80.

No.

Your likely best option is DNS-01 authentication: see "Challenge Types" (Let's Encrypt).

This can be securely automated with Certbot and a system like ACME-DNS (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely). See "A Technical Deep Dive: Securing the Automation of ACME DNS Challenge Validation" (Electronic Frontier Foundation).

5 Likes
