Certs not renewing


#1

Hi,

I hope someone can help with why my certs might not be auto-renewing.

Previously I had this topic regarding how to create my certs: Running certbot without updating nginx virtualhost files

and ultimately created my cert and sub-domains using:

certbot certonly --nginx --cert-name mydomain.nz -d mydomain.nz -d www.mydomain.nz -d docker.mydomain.nz -d hass.mydomain.nz -d gitlab.mydomain.nz -d test.mydomain.nz -d nz.mydomain.nz -d ghost.mydomain.nz -d test3.mydomain.nz

However, over the last couple of days I’ve been getting email notifications that some of my sub-domains are expiring.

My understanding was that certbot should be attempting to auto-renew the certs based on the cron job that gets created:

matt@yoshi:~$ cat /etc/cron.d/certbot 
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Am I missing something here?

FYI - Using the sub-domain method rather than a wildcard because my DNS provider doesn’t allow TXT records for certbot to work.

Thanks in advance,

Matt


#2

What’s your domain?

See:

It sounds like you probably had different certificates which have been deleted or replaced, and they’re expiring, even if your current certificate(s) are okay.

Edit: Also, what does “sudo certbot certificates” show?


#3

Ah yip. Yeah - that did cross my mind. I just wasn’t entirely sure what command[s] I should use to verify.

I see my actual cert I’m using is valid from Monday, 18 June 2018 to Sunday, 16 September 2018. So despite the emails, everything does look good.

matt@yoshi:~$ sudo certbot certificates
[sudo] password for matt: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.techlife.nz
    Domains: www.techlife.nz
    Expiry Date: 2018-10-14 09:53:51+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/www.techlife.nz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.techlife.nz/privkey.pem
  Certificate Name: www.docker.techlife.nz
    Domains: www.docker.techlife.nz
    Expiry Date: 2018-10-14 09:54:01+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/www.docker.techlife.nz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.docker.techlife.nz/privkey.pem
  Certificate Name: techlife.nz
    Domains: techlife.nz <list of other sub-domains removed> docker.techlife.nz www.techlife.nz
    Expiry Date: 2018-09-16 00:28:29+00:00 (VALID: 51 days)
    Certificate Path: /etc/letsencrypt/live/techlife.nz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/techlife.nz/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I think I can delete Certificate Name: www.docker.techlife.nz as I have docker.techlife.nz covered by the last cert (with a ‘www’ redirect in nginx).

Would the proper way be to run certbot delete www.docker.techlife.nz ?

I think the same for my top cert www.techlife.nz as I believe I’m using “www.techlife.nz” under Certificate Name: techlife.nz with the SANs field.

Thanks!


#4

Correct. https://www.techlife.nz/ is using the techlife.nz certificate. Unless you’re using the www.techlife.nz certificate with some other software, you can delete it, with:

sudo certbot delete --cert-name www.techlife.nz

An HTTPS website needs a valid certificate for its own name, whether or not it’s serving an HTTP redirect elsewhere.

At the moment:

(Some browsers will ignore that issue for “www” subdomains.)

So you can’t delete the www.docker.techlife.nz certificate if you want https://www.docker.techlife.nz/ to work. On the other hand, at the moment the www.docker.techlife.nz certificate isn’t actually being used and https://www.docker.techlife.nz/ doesn’t work anyway, so you can delete it without the situation getting any worse.

I’d suggest getting a new techlife.nz certificate for all the current names plus www.docker.techlife.nz, adjusting the web server configuration, and deleting the old www.docker.techlife.nz certificate.

The www.docker.techlife.nz issue aside, it looks like you’re all good regarding expiration and renewal.

What subdomains and certificates did the email(s) warn about?

Picking a random example, if it was gitlab.techlife.nz:

So for that subdomain, you probably deleted/replaced the old gitlab.techlife.nz certificate long ago and everything’s good. You still get the warning email because Let’s Encrypt doesn’t know any better, but you could safely ignore it.
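To put the reasoning in this reply into practice, here is an added example (not from the thread, and not certbot’s own code) that parses `certbot certificates` output and classifies the hostname named in an expiry email: if a currently managed certificate covers the name and is not yet inside the cron job’s 30-day renewal window, the email refers to an old, replaced certificate. The example.nz names and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `certbot certificates` output
# (hypothetical names and dates, not the thread's real domains).
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: www.example.nz
    Domains: www.example.nz
    Expiry Date: 2018-10-14 09:53:51+00:00 (VALID: 80 days)
  Certificate Name: example.nz
    Domains: example.nz docker.example.nz gitlab.example.nz www.example.nz
    Expiry Date: 2018-09-16 00:28:29+00:00 (VALID: 51 days)
"""

RENEW_WINDOW = timedelta(days=30)  # the cron job's "within 30 days" rule


def parse_certificates(text):
    """Map each 'Certificate Name' to its SAN list and expiry datetime."""
    certs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            certs[current] = {"domains": [], "expiry": None}
        elif current and line.startswith("Domains:"):
            certs[current]["domains"] = line.split(":", 1)[1].split()
        elif current and line.startswith("Expiry Date:"):
            stamp = line.split(":", 1)[1].strip().split(" (")[0]
            certs[current]["expiry"] = datetime.fromisoformat(stamp)
    return certs


def explain_warning(certs, warned_name, now):
    """Classify an expiry email for one hostname: 'stale' means a current
    cert covers the name and is not due yet, so the mail concerns an old,
    replaced certificate. Returns (status, cert_name, days_left)."""
    covering = [(info["expiry"], name) for name, info in certs.items()
                if warned_name in info["domains"]]
    if not covering:
        return ("uncovered", None, None)
    expiry, cert_name = max(covering)  # the longest-lived covering cert
    days_left = (expiry - now).days
    if expiry <= now:
        return ("expired", cert_name, days_left)
    if expiry - now <= RENEW_WINDOW:
        return ("due-for-renewal", cert_name, days_left)
    return ("stale", cert_name, days_left)


if __name__ == "__main__":
    now = datetime(2018, 7, 26, tzinfo=timezone.utc)  # constructed "today"
    print(explain_warning(parse_certificates(SAMPLE_OUTPUT), "gitlab.example.nz", now))
```

On a real host, feed it the output of `sudo certbot certificates` instead of SAMPLE_OUTPUT; an "uncovered" result means the name is not on any certificate certbot currently manages, which is the case to investigate.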


#5

By the way, all of this data gets published in the Certificate Transparency log, so the existence of the other subdomains isn’t hidden from the public.


#6

Thank you very much for your informative support!

Much appreciated :slight_smile:


#7

Yip! Thanks for the FYI.

I was aware it’s public info, but I guess was just avoiding publishing an entire list of what I have on the community forum.

Thanks again for your help guys :+1:

