Certwatch on Centos 6.9


#1

Hi,
I am happily running Let’s Encrypt certs but certwatch is less pleased. Daily it emails me the following notice. Previously using the Let’s Encrypt script all was peachy. The script would drop a softlink to the certs in the indicated directory and certwatch seemed fine. Now with the change away from TLS-SNI-01 I moved to dehydrated that tends to move the certs into a subdirectory with a different name. I changed the soft links to point to the new location and everyone is happy (Apache, dovecot, etc.) with no config changes. The certs get renewed when necessary and it’s all good - except for certwatch. Any thought why certwatch is obviously finding the right certs but is thinking that they are closing in on expiry?

I know that I could likely rely on the auto-renewal to happen but I don’t mind the belt and braces approach of having a backup check so that I know about problems before one check fails and someone complains :wink:

################# SSL Certificate Warning ################
  Certificate for hostname 'kahli.net', in file (or by nickname):
     /etc/letsencrypt/live/kahli.net/cert.pem

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.
 ##########################################################
                                  Generated by certwatch(1)

Thanks.


#2

If you’re using dehydrated, isn’t /etc/letsencrypt/ (the directory used by Certbot) now irrelevant? So just modify your Certwatch script to only look at the certificates you’re actually using.

For what it’s worth, I’m not a fan of this type of monitoring. It won’t catch a webserver not being reloaded after renewal, making sure the local MTA is functioning at all times is complicated, etc.

I find that uptime monitoring services (like Uptime Robot, Pingdom) do a much better job of taking responsibility for impending certificate expiry …


#3

Certbot is finding the directory by looking at the Apache config and that is where dehydrated is putting the renewed certs as well. All that is working perfectly, well other than certbot. So it is just that certbot does not seem to recognize that the certs are renewed.


#4

So this shows an unexpired certificate?

openssl x509 -in /etc/letsencrypt/live/kahli.net/cert.pem -noout -dates

#5

It reports:

notBefore=Mar  6 07:15:48 2019 GMT
notAfter=Jun  4 07:15:48 2019 GMT
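
As an added example, not part of the thread or of certwatch, the script below does what certwatch does to the file at the path above (reads notAfter via the openssl command from post #4) and also fetches the certificate the web server actually presents, so it catches the case from post #2 where the server was never reloaded after renewal. It assumes openssl on PATH, network access for the live check, and a 30-day warning threshold; the sample openssl output is constructed from post #5.

```python
import datetime as dt
import ssl
import subprocess

# Assumed warning threshold in days; certwatch's own schedule is not reproduced here.
WARN_DAYS = 30

# Sample 'openssl x509 -noout -dates' output, constructed from the thread, for offline use.
SAMPLE_DATES = "notBefore=Mar  6 07:15:48 2019 GMT\nnotAfter=Jun  4 07:15:48 2019 GMT\n"


def utc(*ymd_hms):
    """Build a timezone-aware UTC datetime (helper for callers and tests)."""
    return dt.datetime(*ymd_hms, tzinfo=dt.timezone.utc)


def parse_dates(text):
    """Parse the notBefore/notAfter lines printed by 'openssl x509 -noout -dates'."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            naive = dt.datetime.strptime(value.strip().replace(" GMT", ""), "%b %d %H:%M:%S %Y")
            found[key] = naive.replace(tzinfo=dt.timezone.utc)
    return found["notBefore"], found["notAfter"]


def days_left(not_after, now):
    """Whole days until the certificate expires (negative once it has)."""
    return (not_after - now).days


def pem_dates(pem):
    """Run openssl (must be on PATH) on PEM text, the same check certwatch does on the file."""
    out = subprocess.run(["openssl", "x509", "-noout", "-dates"], input=pem,
                         capture_output=True, text=True, check=True).stdout
    return parse_dates(out)


def assess(file_not_after, served_not_after, now, warn_days=WARN_DAYS):
    """Findings for what clients actually see: expiry warning and disk/served mismatch."""
    findings = []
    remaining = days_left(served_not_after, now)
    if remaining < warn_days:
        findings.append(f"served certificate expires in {remaining} days")
    if served_not_after != file_not_after:
        findings.append("served certificate differs from the file on disk (server not reloaded?)")
    return findings


if __name__ == "__main__":
    import sys
    host, path = sys.argv[1], sys.argv[2]          # e.g. kahli.net /etc/letsencrypt/live/kahli.net/cert.pem
    with open(path) as fh:
        _, file_na = pem_dates(fh.read())
    _, live_na = pem_dates(ssl.get_server_certificate((host, 443)))
    print("\n".join(assess(file_na, live_na, dt.datetime.now(dt.timezone.utc)) or ["OK"]))
```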
