Certwatch on Centos 6.9

Maturity · March 17, 2019, 11:26pm

Hi,
I am happily running Let’s Encrypt certs but certwatch is less pleased. Daily it emails me the following notice. Previously using the Let’s Encrypt script all was peachy. The script would drop a softlink to the certs in the indicated directory and certwatch seemed fine. Now with the change away from TLS-SNI-01 I moved to dehydrated that tends to move the certs into a sub directory with a different name. I changed the soft links to point to the new location and everyone is happy (appache, dovecot, etc.) with no config changes. The certs get renewed when necessary and it’s all good - except for certwatch. Any thought why certwatch is obviously finding the right certs but is thinking that they are closing in on expiry?

I know that I could likely rely on the auto-renewal to happen but I don’t mind the belt & bracers approach of having a backup check so that I know about problems before one check fails and someone complains

################# SSL Certificate Warning ################
  Certificate for hostname 'kahli.net', in file (or by nickname):
     /etc/letsencrypt/live/kahli.net/cert.pem

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.
 ##########################################################
                                  Generated by certwatch(1)

Thanks.

_az · March 18, 2019, 12:20am

If you’re using dehydrated, isn’t /etc/letsencrypt/ (the directory used by Certbot) now irrelevant? So just modify your Certwatch script to only look at the certificates you’re actually using.

For what it’s worth, I’m not a fan of this type of monitoring. It won’t catch a webserver not being reloaded after renewal, making sure the local MTA is functioning at all times is complicated, etc.

I find that uptime monitoring services (like Uptime Robot, Pingdom) do a much better job of taking responsibility for impending certificate expiry …

Maturity · March 18, 2019, 2:18am

Certbot is finding the directory by looking at the Apache config and that is where dehydrated is putting the renewed certs as well. All that is working perfectly, well other than certbot. So it is just that certbot does not seem to recognize that the certs are renewed.

_az · March 18, 2019, 2:23am

So this shows an unexpired certificate?

openssl x509 -in /etc/letsencrypt/live/kahli.net/cert.pem -noout -dates

Maturity · March 18, 2019, 10:45am

It reports:

notBefore=Mar  6 07:15:48 2019 GMT
notAfter=Jun  4 07:15:48 2019 GMT

system · April 17, 2019, 10:45am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot reports renewal OK but Browser reports old cert still in use Server	12	2354	December 18, 2018
Let's Encrypt certificate expiration notice for domain Help	4	1992	February 18, 2019
Action required: Let's Encrypt certificate renewals but certbot shows OK Server	8	1313	February 28, 2019
Dry-run cert renewal shows incorrect challenge Server	7	2766	August 2, 2017
Apparent false TLS-SNI-01 notification emails Help	4	1230	February 28, 2019

Certwatch on Centos 6.9

Related topics