Checking certificates dates


#1

I’ve taken a note that I need to renew 2 certificates for my site in two days. So I’ve run the command sudo certbot renew --dry-run with this output:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/cloud.atakama-studio.ca.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.atakama-studio.ca
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/cloud.atakama-studio.ca/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/atakama-studio.ca.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for atakama-studio.ca
http-01 challenge for www.atakama-studio.ca
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/atakama-studio.ca/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/cloud.atakama-studio.ca/fullchain.pem (success)
  /etc/letsencrypt/live/atakama-studio.ca/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

So from what I can see, they are not due for renewal?

So I’ve run this command to check the dates:

echo | openssl s_client -connect localhost:443 -servername atakama-studio.ca 2>/dev/null | openssl x509 -noout -dates

and here’s the output

notBefore=Dec  1 23:16:30 2017 GMT
notAfter=Mar  1 23:16:30 2018 GMT

So I’m not sure why it would still be good until March 2018. I did not configure autorenew yet…

Any help to check that it will still be working in two days would be appreciated. Thanks!


#2

Your site is behind a Cloudflare proxy, which is terminating SSL for you and doesn’t use your origin certificate (the Let’s Encrypt one).

That is why you have a different view of the validity period using s_client versus certbot.

If you want to check the validity period of your installed Let’s Encrypt certificate, then you need to connect directly to the origin, not to Cloudflare.
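
Added example, not part of the original posts: a shell script that applies the advice above by comparing the certificate a server actually presents with the one Certbot keeps on disk, then checking it against a renewal window. The function names, the 30-day default window and the constructed self-signed certificate in the demo are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# SHA-256 fingerprint of the first certificate in a PEM file (empty on error).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Exit 0 if the certificate in $1 expires within $2 days.
# "openssl x509 -checkend N" exits 0 when the cert is still valid N seconds from now.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Save the leaf certificate presented at ADDR:PORT for SNI name NAME to OUTFILE.
# ADDR must be the origin itself (e.g. localhost), not a proxied public hostname.
fetch_served() {
    echo | openssl s_client -connect "$1" -servername "$2" 2>/dev/null |
        openssl x509 -out "$3"
}

# check_cert DISK_PEM SERVED_PEM [WINDOW_DAYS]
# Prints: stale (server presents a different cert than the one on disk),
#         renew (same cert, inside the renewal window), ok, or error.
check_cert() {
    disk_fp=$(cert_fp "$1"); served_fp=$(cert_fp "$2")
    if [ -z "$disk_fp" ] || [ -z "$served_fp" ]; then echo error; return 2; fi
    if [ "$disk_fp" != "$served_fp" ]; then echo stale; return 0; fi
    # 30 days is an assumed window, matching the 60-day renewal seen in the thread.
    if expires_within "$1" "${3:-30}"; then echo renew; else echo ok; fi
}

# Demo on a constructed self-signed certificate valid for 61 days.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 61 -subj "/CN=origin.test" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/disk.pem" 2>/dev/null
cp "$demo_dir/disk.pem" "$demo_dir/served.pem"   # stands in for fetch_served output
check_cert "$demo_dir/disk.pem" "$demo_dir/served.pem"
```

On the server, `fetch_served localhost:443 atakama-studio.ca /tmp/served.pem` produces the second argument for `check_cert`, with the `fullchain.pem` path from the Certbot output as the first. A `stale` result after a real renewal means the web server has not been reloaded since the new certificate was written, the case the "deployed without reload" line in the dry-run output refers to.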


#3

“certbot certificates” will display the certificates it’s managing, including expiration dates.


#4

I’ve configured SSL to «Full (strict)» in Cloudflare, isn’t that the right way?


#5

Running "certbot certificates", here’s the output:

Found the following certs:
  Certificate Name: cloud.atakama-studio.ca
    Domains: cloud.atakama-studio.ca
    Expiry Date: 2018-03-01 23:16:26+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/cloud.atakama-studio.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.atakama-studio.ca/privkey.pem
  Certificate Name: atakama-studio.ca
    Domains: atakama-studio.ca www.atakama-studio.ca
    Expiry Date: 2018-03-01 23:16:30+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/atakama-studio.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/atakama-studio.ca/privkey.pem

So it’s all good for 61 days, I guess.


#6

Yup. :smile:

It looks like your certificates were issued on 2017-10-03 and renewed on Certbot’s typical schedule on 2017-12-02.

Either you have very good timing, or automatic renewal is set up. (It’s automatic with many Certbot OS packages.)


#7

Alright, thanks for the help!


#8

By the way… I meant to link a list of your domain’s certificates:

https://crt.sh/?Identity=%atakama-studio.ca&iCAID=16418

