Checking certificates dates

PatricF · December 29, 2017, 10:23pm

I’ve taken a note that I need to renew 2 certificates for my site in two days. So i’ve run the command sudo certbot renew --dry-run with this output :

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/cloud.atakama-studio.ca.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.atakama-studio.ca
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/cloud.atakama-studio.ca/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/atakama-studio.ca.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for atakama-studio.ca
http-01 challenge for www.atakama-studio.ca
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/atakama-studio.ca/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/cloud.atakama-studio.ca/fullchain.pem (success)
  /etc/letsencrypt/live/atakama-studio.ca/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

So from what I can see, they are not due for renewal ?

So i’ve run this command to check the dates

echo | openssl s_client -connect localhost:443 -servername atakama-studio.ca 2>/dev/null | openssl x509 -noout -dates

and here’s the output

notBefore=Dec  1 23:16:30 2017 GMT
notAfter=Mar  1 23:16:30 2018 GMT

So I’m not sure why it would still be good until mars 2018. I did not configure autorenew yet…

Any help to check that it will still be working in two days would be appreciated. Thanks !

_az · December 29, 2017, 10:26pm

Your site is behind a Cloudflare proxy, which is terminating SSL for you and doesn’t use your origin certificate (the Let’s Encrypt one).

That is why you have a different view of the validity period using s_client versus certbot.

If you want to check the validity period of your installed Let’s Encrypt certificate, then you need to connect directly to the origin, not to Cloudflare.

mnordhoff · December 29, 2017, 10:32pm

“certbot certificates” will display the certificates it’s managing, including expiration dates.

PatricF · December 30, 2017, 12:20am

I’ve configure SSL to «Full (strict)» in Cloudflare, isn’t that the right way?

PatricF · December 30, 2017, 12:22am

running the "certbot certificates" here’s the output :

Found the following certs:
  Certificate Name: cloud.atakama-studio.ca
    Domains: cloud.atakama-studio.ca
    Expiry Date: 2018-03-01 23:16:26+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/cloud.atakama-studio.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.atakama-studio.ca/privkey.pem
  Certificate Name: atakama-studio.ca
    Domains: atakama-studio.ca www.atakama-studio.ca
    Expiry Date: 2018-03-01 23:16:30+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/atakama-studio.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/atakama-studio.ca/privkey.pem

So it’s all good for 61 days i guess

mnordhoff · December 30, 2017, 12:39am

Yup.

It looks like your certificates were issued on 2017-10-03 and renewed on Certbot's typical schedule on 2017-12-02.

Either you have very good timing, or automatic renewal is set up. (It's automatic with many Certbot OS packages.)

PatricF · December 30, 2017, 1:06am

Alright, thanks for the help !

mnordhoff · December 30, 2017, 2:01am

By the way… I meant to link a list of your domain’s certificates:

https://crt.sh/?Identity=%atakama-studio.ca&iCAID=16418

system · January 29, 2018, 2:01am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot renew problem Help	29	6158	November 19, 2017
Help with renew Help	5	1409	November 6, 2016
Impossible renew? Help	6	3190	October 10, 2017
Cert not yet due for renewal Help	3	2658	December 26, 2018
Error while renewing the certificate Help	13	3718	August 20, 2017

Checking certificates dates

Related topics