Hello,
Your certificate (or certificates) for the names listed below will expire in 19 days (on 06 Sep 20 05:25 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.
For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.
I tried to run sudo certbot renew --dry-run and got this result:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/site.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/site.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I checked and I don’t have a crontab. But I do have this when I run systemctl list-timers:
Mon 2020-08-17 23:56:24 UTC 14h left Mon 2020-08-17 03:56:57 UTC 5h 31min ago certbot.timer certbot.service
How can I make sure that it will indeed auto renew? I would assume it normally would but the email got me thinking it may not and I would really prefer avoiding to let a certificate expire on a live website (it happened to me before - better safe than sorry).
Well, you did a dry run, which is a test and not an actual renewal. The notice doesn’t guarantee that your certs won’t auto renew, but since the auto renew normally occurs 30 days prior to expiration, I’d say that you’re not set up to auto renew.
Thanks. How can I check that it’s set up to do so in the stuff listed with systemctl list-timers? I can see that certbot.timer certbot.service is run regularly, but I don’t know how to see what it does.
I’m gonna be honest with you on this. I’m not a certbot guy. I wrote and use my own client manually. I know enough to answer many things about certbot, but for the timer part hopefully one of the certbot gurus will come around shortly.
By the by, you might also find https://crt.sh to be useful for checking your certificate issuances and expiration dates. I know you hid your domain name here, but certifications are a matter of public record on https://crt.sh. We’ve had everything from government institutions to fetish porn sites ask for help here, so no worries about judgment.