Does receiving an expiration notice means my certificates are not set for auto renewal?

Pedro5000 · August 17, 2020, 9:30am

I received an email stating the following:

Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 06 Sep 20 05:25 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

I tried to run sudo certbot renew --dry-run and got this result:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/site.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/site.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I checked and I don’t have a crontab. But I do have this when I run systemctl list-timers:

Mon 2020-08-17 23:56:24 UTC 14h left Mon 2020-08-17 03:56:57 UTC 5h 31min ago certbot.timer certbot.service

How can I make sure that it will indeed auto renew? I would assume it normally would but the email got me thinking it may not and I would really prefer avoiding to let a certificate expire on a live website (it happened to me before - better safe than sorry).

freessltools.com · August 17, 2020, 10:16am

Well, you did a dry run, which is a test and not an actual renewal. The notice doesn’t guarantee that your certs won’t auto renew, but since the auto renew normally occurs 30 days prior to expiration, I’d say that you’re not set up to auto renew.

Pedro5000 · August 17, 2020, 10:17am

Thanks. How can I check that it’s set up to do so in the stuff listed with systemctl list-timers? I can see that certbot.timer certbot.service is run regularly, but I don’t know how to see what it does.

freessltools.com · August 17, 2020, 10:19am

I’m gonna be honest with you on this. I’m not a certbot guy. I wrote and use my own client manually. I know enough to answer many things about certbot, but for the timer part hopefully one of the certbot gurus will come around shortly.

Pedro5000 · August 17, 2020, 10:22am

Fingers crossed.

freessltools.com · August 17, 2020, 10:23am

Exactly. There’s some really smart people around here with very specific knowledge. Usually in under a day you’ll have your answer.

_az · August 17, 2020, 10:33am

A common reason to get unexpected expiration emails is if you have added or removed domains from your certificate. You will receive multiple warnings as the previous certificate expires. (https://letsencrypt.org/docs/expiration-emails/#when-you-get-an-expiration-email).

The most important thing to pay attention to is:

Check the expiry date in certbot certificates
Check the expiry date in your browser

If both are more than 30 days away, then you have nothing to worry about.

freessltools.com · August 17, 2020, 11:11am

@_az
Do you think his timer is working though?

Pedro5000 · August 17, 2020, 11:49am

I didn’t remove or add any domain since I installed the certificate (around 2 month ago).

_az · August 17, 2020, 12:11pm

So what does certbot certificates report as the actual certificate expiry?

Pedro5000 · August 17, 2020, 11:46pm

Actually both are set to expire on November 5, so it looks like it’s ok. Thanks for the tip, I’ll know how to check that now!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2020-11-05 08:43:06+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

freessltools.com · August 18, 2020, 12:11am

By the by, you might also find https://crt.sh to be useful for checking your certificate issuances and expiration dates. I know you hid your domain name here, but certifications are a matter of public record on https://crt.sh. We’ve had everything from government institutions to fetish porn sites ask for help here, so no worries about judgment.

system · September 17, 2020, 12:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.