Does receiving an expiration notice mean my certificates are not set for auto renewal?

I received an email stating the following:

Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 06 Sep 20 05:25 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

I tried to run sudo certbot renew --dry-run and got this result:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/site.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/site.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I checked and I don’t have a crontab. But I do have this when I run systemctl list-timers:

Mon 2020-08-17 23:56:24 UTC 14h left Mon 2020-08-17 03:56:57 UTC 5h 31min ago certbot.timer certbot.service

How can I make sure that it will indeed auto renew? I would assume it normally would but the email got me thinking it may not and I would really prefer to avoid letting a certificate expire on a live website (it happened to me before - better safe than sorry).

1 Like

Well, you did a dry run, which is a test and not an actual renewal. The notice doesn’t guarantee that your certs won’t auto renew, but since the auto renew normally occurs 30 days prior to expiration, I’d say that you’re not set up to auto renew.

Thanks. How can I check that it’s set up to do so in the stuff listed with systemctl list-timers? I can see that certbot.timer certbot.service is run regularly, but I don’t know how to see what it does.

1 Like

I’m gonna be honest with you on this. I’m not a certbot guy. I wrote and use my own client manually. I know enough to answer many things about certbot, but for the timer part hopefully one of the certbot gurus will come around shortly.

Fingers crossed. :slight_smile:

1 Like

Exactly. There’s some really smart people around here with very specific knowledge. Usually in under a day you’ll have your answer. :smiley:

A common reason to get unexpected expiration emails is if you have added or removed domains from your certificate. You will receive multiple warnings as the previous certificate expires. (https://letsencrypt.org/docs/expiration-emails/#when-you-get-an-expiration-email).

The most important thing to pay attention to is:

  • Check the expiry date in certbot certificates
  • Check the expiry date in your browser

If both are more than 30 days away, then you have nothing to worry about.

1 Like

@_az
Do you think his timer is working though?

I didn’t remove or add any domain since I installed the certificate (around 2 months ago).

1 Like

So what does certbot certificates report as the actual certificate expiry?

2 Likes

Actually both are set to expire on November 5, so it looks like it’s ok. Thanks for the tip, I’ll know how to check that now!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2020-11-05 08:43:06+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Like

By the by, you might also find https://crt.sh to be useful for checking your certificate issuances and expiration dates. I know you hid your domain name here, but certifications are a matter of public record on https://crt.sh. We’ve had everything from government institutions to fetish porn sites ask for help here, so no worries about judgment.

1 Like
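
The check suggested in the thread (expiry more than 30 days away means renewal is on track), together with a way to see what certbot.timer actually runs, as an added example that is not part of the original posts. The function names are hypothetical and the demo certificate is constructed for offline testing.

```shell
#!/bin/sh
# Added example: is a certificate still outside the renewal window?
# This is the question "certbot certificates" answers in the thread.

# renewal_status PEM [WINDOW_DAYS]
#   prints "ok" and returns 0 if the cert is valid for more than WINDOW_DAYS
#   prints "due" and returns 1 if it is inside the window (renewal should have run)
#   prints "expired" or "unreadable" and returns 2 otherwise
renewal_status() {
    pem=$1
    window_days=${2:-30}
    if ! openssl x509 -noout -in "$pem" 2>/dev/null; then
        echo unreadable; return 2
    fi
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null; then
        echo expired; return 2
    fi
    if openssl x509 -noout -checkend $((window_days * 86400)) -in "$pem" >/dev/null; then
        echo ok; return 0
    fi
    echo due; return 1
}

# show_timer: what the certbot systemd units run, and when they last ran
show_timer() {
    command -v systemctl >/dev/null 2>&1 || { echo "no systemd here"; return 0; }
    systemctl cat certbot.timer certbot.service      # unit files, including ExecStart
    systemctl list-timers certbot.timer              # last and next trigger
    journalctl -u certbot.service -n 20 --no-pager   # output of recent runs
}

# make_demo_cert DAYS OUT: constructed self-signed cert, for testing only
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.com" -keyout "$2.key" -out "$2" 2>/dev/null
}
```

On the server, point `renewal_status` at the `fullchain.pem` path that `certbot certificates` prints; a result of `due` means the timer has not replaced a certificate it should already have renewed.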
