Does the prompt about my domain not being close to expiry ever go away?


#1

My domain is: test12345678.com

I ran this command: certonly

It produced this output:
You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu server

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I am setting up a cron job to renew my certs. I renewed today, manually, before writing a script and testing it out. When I tested it, I was greeted with the prompt above, warning that my domain wasn’t close to expiry.

I want to be sure my script runs smoothly. I also don’t want to abuse the letsencrypt servers by renewing too often. Can someone tell me if and when that prompt ceases so I can set up my script correctly?

Thanks!


#2

Hi,

Just to say… the correct command for the renew process should be certbot renew or certbot-auto renew instead of certonly.

Also, the renew(auto) will only process with the same way you requested the initial cert. (Ex. If you use dns-01 for wildcard, certbot can’t auto renew for you now since it’s manually requested)

Thank you


#3

Yes, certbot renew is designed to be run at least once per day so that it will attempt to renew beginning at an appropriate time (and retry if the attempt fails—but not if it succeeds).

The appropriate time from Certbot’s point of view defaults to 30 days prior to expiry (hence, 60 days after initial issuance). We encourage you not to try to make cron jobs that only run when you expect the renewal to occur, but instead to trust certbot renew's logic and run it relatively frequently, whether or not a renewal is due. I can go further into the reasons for this if you’re interested, but they mainly have to do with the possibility of transient failures in renewal attempts, and the possibility of eventually having many different certificates installed on the same system with different expiry dates.

The note about

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.

will go away when the certificate is renew_before_expiry away from expiry (by default, 30 days). For occasions when the question may appear, you can hardcode an answer 1 to the question prompt with --keep-until-expiring and you can hardcode an answer 2 with --force-renewal, but we don’t encourage anyone to put that in cron because cron jobs with --force-renewal run a significant risk of producing too-frequent and/or too-infrequent renewals, as well as hitting rate limits from the former.
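As an added illustration of the renewal logic described in this reply (an example written for this thread, not code from Certbot or from any poster), the script below models a cron job that runs certbot renew once a day: the certificate is kept until it is within renew_before_expiry (30 days) of expiry, a transient failure is simply retried on the next daily run, and a successful renewal resets the clock. The notAfter strings use OpenSSL's date format, and the issuance date, 90-day lifetime and failing days are constructed sample values.

```python
import ssl
from datetime import datetime, timedelta, timezone

RENEW_BEFORE_EXPIRY_DAYS = 30  # certbot's default renew_before_expiry


def parse_not_after(not_after: str) -> datetime:
    """Parse an OpenSSL-style notAfter string such as 'Jun  1 12:00:00 2030 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def to_openssl(when: datetime) -> str:
    """Format a datetime the way 'openssl x509 -enddate' prints it."""
    return when.strftime("%b %d %H:%M:%S %Y GMT")


def renewal_due(not_after: str, now: datetime,
                renew_before_days: int = RENEW_BEFORE_EXPIRY_DAYS) -> bool:
    """True once the certificate is within renew_before_days of expiry.

    Before that point certbot keeps the existing certificate (answer 1 in the
    interactive prompt, --keep-until-expiring in a script)."""
    return parse_not_after(not_after) - now <= timedelta(days=renew_before_days)


def simulate_daily_cron(issued: datetime, lifetime_days: int = 90,
                        run_days: int = 100, failing_days=frozenset()) -> list:
    """Model 'certbot renew' run once per day from issuance for run_days days.

    failing_days is a constructed set of day numbers on which the renewal
    attempt fails transiently. Returns the day numbers on which a renewal
    actually happened."""
    not_after = issued + timedelta(days=lifetime_days)
    renewed_on = []
    for day in range(run_days + 1):
        now = issued + timedelta(days=day)
        if not renewal_due(to_openssl(not_after), now):
            continue  # not close to expiry: keep the existing certificate
        if day in failing_days:
            continue  # transient failure: nothing changes, retried tomorrow
        not_after = now + timedelta(days=lifetime_days)  # new 90-day cert
        renewed_on.append(day)
    return renewed_on


if __name__ == "__main__":
    issued = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    print("renewed on days:", simulate_daily_cron(issued))  # [60]
    print("with a failure on day 60:", simulate_daily_cron(issued, failing_days={60}))  # [61]
```

Running it daily rather than only on the expected renewal date is what makes the retry on day 61 possible; a cron entry that fires only on day 60 would have missed it.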


#4

Thanks for the reply.

I tried with renew prior to switching to ‘certonly’. I got an error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

That being said I may have messed up the configuration of the command. I am running the certbot docker container to renew and after reviewing the command I used, I may have configured my volumes incorrectly.

This is the command I ran using the renew verb which gave me the error.

docker run -t --rm \
  -v xxxxx:xxxxx \
  -v xxxxx:xxxxx \
  deliverous/certbot \
  renew \
  --webroot --webroot-path=/xxxxx \
  -d test12345678.com

If the docker volumes are not pointing to the correct path would that prompt the above error?


#5

It doesn’t need (or allow) the other options. Just run “deliverous/certbot renew”. The domains and web root and so forth are stored in /etc/letsencrypt.

You can also run “deliverous/certbot renew --dry-run” to test renewing at any time. It will take all your certificates, whether they will expire soon or not, and try to issue fake certificates from the Let’s Encrypt staging environment, and either discard the fake certificates (without damaging or updating your existing certificates) or tell you if any of them failed.


#6

All sorted out. Thank you!
