Expiration date confusion

  1. SSL Labs shows the cert expires Jul 13;
  2. certbot renew results indicate a 9/24 expiration date;
  3. This is the first time I am using the DNS-01 update method (vs. HTTP-01).

My domain is: invystasafe.com

I ran this command: /usr/bin/certbot renew --dns-route53 --dns-route53-propagation-seconds 30

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/invystasafe.com.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/invystasafe.com/fullchain.pem expires on 2020-09-24 (skipped)
No renewals were attempted.

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Linux/Ubuntu 18.04LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1 Like

That means there is a valid and good cert locally on that system.

That means the web server is using a cert that will be expiring soon.

Put those two things together and it seems that your web server is NOT using the latest cert on your system.

This might be corrected by a simple web service restart/reload, or it may require some troubleshooting to determine which cert the web service is using and why it isn't using the latest one, and of course then changing the config to use the latest cert file (and automating that entire process).

1 Like

Thank you. A simple server restart solved the issue.

2 Likes

Glad to hear that :slight_smile:
But how about next time?
You should consider automating the entire process.
[which would include restarting/reloading the web service after each successful renewal]

In any case, you know what to do should it happen again.
Cheers from Miami :beers:

1 Like

100% in agreement.

So I was thinking of adding a crontab entry that would attempt the renewal every week, and if it was successful, to gracefully reload the server. Here’s the crontab entry:

0 5" * * 1 /usr/bin/certbot renew --dns-route53 --dns-route53-propagation-seconds 30 --deploy-hook "httpd -k graceful"

Comments appreciated.

1 Like

There is an extra quote in that line.
And I would do that once a day, as it will not really do much at all for the first 60 days of each cert.

1 Like

Please do not start the job at “0” minutes. Unfortunately many people do the same, creating peak load on the ACME server. Rather, use a random minute in the range of 0-59. Even better, put a script into the /etc/cron.daily directory if you run the job as root.

2 Likes
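A deploy hook that also verifies the result, as an added example that is not from any post in this thread: it reloads the web server, then compares the SHA-256 fingerprint of the certificate on disk with the one actually served over TLS, which is the mismatch diagnosed above. `HOST`, `PORT`, `RELOAD_CMD`, the 5-second wait and the function names are assumptions; `RENEWED_LINEAGE` is the variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook that reloads the web server and then
# confirms the certificate served over TLS is the one now on disk.
HOST="${HOST:-example.com}"                     # assumption: name to probe
PORT="${PORT:-443}"
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"  # assumption: adjust per distro

# "SHA256 Fingerprint=AB:CD" (either OpenSSL casing) -> "abcd"
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ':\r ' | tr 'ABCDEF' 'abcdef'
}

# Print match / stale / unknown for two fingerprints; return 0 only on match.
verdict() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then echo unknown; return 2; fi
    if [ "$a" = "$b" ]; then echo match; return 0; fi
    echo stale; return 1
}

# Fingerprint of the first (leaf) certificate in a PEM file.
disk_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Fingerprint of the leaf certificate the server presents for host $1, port $2.
served_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

main() {
    $RELOAD_CMD || { echo "deploy-hook: reload failed" >&2; return 1; }
    sleep 5   # assumption: enough time for new workers to pick up the cert
    on_disk=$(disk_fp "$RENEWED_LINEAGE/fullchain.pem")
    served=$(served_fp "$HOST" "$PORT")
    result=$(verdict "$on_disk" "$served")
    status=$?
    echo "deploy-hook: $HOST:$PORT served certificate is $result" >&2
    return $status
}

# certbot sets RENEWED_LINEAGE (the live/<name> directory) when it runs a
# deploy hook; without it (for example when sourced) nothing is executed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Saved as an executable file, its path can be passed to `--deploy-hook` in place of the bare reload command; a `stale` or `unknown` result makes the hook exit non-zero.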
