Expiration troubles

Hi,

I’m using Let’s Encrypt with certbot and Apache on a Raspberry Pi with Raspbian and an IP6-only connection (DS lite) and forwarding via a fixed IP4 address (feste-ip.net). (Not sure whether the connection matters at all… The IP6 address might change sometimes.)

For a few months now, my certificate has been expiring rapidly every now and then (I can’t detect any pattern). Or at least the browsers say so; certbot requires --force-renewal, otherwise it’ll keep the outdated certificate as “not due for renewal”. I even scheduled cron to update with --force-renewal every other night for testing purposes, and I still get expired certificates. Today, it expired even though I manually updated the certificate just yesterday.
Date and time zone are set correctly on Pi and browser systems.

Any idea what might be going wrong here?

1 Like

If you are required to --force-renewal “not due for renewal”, then you are not seeing the problem for what it is.
The cert is being renewed.
The problem is that your web server is not automatically restarting/reloading to use the new cert (when/after it renews).
You need to update your renewal process to include a web server restart or reload.
[or just schedule that once a week - regardless]

1 Like

That might be a clue. But why does --force-renewal on the command line (temporarily) fix the issue even without Apache restart? Does it restart the server only in that case, i.e. not when invoked as cron job (with -q option) or without --force-renewal?
Anyway, will try whether scheduling a server restart after the certbot will help.

2 Likes

That doesn’t seem possible.

I’ve never seen that to happen that way.
There might be something included in the /etc/letsencrypt/renewal-hooks/deploy/ folder that restarts your web server after each issuance.

1 Like

I assumed a restart could somehow be connected to the verification tasks. That could - to me - also explain why the “new” certificates expire so soon as well: It’d be the one that’s currently available, i.e. newer than the one of the last server restart, but not yet the one from after the enforced renewal. Still, in that case, a server restart afterwards would help.
There’s nothing in the renewal-hooks/deploy folder.

1 Like

I would try using a weekly graceful reload/restart cron job and see how that goes.

1 Like
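The replies above boil down to two things: make Apache reload after every renewal, and verify that the certificate Apache actually serves is the one certbot wrote to disk. The script below is an added example, not code from the thread or from certbot: a deploy hook for the /etc/letsencrypt/renewal-hooks/deploy/ folder mentioned above, plus a check that compares the fingerprint of the served certificate with the one on disk, which distinguishes "certbot did not renew" from "Apache is still holding the old cert in memory". It assumes certbot's RENEWED_LINEAGE environment variable (set for deploy hooks), `systemctl reload apache2` or `apachectl graceful` for the reload, and a placeholder lineage name `example.invalid` standing in for the real domain.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): deploy hook that reloads
# Apache after a renewal and then confirms the served certificate changed.
# Assumptions: certbot sets RENEWED_LINEAGE when it runs deploy hooks;
# Raspbian provides systemctl or apachectl; example.invalid is a placeholder
# for the lineage name that Apache's SSLCertificateFile points at.
set -eu

APACHE_LINEAGE="${APACHE_LINEAGE:-example.invalid}"   # constructed placeholder

# SHA-256 fingerprint of a PEM certificate file on disk.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Return 0 if the certificate in $1 expires within $2 seconds (or is unreadable),
# 1 if it stays valid past that window. Useful as a cron sanity check.
cert_expires_within() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# Fingerprint of the certificate the live TLS server presents for host $1.
# Needs network access to $1:443; not exercised offline.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 when the served certificate for host $1 equals the PEM file $2.
# A mismatch after renewal means the server never reloaded, which is exactly
# the symptom of a "renewed but still expired in the browser" certificate.
served_matches_disk() {
    [ "$(served_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Graceful reload so in-flight requests are not dropped.
reload_apache() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload apache2
    else
        apachectl graceful
    fi
}

# Only act when certbot invoked us as a deploy hook and the renewed lineage
# is the one Apache serves; sourcing or running the file by hand is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case "$RENEWED_LINEAGE" in
        */"$APACHE_LINEAGE")
            reload_apache
            if served_matches_disk "$APACHE_LINEAGE" "$RENEWED_LINEAGE/fullchain.pem"; then
                logger -t certbot-deploy "Apache now serves the renewed cert for $APACHE_LINEAGE"
            else
                logger -t certbot-deploy "WARNING: Apache still serves an old cert for $APACHE_LINEAGE"
            fi
            ;;
    esac
fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and certbot runs it once per successful renewal, so no --force-renewal or separate restart cron job is needed; the logger lines in syslog tell you whether the reload took effect. The `served_matches_disk` check can also be run from cron on its own to catch the stale-certificate case before the browser does.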