Expired certs but certbot says "isn't close to expiry" on renew (also, no expire alerts emails)

Hi,

I am having some problems with expired certs. In my browsers, when any certs of my domains are expired, its alerts about it correctly.

Now, when I try to renew it with certbot, it says “isn’t close to expiry”. Also, I am not receiving emails alerts about expire (I’ve received in the past randomly, but seems not anymore. No matter if I change the email in certbot).

Attached screenshots.

My server is Ubuntu 16.04, installed certbot via PPA (https://launchpad.net/~certbot/+archive/ubuntu/certbot). One of my domains is gdnet.com.ar

Any Ideas?

Thanks in advance.

Adding second screenshot.

Hola @gusarg81,

You do have a successfully renewed certificate

https://crt.sh/?Identity=%gdnet.com.ar&iCAID=16418

but it looks like your server isn’t configured to use the new certificate. This could be a matter of simply restarting the web server, or it might be that the configuration of the web server is pointing to a different certificate.

You could start by running certbot certificates to check which Certbot-managed certificates you have, where they are located, and which domains they cover.

Hola!

I mean, now is using the renewed cert after I exec the renew cmd. I manage the certs via imscp web panel, which iirc, it restarts apache when you update the certs data.

certbot certificates:

...
Certificate Name: admin.gdnet.com.ar
Domains: admin.gdnet.com.ar
Expiry Date: 2018-10-01 17:23:51+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/admin.gdnet.com.ar/fullchain.pem
Private Key Path: /etc/letsencrypt/live/admin.gdnet.com.ar/privkey.pem
...

It looks good. If you use certbot certonly for renewal, it may not restart Apache for you after a certificate renewal, depending on the particular configuration of installers and deploy-hooks in your Certbot setup.

Well, I know that, is why my panel software do that for me (it restarts apache) when I update certs data.

Also, any idea why is happening that certbot says that isn’t expired when is really expired? Also any idea why emails alerts are not sending? (there is no sign that my email server is blocking that email either).

Thanks! Gracias!

I think this is probably because the web server is still using the old certificate until you restart the web server. The new certificate already exists on disk, but isn't being used yet. Certbot has no way to know whether the new certificate is active or not.

I think that this is because the renewal was successful but the new certificate wasn't in use. The Let's Encrypt CA does not monitor sites to see whether or not they are using particular certificates. So renewal reminders are only based on which certificates have been issued, regardless of whether the newly-issued certificates are successfully deployed.

If you want to have your site monitored to ensure that an appropriate certificate is in use, you might also want to sign up with a web site monitoring service.

Mmm I don’t understand, because once renewed certs and added to my isp panel (which does not point to letsencrypt cert folders, but updates it in another file) the web server get restarted, otherwise my browser would continue to indicate that is expired and is not after doing all this hole renew process.

You said that the new certificate worked properly after you restarted Apache, right? If that's so, isn't it likely that Apache wasn't restarted automatically before that?

Mmm no, maybe I was not clear, Sorry :frowning:

When I saw the message in my browser, I didn’t renewed the certs yet. So everytime I see this message in my browser, I proceed to renew via certbot, but certbot always says “… ins’t close to expire” (this is not the first time btw).

And this is the only alert I have since I don’t receive expire notification (and of course I not checking all the time expire time from all certs… or I would have to write a script…) :S

What action did you take that caused the site to begin working again?

Let’s Encrypt certificates are valid for 90 days; by default, Certbot renews them every 60 days.

https://admin.gdnet.com.ar/ was using this certificate: 2018-04-04

Certbot automatically renewed it on schedule, on 2018-06-03.

Apparently, the web server wasn’t configured to use that certificate. Or it was configured to, but had not yet been reloaded.

At that point, since Certbot has renewed the certificate, if you run “certbot renew”, it will say that the certificate doesn’t need to be renewed.

Today, another certificate got issued, 2018-07-03, and the website is now using it.

It sounds like Certbot is managing certificate renewal, but somehow the web server is never using the new certificates. Then when the old certificate expires, you notice the error, force Certbot to issue an extra certificate, and then update the web server.

As far as Certbot and Let’s Encrypt are aware, your certificates are being renewed 30-60 days before expiration, and they’re never close to expiring.

You need to do one or both of:

  • Set up monitoring to warn you if your websites are using certificates that are going to expire soon.
  • Configure Certbot, the control panel, and the web server to automatically use the new certificates that Certbot issues.
1 Like

Ahhh Ok! I didn’t know that certbot renews it automatically. Then Now I know where is the problems. Since my isp panel software does not use directly the files generated by certbot/letsencrypt and here is why.

There is not way to setup this in my isp panel software (If i want that, I would have to pay for a paid script plugin they have). So I will write a simple python script to check expires dates everyday.

Just in case, certbot has any tool to exec a script after renew? I see the folder /etc/letsencrypt/renewal-hooks/post and maybe is for this? I will read the docs.

Yes. :slightly_smiling_face: You should use a deploy hook, but a post hook would work too.

https://certbot.eff.org/docs/using.html#renewing-certificates

1 Like

Perfect!! Thanks a lot!

EDIT: Managed to create the hooks (which a generic bash script for all domains, which first updates the certs on my isp panel files and later restarts apache) and wrote a python script to notify me certs about to expire :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.