Help with expiration Mail


#1

Hi there,

i have a Let#s Encrypt certificate for my root server - but since one week i am getting expiration notices:

mail from 01.03 - will expire in 16 days
mail from 05.03 - will expire in 17 days
mail from 06.03 - will expire in 18 days
mail from 10.03 - will expire in 8 days

All mails point to the same domain - i use a Debian Server with autrenewal via CRON - found in a HowTo.

Each time i got this mail - i manualy started the CRON-Job getting finaly a message like this one from today :

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.xyz.com/fullchain.pem. Your cert
    will expire on 2016-06-08. To obtain a new version of the
    certificate in the future, simply run Let’s Encrypt again.
  • If you like Let’s Encrypt, please consider supporting our work by:

but i am still getting this expirations mail and i dont know why ?

did i miss something ?

thank you for your help

regards


#2

The auto-mailer isn’t aware of the fact you’ve already renewed your certificate.

By the way: if your renewal-script renews the certificate every time you run it, it probably isn’t set up right: the most logical thing for the renewal script to do is to check if renewal is really necessary.


#3

Thank you Osiris for the fast response :slight_smile:

this cron is running all 60 days :

cd /home/XYZ/letsencrypt/ && ./letsencrypt-auto certonly --email m@XYZ.com --agree-tos --webroot --renew-by-default -w /home/XYZ/public_html/ -d www.XYZ.com -d server1.XYZ.com -d XYZ.com --authenticator webroot && cp -f /etc/letsencrypt/live/www.XYZ.com/cert.pem /home/XYZ/ssl_certificates/cert.pem && cp -f /etc/letsencrypt/live/www.XYZ.com/chain.pem /home/XYZ/ssl_certificates/chain.pem && cp -f /etc/letsencrypt/live/www.XYZ.com/fullchain.pem /home/XYZ/ssl_certificates/fullchain.pem && cp -f /etc/letsencrypt/live/www.XYZ.com/privkey.pem /home/XYZ/ssl_certificates/privkey.pem

thats from the Tutorial i found, Is there a way to make it better ?


#4

There’s a few things you can do with that. The most important is to replace --renew-by-default with --keep so that the cert is not renewed if it has more than 30 days remaining (allowing the job to be run more often e.g. weekly).
Alternatively the renew command will handle everything according to the conf files in /etc/letsencrypt/renewal/ (allowing you to take all the parameters out).
Finally all the copy lines with one using a wildcard (help performance and makes it more readable).