How to Update Cert 2 Days Before Expiry?

We’ve been running certbot-auto on an AWS Linux instance for several months now and it is automatically updating.

However, we recently encountered an issue where a few hours after an auto-update an external SAML system started throwing errors saying “SAML Message has wrong signature”. After a few more hours, the problem disappeared.

I suspect the external system was caching old certificate information and if I could force certbot-auto to update the certificate 2 days before expiry, the problem may not happen again. However, I cannot find any info on the interweb.

Suggestions?

Regards

Brett Sh

My domain is: mylink.stpetersgirls.sa.edu.au

I ran this command: /opt/certbot-auto renew --no-self-upgrade

It produced this output: the usual…

My web server is (include version): NGINX 1.10.2

The operating system my web server runs on is (include version): Amazon Linux AMI release 2017.03

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The last renewal seems to have been done 30 days before expiration:
https://crt.sh/?q=mylink.stpetersgirls.sa.edu.au

Not sure what the SAML problem may be, but it doesn’t look like it was related to the cert expiration; as the cert is still valid thru 2018/06/02.

Thanks for the super-quick reply 🙂

My theory was obviously wrong. Although, I’m surprised the update is occurring after 60 odd days.

Incidentally, I did find where renewal is set.

In this file:
/etc/letsencrypt/renewal/mydomain.com.conf

I found this line:
renew_before_expiry = 30 days

So, the default (our system at least) seemed to be 30 days.

Yes, when there is less than 30 days left it will attempt to renew.
Which is the default; so it should renew every 2 months.

[EDIT] The cron job should check twice a day but the trigger is 30 days or less left.

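The renewal rule described in the thread (renew once less than `renew_before_expiry` remains, checked by a twice-daily cron job), as an added example that is not code from the thread or from certbot. It assumes cron runs at 00:00 and 12:00 UTC, handles only hour/day/week units, and uses a constructed config and expiry time.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW = timedelta(days=30)  # default reported in the thread
UNITS = {"hour": timedelta(hours=1), "day": timedelta(days=1),
         "week": timedelta(weeks=1)}  # assumption: only these units are handled

def parse_window(conf_text):
    """Return renew_before_expiry from renewal-conf text, or the default."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a commented-out setting is inactive
        m = re.fullmatch(r"renew_before_expiry\s*=\s*(\d+)\s*([a-z]*)", line, re.I)
        if not m:
            continue
        unit = m.group(2).lower().rstrip("s") or "day"  # assumption: bare number = days
        if unit not in UNITS:
            raise ValueError(f"unsupported unit in: {line!r}")
        return int(m.group(1)) * UNITS[unit]
    return DEFAULT_WINDOW

def is_due(not_after, window, now):
    """True once less than `window` remains before the certificate expires."""
    return not_after - now < window

def first_renewing_run(not_after, window, run_hours=(0, 12)):
    """First scheduled check (hypothetical cron hours, UTC) where is_due() holds."""
    due_from = not_after - window
    day = due_from.replace(hour=0, minute=0, second=0, microsecond=0)
    while True:
        for hour in sorted(run_hours):
            run = day + timedelta(hours=hour)
            if run > due_from:
                return run
        day += timedelta(days=1)

# Constructed sample: the setting is commented out, so the default applies.
SAMPLE_CONF = """# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/example.com/cert.pem
"""
# Expiry date taken from the thread; the time of day is constructed.
NOT_AFTER = datetime(2018, 6, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, conf in (("as shipped", SAMPLE_CONF),
                        ("2-day window", "renew_before_expiry = 2 days\n")):
        window = parse_window(conf)
        print(label, window, "-> first renewing run:",
              first_renewing_run(NOT_AFTER, window).isoformat())
```

Knowing the first run that will replace the certificate gives a concrete time to coordinate with any external system that caches it.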