How to Update Cert 2 Days Before Expiry?


#1

We’ve been running certbot-auto on an AWS Linux instance for several months now and it is automatically updating.

However, we recently encountered an issue where a few hours after an auto-update an external SAML system started throwing errors saying “SAML Message has wrong signature”. After a few more hours, the problem disappeared.

I suspect the external system was caching old certificate information and if I could force certbot-auto to update the certificate 2 days before expiry, the problem may not happen again. However, I cannot find any info on the interweb.

Suggestions?

Regards

Brett Sh

My domain is: mylink.stpetersgirls.sa.edu.au

I ran this command: /opt/certbot-auto renew --no-self-upgrade

It produced this output: the usual…

My web server is (include version): NGINX 1.10.2

The operating system my web server runs on is (include version): Amazon Linux AMI release 2017.03

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.


#2

The last renewal seems to have been done 30 days before expiration:
https://crt.sh/?q=mylink.stpetersgirls.sa.edu.au

Not sure what the SAML problem may be, but it doesn’t look like it was related to the cert expiration, as the cert is still valid through 2018/06/02.


#3

Thanks for the super-quick reply 🙂

My theory was obviously wrong. Although, I’m surprised the update is occurring after 60-odd days.


#4

Incidentally, I did find where renewal is set.

In this file:
/etc/letsencrypt/renewal/mydomain.com.conf

I found this line:
renew_before_expiry = 30 days

So, the default (our system at least) seemed to be 30 days.


#5

Yes, when there is less than 30 days left it will attempt to renew.
Which is the default; so it should renew every 2 months.

[EDIT] The cron job should check twice a day but the trigger is 30 days or less left.
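
The renewal trigger described in posts #4 and #5, as an added example that is not part of the original thread and is not certbot's own code: it reads `renew_before_expiry` from renewal-file text and decides whether a given run would renew. The sample file contents, the simplified interval parser, the function names and the 00:00 UTC expiry time are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed renewal file contents; path and values are illustrative only.
SAMPLE_CONF = """\
cert = /etc/letsencrypt/live/example.com/cert.pem
# renew_before_expiry = 30 days
renew_before_expiry = 2 days
"""

UNITS = {"hour": "hours", "day": "days", "week": "weeks"}


def parse_interval(text):
    """Parse 'N hours|days|weeks' (simplified; not certbot's own parser)."""
    m = re.fullmatch(r"\s*(\d+)\s*(hour|day|week)s?\s*", text)
    if not m:
        raise ValueError(f"unsupported interval: {text!r}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})


def renew_window(conf_text, default="30 days"):
    """Return the configured window; commented-out lines do not count."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*renew_before_expiry\s*=\s*(.+)", line)
        if m:
            return parse_interval(m.group(1))
    return parse_interval(default)


def window_opens(not_after, window):
    """Moment after which a scheduled run will attempt renewal."""
    return not_after - window


def renewal_due(not_after, window, now):
    """True once less than `window` of validity remains at time `now`."""
    return not_after < now + window


if __name__ == "__main__":
    # Expiry date from post #2; the time of day is assumed.
    expiry = datetime(2018, 6, 2, tzinfo=timezone.utc)
    for label, conf in (("default", ""), ("sample", SAMPLE_CONF)):
        w = renew_window(conf)
        print(label, w, "renews after", window_opens(expiry, w).date())
```

With the 2-day value from the sample, the twice-daily cron run mentioned in post #5 gets only about four attempts to recover from a failed renewal before the certificate expires.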

