I thought LE certs expire in 90 days?!

Windows Server 2012 R2
IIS 8.5

I just ran the following command on the server in a console. The new cert was installed about ten days ago. Can someone explain what the issue is please?

le64.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "domain.com,www.domain.com" --path \inetpub\wwwroot\.well-known\acme-challenge\ --unlink --renew 21 --issue-code 100
2017/06/20 10:46:26 [ ZeroSSL Crypt::LE client v0.23 started. ]
2017/06/20 10:46:26 Loading an account key from account.key
2017/06/20 10:46:26 Loading a CSR from mydomain.csr
2017/06/20 10:46:26 Checking certificate for expiration (local file).
2017/06/20 10:46:26 Too early for renewal, certificate expires in 1365 days.

Let’s ask @leader about this problem!

I’d move/remove:
\inetpub\wwwroot\.well-known\acme-challenge\mydomain.crt
and try it again.

This might happen if mydomain.crt was edited, leaving the issuer's certificate in it to be the first or only one (1365 is what you will see if you look at X3, which expires on Mar 17, 2021). If it is not the case, I might need to have a look at the crt file (no need for any keys) to try and reproduce this.

@rg305's advice in this case is correct by the way - moving the certificate file to another place (or renaming it temporarily) would make LE check the expiration using the web connection rather than the local file, in which case local edits would not matter. However, since it would indeed be too early for renewal, I would not recommend the "removal" of the certificate.

It would be good to have a look at the file as I mentioned to see if it's some genuine oddity of the specific environment. Even if it's not though, I will probably add some additional checks to detect the case of an unusually long expiration being reported (whether because of the edits or anything else) and switch to checking it over the web connection, with an appropriate warning issued.


I forgot I had edited the mydomain.crt file in an attempt to reverse the order of the domains listed from www.domain.com being first to domain.com instead, not knowing what the contents of the file represented. It didn’t make a difference I assume because that domain info is embedded in the certificate data itself and has nothing to do with the order in the file. I’m guessing that the two certs in that file are my domain and the letsencrypt intermediate cert? At any rate, I re-reversed the cert order in the file and now get what I was expecting:
le64.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "domain.com,www.domain.com" --path \inetpub\wwwroot\.well-known\acme-challenge\ --unlink --renew 21 --issue-code 100
2017/06/21 09:19:01 [ ZeroSSL Crypt::LE client v0.23 started. ]
2017/06/21 09:19:01 Loading an account key from account.key
2017/06/21 09:19:01 Loading a CSR from mydomain.csr
2017/06/21 09:19:01 Checking certificate for expiration (local file).
2017/06/21 09:19:01 Too early for renewal, certificate expires in 72 days.

Thanks again for all the assistance!
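As an added example (not part of this thread or of the Crypt::LE client), the stdlib-only Python below reproduces what a local-file check sees: it reads notAfter of the first certificate in a PEM bundle and, along the lines of the extra check proposed above, flags a first certificate that expires later than another one in the same file, which is what a leaf/issuer swap looks like. The certificates are constructed stand-ins with dummy names and no signature, and the 72/1365 day figures are for the constructed dates, not for anyone's real certificate.

```python
import base64
import re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, offset after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                            # long-form length: low bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def not_after(der_cert):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as a UTC datetime."""
    _, cert, _ = _tlv(der_cert)
    _, tbs, _ = _tlv(cert)
    tag, _, pos = _tlv(tbs)                 # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)          # serialNumber
    _, _, pos = _tlv(tbs, pos)              # signature algorithm
    _, _, pos = _tlv(tbs, pos)              # issuer
    _, validity, _ = _tlv(tbs, pos)
    _, _, pos = _tlv(validity)              # notBefore
    tag, value, _ = _tlv(validity, pos)     # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)

def check_renewal(pem_text, now):
    """Read only the FIRST cert (as a local check does); flag it if it is not the earliest-expiring one."""
    expiries = [not_after(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem_text)]
    return (expiries[0] - now).days, expiries[0] != min(expiries)

def _der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample certificates below."""
    n, k = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def fake_cert_pem(not_after_utc):
    """Constructed stand-in certificate: real DER layout, empty names, empty signature."""
    validity = _der(0x30, _der(0x17, b"170610000000Z") + _der(0x17, not_after_utc))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

# Constructed chain: a short-lived leaf, then an issuer expiring 2021-03-17 (the X3 date given above).
LEAF, ISSUER = fake_cert_pem(b"170901000000Z"), fake_cert_pem(b"210317000000Z")
NOW = datetime(2017, 6, 20, 10, 46, 26, tzinfo=timezone.utc)
```

check_renewal(LEAF + ISSUER, NOW) returns (72, False) for the file as issued, while check_renewal(ISSUER + LEAF, NOW) returns (1365, True) for the edited, issuer-first file.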

Yes, indeed. Glad that it worked for you.

Also I just noticed that my initial cert creation command did not include an email because the https://zerossl.com/usage.html webpage didn’t show that parameter in its example. So I assume that means I won’t be getting reminder emails? Perhaps the --email parameter can either be required or show a warning message if left off?

You are right, even though --email is listed in the allowed parameters list shown if LE is run without any parameters specified, it is not given in the usage examples. The page will be updated to reflect that. Since the email is optional, I believe it would not be a good idea to force people to enter it.

However, what will be done in the next version is an update of the email if it was not specified before, allowing you to start receiving emails. If some email was already set and is different from what you have in the parameters, you will be asked for confirmation.
