Impossible renew?

When I run certbot renew --dry-run, all is fine (!). But the command certbot renew gives:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/etcetc.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/etcetc/fullchain.pem (skipped)
No renewals were attempted.


The dry-run

certbot renew --dry-run produces:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/etcetc.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for etcetc
....
....
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/etcetc/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/etcetc/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

Hi @ppKrauss,

There is no problem at all; your certificate is still valid (certbot by default considers it needs to be renewed if at least left 30 days to the expiring date), so the certbot renew command is not renewing it.

The certbot renew --dry-run command is just simulating the renewal, no matter whether the cert is near the expiry date or not.

You can check the validity of your cert with this command:

openssl x509 -in /etc/letsencrypt/live/etcetc/cert.pem -noout -dates

or using certbot:

certbot certificates

Cheers,
sahsanu

Thanks @sahsanu! Well, there are some problems:

  1. Need for it: can I enforce renew?

  2. Contradiction: an e-mail says that I need to renew (!). See dump below.


e-mail.

Let's Encrypt Expiry Bot <expiry@letsencrypt.org> Unsubscribe
8:17 AM (3 hours ago)

to me 
Hello,

Your certificate (or certificates) for the names listed below will expire in
9 days (on 20 Sep 17 10:59 +0000). Please **make sure to renew**
your certificate before then, or visitors to your website will encounter errors.

You can use certbot renew --force-renewal but if your domain is valid there is no need to force the renewal.

Well, I suppose you have issued certs for your domain and the email expiration notice is for one of the certs you are not using anymore. If you provide your domain name, we can check the certificates you have issued.

Cheers,
sahsanu

Thanks @sahsanu, the certbot renew --force-renewal worked fine.
It is for caution, and to stop contradictory emails.

No matter if you renewed your cert, if you issued one that is going to expire (so you received the email) you will receive more emails for that cert even if your current cert is renewed, because the certs are different.

If you don’t want to share your domain name, you can check the certificates issued for your domain on this page: https://crt.sh
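
The two points made in the replies above, as an added example that is not part of the original thread and is not certbot's own code: renewal_status approximates the default 30-day renewal window with openssl x509 -checkend, and cert_identity prints the serial and expiry date so the live cert can be compared with the date in an expiry notice or with an entry on crt.sh. The function names, the --demo flag and the throwaway self-signed certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not certbot code). Run with --demo to see sample output.
# Assumption: 30 days is the default renewal window described in the thread.
RENEW_WINDOW_DAYS=30

# Prints "due" if the cert expires within the window, otherwise "not-due".
renewal_status() {
    local cert="$1" days="${2:-$RENEW_WINDOW_DAYS}"
    [ -r "$cert" ] || { echo "unreadable"; return 2; }
    # -checkend N exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "not-due"
    else
        echo "due"
    fi
}

# Prints serial and expiry date, to match the live cert against the date
# quoted in an expiry notice or against an entry listed on crt.sh.
cert_identity() {
    openssl x509 -in "$1" -noout -serial -enddate
}

# Constructed sample input: a throwaway self-signed cert valid for N days.
make_sample_cert() {
    local out="$1" days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.invalid" \
        -days "$days" -keyout "$out.key" -out "$out" 2>/dev/null
}

demo() {
    local dir c
    dir="$(mktemp -d)"
    make_sample_cert "$dir/current.pem" 90   # like a freshly renewed cert
    make_sample_cert "$dir/old.pem" 9        # like the cert named in the notice
    for c in "$dir/current.pem" "$dir/old.pem"; do
        echo "$c: $(renewal_status "$c")"
        cert_identity "$c"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

A "not-due" result for the live cert together with an expiry notice quoting an earlier date indicates the notice refers to a different, older certificate for the same name.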
