When I run certbot renew --dry-run, all is fine (!). But the command certbot renew gives:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/etcetc.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/etcetc/fullchain.pem (skipped)
No renewals were attempted.
The dry-run
certbot renew --dry-run produces:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/etcetc.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for etcetc
....
....
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/etcetc/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/etcetc/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
There is no problem at all; your certificate is still valid (certbot by default considers it needs to be renewed if there are at least 30 days left to the expiry date), so the certbot renew command is not renewing it.
The certbot renew --dry-run command just simulates the renewal, no matter whether the cert is near its expiry date or not.
You can check the validity of your cert with these command:
Contradiction: an e-mail says that I need to renew (!). See dump below.
e-mail.
Let's Encrypt Expiry Bot <expiry@letsencrypt.org> Unsubscribe
8:17 AM (3 hours ago)
to me
Hello,
Your certificate (or certificates) for the names listed below will expire in
9 days (on 20 Sep 17 10:59 +0000). Please **make sure to renew**
your certificate before then, or visitors to your website will encounter errors.
You can use certbot renew --force-renewal but if your domain is valid there is no need to force the renewal.
Well, I suppose you have issued certs for your domain and the email expiration notice is for one of the certs you are not using anymore; if you provide your domain name we can check the certificates you have issued.
No matter if you renewed your cert: if you issued one that is going to expire (so you received the email), you will receive more emails for that cert even if your current cert is renewed, because the certs are different.
If you don’t want to share your domain name you can check the certificates issued for your domain on this page: https://crt.sh
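To settle the contradiction in this thread (certbot reports the cert as not due while the e-mail says 9 days), the expiry date and serial can be read straight from the file certbot manages, and the serial compared with the entries listed on crt.sh. The script below is an added example, not part of the original posts; the function names are hypothetical and the 30-day window is the default mentioned in the thread.

```shell
#!/bin/sh
# Added example: check whether a PEM certificate is inside the renewal window.
# RENEW_DAYS=30 is the default window mentioned in the thread (assumption:
# your renewal configuration does not override it).
RENEW_DAYS=30

# cert_due PEM [DAYS]
#   exit 0: certificate expires within DAYS days (due for renewal)
#   exit 1: more than DAYS days of validity left (not due)
#   exit 2: file missing or not a parseable certificate
# For a fullchain.pem, openssl reads the first certificate, i.e. the leaf.
cert_due() {
    pem=$1
    days=${2:-$RENEW_DAYS}
    [ -r "$pem" ] || return 2
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_summary PEM: print "serial=..." and "notAfter=..." so the file on disk
# can be matched against the certificate named in an expiry notice.
cert_summary() {
    openssl x509 -in "$1" -noout -serial -enddate
}

# report PEM: human-readable verdict; returns the cert_due status.
report() {
    cert_due "$1"
    rc=$?
    case $rc in
        0) cert_summary "$1"; echo "expires within $RENEW_DAYS days: due for renewal" ;;
        1) cert_summary "$1"; echo "more than $RENEW_DAYS days left: not due" ;;
        *) echo "cannot read certificate: $1" >&2 ;;
    esac
    return $rc
}

# Stand-alone use: sh check_cert.sh /path/to/fullchain.pem
if [ $# -ge 1 ]; then
    report "$1"
fi
```

If the serial printed here differs from the serial of the certificate that expires on the date in the notice, the e-mail refers to a different, older certificate.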