LE64.exe question on renewals

Windows Server 2016


ZeroSSL Crypt::LE client v0.31

I have this set in Task Manager to launch every week, to check for cert renewal. Everything is running via batch files per my post on how to manually renew certs with DOS commands on this website.

My question is this: I thought that all cert applications look at the current cert before going out to renew it? My cert keeps getting renewed weekly in the last two or three weeks of each three month period. While this isn’t a huge problem, it is one that wastes bandwidth and CA server resources on one or two “renewals” that really aren’t required. Is there an update that fixes this? Or should I set the task to fire off every two weeks instead of once a week? The instructions I remember reading somewhere use “daily” as an example, so I can’t imagine this is normal operation.

Thoughts anyone?

Hi. The current version is 0.33, and even though I would recommend to upgrade to at least 0.32, there should be no issues with 0.31 in terms of checking for when to renew the certificate. The client does check for the certificate expiration against whatever you set as a value for the --renew parameter. As per the documentation:

  • If the certificate (which name is used with --crt parameter) is available locally, then it will be loaded and checked.

  • If the certificate is not available locally (for example if you moved it to another server), then an attempt to connect to the domains listed in --domains or CSR will be made until the first successful response is received. The peer certificate will be then checked for expiration.

One possible explanation for weekly renewals would be setting the renew value to something like 83 for example. Another is that the certificate is not available locally and the remote server at one of the domains the CSR or --domains points to sends back the certificate which is either expired or about to. If you send me the actual command line you are running, I could probably tell more about what might be wrong.

C:\ZE>type LE-cert-renewal.bat
le64.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "domain.com,www.domain.com" --path \inetpub\wwwroot\.well-known\acme-challenge\ --unlink --renew 21 --issue-code 100 --live
if errorlevel 255 goto err
if errorlevel 100 call send-good-email-to-webmaster.bat
goto xit
call send-bad-email-to-webmaster.bat

Looking at this I see the renew value is pretty low and all I can think is that I wanted to give myself extra time to deal with any problems if it fails for some reason.

That looks right to me and 21 days before the expiration is not something that should result in a weekly renewal. The best way to understand why the certificate might be issued more often than that is to see in the log how the check was done (it would say whether it is checking against the local file or the remote server). If you do not redirect the output to some file, the best way to log the events is to create a log configuration file and use --log-config option to specify the full path to that file, as described in the documentation.

I think there was a miscommunication. My task is scheduled to fire off the batch file weekly. The task doesn’t care about anything but firing every 7 days. My question was about the LE64.exe application and why it doesn’t see that I have already renewed the certificate. It only seems to do it once, the week following a renewal. Then I get no emails until 3 months later when it renews–followed a week later by another renewal notice. then three more months, etc, etc. i’d like to eliminate that second renewal, because it actually does go out and grab a new cert and install it. i have SSL Spotter set up and I get two notices a week apart every three months, so I know it is getting a brand new cert each time.

As I mentioned above, the application checks for expirations using one of two methods. The rest depends on what you are doing with the certificate and when it gets actually installed on the domains you have issued it for. The logs would make it more clear as to what is actually happening.

Also regarding the Cert Spotter (if that is what you mean by SSL Spotter), if I get this right, it notifies about the change in the certificate transparency logs. If you have two issuances, it does not mean that it is LE64 client that issues both - you might have some other instance or client running for example. I had the case reported for example where the client was used and also there was one instance of certbot still running, so it worth checking if you might have set up something additionally (you could also suspend your current process before it's time for another issuance and see if you still get the notification from the spotter).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.