Letsencrypt renew does nut update due certificates

markb · January 9, 2017, 12:04pm

Please fill out the fields below so we can help you better.

My domain is:dev.volunteerly.org (multiple domains)

I ran this command:letsencrypt renew

It produced this output:
root@ubuntu:~# letsencrypt renew
Processing /etc/letsencrypt/renewal/dev.volunteerly.org.conf
Processing /etc/letsencrypt/renewal/myadmin.secure.volunteerly.org.conf
Processing /etc/letsencrypt/renewal/fb.secure.volunteerly.org.conf
Processing /etc/letsencrypt/renewal/webmail.tp3.dk.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/dev.volunteerly.org/fullchain.pem (skipped)
/etc/letsencrypt/live/myadmin.secure.volunteerly.org/fullchain.pem (skipped)
/etc/letsencrypt/live/fb.secure.volunteerly.org/fullchain.pem (skipped)
/etc/letsencrypt/live/webmail.tp3.dk/fullchain.pem (skipped)
No renewals were attempted.
root@ubuntu:~#

My operating system is (include version):Ubuntu 16.04 server

My web server is (include version): Apache/Nginx (ServerPilot setup)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Several of my certificates will expire on 31. january 2017 but still the letsencrypt renew command returns “not due” for any of the certificates.

I installed https://github.com/lesaff/serverpilot-letsencrypt on the server and the certificates works like a charm. (and thank you for that!) - but the renewal process fails.

Looking forward to your response.

Best regards,
Mark

serverco · January 9, 2017, 12:16pm

Hi Mark,

letsencrypt renew appears to have worked correctly ( new certificates were obtained for dev.volunteerly.org earlier this month - see https://crt.sh/?q=%volunteerly.org )

however you aren’t using the latest certificates that you have in your nginx. This could be for a couple of reasons.

You simply need to reload nginx to use the correct certificates.
You’re nginx config points to the certs at a different location than in /etc/letsencrypt/live… in which case you need to update that before reloading nginx.

markb · January 9, 2017, 12:20pm

Thanks for your quick reply!
I’ll have a look to see if my Nginx settings are correct, the server has been rebooted in the last month or so, so the new certs should have loaded.

Thanks again

serverco · January 9, 2017, 12:23pm

The latest cert for dev.volunteerly.org was on the 1st Jan

Not Before: Jan 1 16:00:00 2017 GMT
Not After : Apr 1 16:00:00 2017 GMT

so would need to have been restarted this month.

It looks as if you have reloaded nginx, as your server is now using the updated certs.

markb · January 9, 2017, 12:40pm

I reloaded nginx-sp and now the corrects certs are used.
So was 1.117 the first reissue of the certificates ?

(wondering if I need to implement some kind of server restart to avoid this in the future)

MitchellK · January 9, 2017, 12:43pm

Setup a cron job to do it all for you including reloading your web server.

serverco · January 9, 2017, 12:44pm

no - you can see the dates of the certs at crt.sh | %volunteerly.org

I'd suggest something like ...

letsencrypt renew --post-hook "service nginx reload"

markb · January 9, 2017, 12:45pm

As far as I can tell (and remember) the cert was issued nov. 2. 16 and would expire jan. 31. 17.
It would appear as if I should implement a automatic restart of Nginx service once a month.

Thanks for your great service!

MitchellK · January 9, 2017, 12:56pm

@serverco thanks that https://crt.sh/ is a very useful tool to add to the collection

serverco · January 9, 2017, 12:58pm

The other transparency report I find useful is google - https://www.google.com/transparencyreport/https/ct/?hl=en (usually a faster response, although doesn’t have as much detail)

MitchellK · January 9, 2017, 1:12pm

Cool stuff, thanks

markb · January 9, 2017, 1:13pm

@serverco Will the --post-hook “service nginx-sp reload” fire even if no certs was updated ?

serverco · January 9, 2017, 1:17pm

No, It should only run when a cert is renewed. From the documentation

–post-hook POST_HOOK
Command to be run in a shell after attempting to obtain/renew certificates. Can be used to deploy renewed certificates, or to restart any servers that were stopped by --pre-hook. This is only run if an attempt was made to obtain/renew a certificate.

MitchellK · January 9, 2017, 3:10pm

I think as @serverco mentioned to me via PM, running it as a cron as follows is better as it will not reload nginx or apache unless a renewal was done.

so then as simple as crontab -e

00 20 * * * sudo /opt/certbot/certbot-auto renew --quiet --post-hook "service nginx reload" ```

or

```MAILTO=youremail@wherever.com
00 20 * * * sudo /opt/certbot/certbot-auto renew --quiet --post-hook "service apache2 reload" ```

system · February 8, 2017, 3:10pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.