Listing all certs on host


#1

I am new to letsencrypt and I have a server whose certs need to be renewed (I received an email listing four certs that will be expiring). However, when I execute ‘certbot renew’, it finds only one. I cannot seem to locate the other three. Please advise how I can ensure that all certs get renewed. Is there a command I can use to view/verify the certs?

Thanks


#2

Are you sure it’s really four different certificates expiring? If you received only one email with a list of four names in it, that’s just one certificate it’s warning about.

Modern certificates can have up to one hundred names in them, listed as SANs (Subject Alternative Names). It’s the whole certificate which expires, not the names. So if you really only had one certificate, you only need to do one renewal.

If you’re not sure, you can tell us the names, and we can check.


#3

Thank you!

Looking at the webserver config, I think it is just one, as you explained. However, I am new to this so, if you would not mind verifying for my peace of mind, I would be extremely grateful.

api-buildbot.xometry.net
erp-buildbot.xometry.net
get-buildbot.xometry.net
work-buildbot.xometry.net

Also, when I renewed, it is only for 60 days. Is there any way I can renew for longer? I think the suggested way is to enable auto renewal? Should I do this using the ‘certbot’ command or the ‘letsencrypt’ command?

Finally, would you advise how I can get the email address that notifications are being sent to changed?

Thank you!!


#4

Yes, all four names are the subject of a single certificate. The certificate I can see in a Monitor expires tomorrow, but the monitor can take several hours to catch up, so if you renewed successfully today all is probably fine.

Let’s Encrypt renewals are for 90 days; a certificate renewed today should result in a new certificate which expires in December, 90 days from now. You cannot obtain certificates from Let’s Encrypt which last longer, but you can arrange to run the “certbot renew” step once per day, and each time it runs it will notice if the certificate has only 30 days or less lifetime and renew it. You also probably want to have a “hook” set to reload your web browser, something like

certbot renew --post-hook "/sbin/service apache reload"

But of course the exact command needed in the hook might depend on your setup. If you don’t have any experience setting commands to be run periodically like this it’s really beyond the scope of this forum.

You should be able to run
certbot register --update-registration

to change the email address which gets sent notifications.
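
For the original question of how to view the certificates on a host, and the points above that one certificate covers several names and is renewed once 30 days or less remain, here is an added example (not part of the thread and not certbot's own code) that reads each certificate with openssl and prints its names, expiry date and whether it is inside the renewal window. The function names are hypothetical, the `LIVE_DIR/<lineage>/cert.pem` layout is assumed to match certbot's default `/etc/letsencrypt/live`, and the sample certificates are constructed, self-signed ones generated so the script runs offline.

```shell
#!/bin/sh
# Added example. Assumes certbot's default layout: LIVE_DIR/<lineage>/cert.pem

# list_certs LIVE_DIR [DAYS]
# Prints one tab-separated line per certificate: lineage, status, expiry, DNS names.
# Status is RENEW when the certificate expires within DAYS (default 30), else OK.
list_certs() {
    days=${2:-30}
    for cert in "$1"/*/cert.pem; do
        [ -f "$cert" ] || continue          # glob matched nothing
        lineage=$(basename "$(dirname "$cert")")
        end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
        # Every DNS entry in the SAN extension; one certificate can carry many.
        sans=$(openssl x509 -in "$cert" -noout -text |
               grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | paste -sd' ' -)
        # -checkend N exits 0 only if the certificate is still valid in N seconds.
        if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
        then status=OK
        else status=RENEW
        fi
        printf '%s\t%s\t%s\t%s\n' "$lineage" "$status" "$end" "$sans"
    done
}

# make_sample_cert LIVE_DIR LINEAGE VALID_DAYS NAME...
# Generates a constructed self-signed certificate (sample data, not a real one).
make_sample_cert() {
    dir=$1/$2; valid=$3; shift 3
    mkdir -p "$dir"
    san=$(printf 'DNS:%s,' "$@"); san=${san%,}
    openssl req -x509 -newkey rsa:2048 -nodes -days "$valid" \
        -subj "/CN=$1" -addext "subjectAltName=$san" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
}

# One four-name certificate close to expiry and one fresh single-name certificate.
demo() {
    tmp=$(mktemp -d)
    make_sample_cert "$tmp" multi.example.test 10 \
        api.example.test erp.example.test get.example.test work.example.test
    make_sample_cert "$tmp" fresh.example.test 90 fresh.example.test
    list_certs "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real host, replace the final `demo` call with `list_certs /etc/letsencrypt/live`, run with enough privilege to read that directory.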


#5

Thank you!!!

One more (and I promise, the last…). How do I view the monitor?

Thank you!
Jackie


#6

Several independent monitors of the Certificate Transparency system exist; here’s one run by Google

https://www.google.com/transparencyreport/https/ct/

and here’s a very popular one with an easy to remember name run by Comodo

https://crt.sh/


#7

Thank you. Very much appreciate your assistance!

