Making sure auto-renewal is enabled with certbot

About 3 months ago I generated an SSL connection to my server that is being hosted on an EC2 AWS Ubuntu instance, using certbot and nginx.
According to the tutorial I followed, I remember that the cert should auto renew.
Yesterday I got an email from LetsEncrypt saying that my cert is about to expire and I wonder if it's just a warning that has nothing to do with the auto renewal process.

So I just want to make sure that auto renewal is on.
Can anyone confirm it from the output I've added?

My domain is: wordle.idoband.xyz

I ran this command: sudo systemctl status snap.certbot.renew.service

It produced this output:

○ snap.certbot.renew.service - Service for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static)
     Active: inactive (dead) since Fri 2023-09-15 19:13:05 UTC; 13h ago
TriggeredBy: ● snap.certbot.renew.timer
    Process: 240429 ExecStart=/usr/bin/snap run --timer=00:00~24:00/2 certbot.renew (code=exited, status=0/SUCCESS)
   Main PID: 240429 (code=exited, status=0/SUCCESS)
        CPU: 1.939s

Sep 15 19:05:11 ip-172-31-34-84 systemd[1]: Starting Service for snap application certbot.renew...
Sep 15 19:13:05 ip-172-31-34-84 systemd[1]: snap.certbot.renew.service: Deactivated successfully.
Sep 15 19:13:05 ip-172-31-34-84 systemd[1]: Finished Service for snap application certbot.renew.
Sep 15 19:13:05 ip-172-31-34-84 systemd[1]: snap.certbot.renew.service: Consumed 1.939s CPU time.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

Looking at the systemd timer, it looks like Certbot tries to renew. But looking at the fact you don't have a recently issued certificate, it seems renewal is broken.

You can look at the most recent log in /var/log/letsencrypt or simply run sudo certbot renew and see what the output is.

2 Likes

@Osiris thanks for the quick reply.

I tried running sudo certbot renew like you suggested.
I'm fairly new to this so I'm not sure what to do next.

This is the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/private-garden-server.idoband.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/private-garden-server.idoband.xyz/fullchain.pem expires on 2023-12-14 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Like

Can you show the output of sudo certbot certificates ?

1 Like

Sure, this is the output of sudo certbot certificates:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: private-garden-server.idoband.xyz
    Serial Number: 4bc2f0b621285e13648f2a4ef4dd1273fc3
    Key Type: ECDSA
    Domains: private-garden-server.idoband.xyz
    Expiry Date: 2023-12-14 18:13:01+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/private-garden-server.idoband.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/private-garden-server.idoband.xyz/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I'm not sure about this, but one thing that I find strange is that the domain name is not the same as the domain I am actually using for my server, which is stated in my original post message.

Probably someone deleted it. You should re-use the command you initially used to get a certificate for your hostname.

1 Like

What do you mean someone deleted it? :sweat_smile:
Just to clarify, the connection works properly at the moment.
I am just concerned about the auto renewal.

Well, if there ever was a certificate for wordle.idoband.xyz known to Certbot, it's gone now.

Maybe a different ACME client besides Certbot was used to issue that certificate?

At the moment, wordle.idoband.xyz doesn't even resolve to an IP address. The authoritative DNS servers for idoband.xyz are replying with NXDOMAIN, so the subdomain wordle is not known to them.

Well, Certbot isn't going to renew a certificate that's not known to Certbot.

Ok, I found a mistake of mine, so let's recap.

The automated warning email regarding cert expiration I got is for the domain 'wordle.idoband.xyz'.

However, I forgot that I changed the domain and issued a new cert a couple of months ago for 'private-garden-server.idoband.xyz'.

So you are correct by saying someone deleted it, it was me a couple months ago :rofl:.
Sorry for the mistake.

  1. Why would I get a warning for a non-existing cert?
  2. Looking at the output of sudo certbot certificates, I can see it expires in 89 days:
    Expiry Date: 2023-12-14 18:13:01+00:00 (VALID: 89 days), so keeping in mind that every cert only lasts for 90 days, it means that the renewal occurred yesterday? :thinking:

How would Let's Encrypt know the certificate is non-existing?

Yup.

2 Likes
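
The check this thread ends up doing by eye, as an added example that is not part of the original posts: it parses a `certbot certificates` listing and reports whether a hostname is covered by any certificate Certbot manages, which is the precondition for `certbot renew` ever touching it. The function name `lineage_for` is hypothetical, and the embedded listing is the one quoted above.

```sh
# Added example (not from the thread): is HOST covered by a Certbot lineage?
# Sample input: the `certbot certificates` listing quoted in the thread.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: private-garden-server.idoband.xyz
    Serial Number: 4bc2f0b621285e13648f2a4ef4dd1273fc3
    Key Type: ECDSA
    Domains: private-garden-server.idoband.xyz
    Expiry Date: 2023-12-14 18:13:01+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/private-garden-server.idoband.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/private-garden-server.idoband.xyz/privkey.pem
EOF
}

# lineage_for HOST (hypothetical helper): reads the listing on stdin, prints
# "<certificate name> <days valid>" and returns 0 when HOST appears under
# "Domains:"; prints nothing and returns 1 when no lineage covers it.
lineage_for() {
    awk -v host="$1" '
        /Certificate Name:/ { name = $3; hit = 0 }
        /Domains:/ {
            for (i = 2; i <= NF; i++) {
                d = $i
                if (d == host) hit = 1
                else if (substr(d, 1, 2) == "*.") {
                    # A wildcard name covers exactly one extra label.
                    suffix = substr(d, 2)
                    n = length(host) - length(suffix)
                    if (n > 0 && substr(host, n + 1) == suffix &&
                        index(substr(host, 1, n), ".") == 0) hit = 1
                }
            }
        }
        /Expiry Date:/ && hit {
            # Certbot prints "(VALID: N days)"; anything else is reported as INVALID.
            print name, ($5 == "(VALID:" ? $6 : "INVALID"); found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

for h in wordle.idoband.xyz private-garden-server.idoband.xyz; do
    if out=$(sample_output | lineage_for "$h"); then
        echo "$h: Certbot lineage and days valid: $out"
    else
        echo "$h: no Certbot lineage; 'certbot renew' will never touch it"
    fi
done
```

On a live host, pipe the real listing in instead of the sample: `sudo certbot certificates | lineage_for your.hostname`.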
