@schoen, certbot is being run every hour, but the certificate did not renew a month before expiry. Is there someplace that window may have been changed?
@Osiris, here is the full content of letsencrypt.py:
```python
#!/usr/bin/python
import os
import time
import subprocess

command = [
    "certbot",
    "-n", "--agree-tos",  # non-interactive
    "-d", os.environ["HOSTNAMES"],
    "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
    "certonly", "--standalone",
    "--cert-name", "mailu",
    "--preferred-challenges", "http", "--http-01-port", "8008",
    "--keep-until-expiring",
    "--rsa-key-size", "4096",
    "--config-dir", "/certs/letsencrypt",
    "--post-hook", "/config.py"
]

# Wait for nginx to start
time.sleep(5)

# Run certbot every hour
while True:
    subprocess.call(command)
    time.sleep(3600)
```
You can override it in /etc/letsencrypt/renewal but that's a very unusual action.
What happens if you just run certbot renew on the command line?
There should in any case be logs in /var/log/letsencrypt to show what's happening each time that Certbot is run.
That's actually the default behavior (it doesn't literally mean to wait until the last moment, it just means "don't force an immediate renewal each and every time Certbot is run" and contrasts with the --force-renewal option). The --keep-until-expiring will still default to renewing 30 days prior to the certificate's expiry.
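To check the two points raised in the replies (an override in the renewal configuration, and the 30-day default), the following added example, which is not code from the thread or from Certbot, reads a renewal file's text and decides whether a certificate is inside its renewal window. It assumes Certbot's `renew_before_expiry` key and a single `<number> <unit>` interval; the sample file contents and dates are constructed. With `--config-dir /certs/letsencrypt`, as in the script above, the file to inspect is under that directory's `renewal/` folder rather than `/etc/letsencrypt/renewal`.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW = timedelta(days=30)  # default stated in the thread
UNITS = {"second": "seconds", "minute": "minutes", "hour": "hours",
         "day": "days", "week": "weeks"}

# Constructed sample, modelled on a renewal/<cert-name>.conf file.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 1.0.0
cert = /certs/letsencrypt/live/mailu/cert.pem
[renewalparams]
authenticator = standalone
"""
OVERRIDDEN_CONF = SAMPLE_CONF.replace(
    "# renew_before_expiry = 30 days", "renew_before_expiry = 10 days")


def renewal_window(conf_text):
    """Return (window, overridden) for the text of one renewal .conf file."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # a commented-out setting means the default applies
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "renew_before_expiry":
            continue
        m = re.fullmatch(r"(\d+)\s*([a-z]*?)s?", value.lower())
        unit = (m.group(2) or "day") if m else None  # bare number = days
        if unit not in UNITS:
            raise ValueError("unrecognised interval: " + value)
        return timedelta(**{UNITS[unit]: int(m.group(1))}), True
    return DEFAULT_WINDOW, False


def due_for_renewal(not_after, conf_text, now):
    """True when `now` falls inside the renewal window before `not_after`."""
    window, _ = renewal_window(conf_text)
    return now >= not_after - window


if __name__ == "__main__":
    not_after = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed expiry
    now = datetime(2024, 6, 5, tzinfo=timezone.utc)         # 25 days before expiry
    for name, conf in (("default", SAMPLE_CONF), ("override", OVERRIDDEN_CONF)):
        print(name, renewal_window(conf), due_for_renewal(not_after, conf, now))
```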