MXToolbox Warning: A Certificate in the chain will expire within the month

I’m getting a warning when I test my server with mxtoolbox.com that says “A Certificate in the chain will expire within the month”.

The warning is because the current certificate will expire 8/21/2018 (today is 8/13).

My certificates are successfully generated by certbot. So, that’s not the issue.

Is there a way to configure my server so it renews a month before expiry?

I’m running letsencrypt.py on an alpine linux image (v3.7.0).

We recommend running certbot renew twice a day every day from cron. It will renew your certificates when they're a month from expiry.

There are many clients/files/libraries called letsencrypt.py. Which one are you using?

@schoen, certbot is being run every hour, but the certificate did not renew a month before expiry. Is there someplace that window may have been changed?

@Osiris, here is the full content of letsencrypt.py:

#!/usr/bin/python

import os
import time
import subprocess


command = [
    "certbot",
    "-n", "--agree-tos", # non-interactive
    "-d", os.environ["HOSTNAMES"],
    "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
    "certonly", "--standalone",
    "--cert-name", "mailu",
    "--preferred-challenges", "http", "--http-01-port", "8008",
    "--keep-until-expiring",
    "--rsa-key-size", "4096",
    "--config-dir", "/certs/letsencrypt",
    "--post-hook", "/config.py"
]

# Wait for nginx to start
time.sleep(5)

# Run certbot every hour
while True:
    subprocess.call(command)
    time.sleep(3600)

I’m wondering if the --keep-until-expiring switch is what’s messing things up.

By the way, here is a ps dump just to show that letsencrypt.py is (and has been) running:

~/mailu$ docker-compose exec front ps
PID   USER     TIME   COMMAND
    1 root       0:00 /bin/sh -c /start.py
    6 root       0:00 nginx: master process nginx -g daemon off;
    7 root       0:00 {letsencrypt.py} /usr/bin/python /letsencrypt.py
    9 nginx      1:35 nginx: worker process
 1765 root       0:00 ps

You can override it in /etc/letsencrypt/renewal but that's a very unusual action.

What happens if you just run certbot renew on the command line?

There should in any case be logs in /var/log/letsencrypt to show what's happening each time that Certbot is run.

That's actually the default behavior (it doesn't literally mean to wait until the last moment, it just means "don't force an immediate renewal each and every time Certbot is run" and contrasts with the --force-renewal option). The --keep-until-expiring will still default to renewing 30 days prior to the certificate's expiry.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.