Problem automatically renewing certificate

Hello,

I have a certificate for wsv.gtbox.fr that expired today.

I however have a cron on my Ubuntu server to renew it automatically.

The cron does: /usr/bin/certbot renew --max-log-backups 31 --quiet --renew-hook /root/cert/store-renewed.sh

The cron ran fine; I can find the logs. Nevertheless, the certificate did not renew and expired today.

I tried to launch /root/cert/store-renewed.sh manually and the certificate renewed well!?
Before, I used /root/cert/certbot-auto to renew automatically but, as it seems to be deprecated, I replaced it with /usr/bin/certbot.

Do you have any idea why the "/usr/bin/certbot renew" did not renew the certificate?

Thanks in advance for any help.

Best Regards.


Can you explain more why you think it expired?

I see your server sending out a cert that expires in 60 days.

I also see you have a wildcard cert that could be used instead.

Note I also changed your category to the general Help section.


Hello Mike,

Thank you for your answer and your help.

I had a message today on my web site (wsv.gtbox.fr, using Firefox) that specified that the certificate had expired. It was the same for wsv.madobox.fr.

As soon as I renewed it manually using my "/root/cert/store-renewed.sh" script, I had no more errors. I guess that's why you now see an expiry time of 60 days?

Best Regards,

Michel.


No. New Let's Encrypt certs have an expiration of 90 days. I don't (yet) see a cert that was created today in the CT log. All certs show up there but sometimes there is a delay (in rare cases maybe even 24 hours).

I think you should test your renew like this and ensure it is working.

/usr/bin/certbot renew --dry-run

I do not see a --renew-hook option in the current docs. A --deploy-hook option is often used for action after a new cert is created.


Mathematically:
If an LE cert expired today, it would have been issued 90 days ago.
If it was issued 90 days ago, it should have been renewed after 60 days (30 days ago).
We do see a cert having been issued 30 days ago.
If the site was showing expired today, it wasn't using the cert that was issued 30 days ago.
If you ran a script that caused the web site cert to not show as expired (by serving a cert that was issued 30 days ago), you only need to:

  • ensure you include the script to restart (or reload) the web server
    either:
    after any cert has been issued
    or periodically [like once a week]
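The two replies above make the same point from different angles: Mike's, that the action after issuance belongs in a --deploy-hook and that certbot renew --dry-run should be checked; rg305's, that a certificate issued 30 days ago but an "expired" warning in the browser means the web server was never told to re-read the new file. The following Python script is an added example, not code from the thread and not certbot's own; it turns that reasoning into a check you can run from cron after certbot renew. It compares the leaf certificate the server actually serves with the one on disk, reports how many days the served one has left, and classifies the result. The host, port and PEM path are assumptions; /etc/letsencrypt/live/<name>/fullchain.pem is certbot's default location for a lineage's current chain.

```python
"""Added example (not from the thread, not certbot's own code): check whether
a web server is actually serving the certificate certbot last wrote to disk,
and how long the served certificate has left.  The host, port and PEM path
are assumptions; /etc/letsencrypt/live/<name>/fullchain.pem is certbot's
default location for a lineage's current certificate chain."""
import hashlib
import socket
import ssl
import sys
import time
from typing import Optional

DAY = 86400


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first (leaf) certificate in a PEM file.  fullchain.pem
    holds the leaf first, then the intermediates, so only that block counts."""
    start = pem_text.index(ssl.PEM_HEADER)
    end = pem_text.index(ssl.PEM_FOOTER, start) + len(ssl.PEM_FOOTER)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()


def days_until(not_after: str, now: Optional[float] = None) -> int:
    """Whole days from `now` until a notAfter string in the form getpeercert()
    returns it, e.g. 'Oct 20 12:00:00 2024 GMT'.  Negative once expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // DAY)


def fetch_served_cert(host: str, port: int = 443) -> dict:
    """Handshake with SNI and report the leaf certificate the server presents.
    A verified handshake also yields notAfter; if verification fails (for
    example because the served certificate is expired) retry without
    verification so the fingerprint is still available, and keep the error."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            not_after = tls.getpeercert().get("notAfter")
        return {"fingerprint": hashlib.sha256(der).hexdigest(),
                "not_after": not_after, "verify_error": None}
    except ssl.SSLCertVerificationError as err:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=10) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
        return {"fingerprint": hashlib.sha256(der).hexdigest(),
                "not_after": None,
                "verify_error": getattr(err, "verify_message", str(err))}


def diagnose(on_disk_fp: str, served: dict, now: Optional[float] = None) -> str:
    """Classify the situation the way the thread reasons about it."""
    if served["fingerprint"] != on_disk_fp:
        # certbot wrote a newer certificate but the web server never re-read
        # it: the deploy hook must reload (or restart) the web server.
        return "stale: web server is not serving the certificate on disk"
    if served["verify_error"]:
        # disk and server agree, yet the cert does not verify: renewal itself
        # did not happen, so look at certbot renew --dry-run and the logs.
        return "invalid: served cert matches disk but fails verification (%s)" % served["verify_error"]
    left = days_until(served["not_after"], now)
    if left < 0:
        return "expired"
    if left <= 30:
        # certbot renews once fewer than 30 days remain; below that, renew has not run
        return "due: %d days left, certbot renew should already have replaced it" % left
    return "ok: %d days left" % left


def main(argv: list) -> int:
    host = argv[1] if len(argv) > 1 else "www.example.com"  # assumption
    pem_path = argv[2] if len(argv) > 2 else \
        "/etc/letsencrypt/live/www.example.com/fullchain.pem"  # assumption
    with open(pem_path) as fh:
        on_disk = pem_fingerprint(fh.read())
    verdict = diagnose(on_disk, fetch_served_cert(host))
    print(verdict)
    return 0 if verdict.startswith("ok") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as "python3 check_served_cert.py wsv.example.com /etc/letsencrypt/live/wsv.example.com/fullchain.pem" (names are placeholders). A "stale" verdict is exactly the case described in this thread: the renewal worked, but the web server kept the old certificate in memory until something reloaded it, which is what a --deploy-hook that reloads the web server is for. An "invalid" or "due" verdict points the other way, at certbot renew itself, and certbot renew --dry-run plus the log file are the next things to look at.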