I have a certificate for wsv.gtbox.fr that expired today.
I however have a cron on my Ubuntu server to renew it automatically.
The cron runs: /usr/bin/certbot renew --max-log-backups 31 --quiet --renew-hook /root/cert/store-renewed.sh
The cron ran fine, I can find the logs. Nevertheless, the certificate did not renew and expired today.
I tried to launch /root/cert/store-renewed.sh manually and the certificate renewed fine!?
Before, I used /root/cert/certbot-auto to renew automatically but, as it seems to be deprecated, I replaced it with /usr/bin/certbot.
Do you have any idea why "/usr/bin/certbot renew" did not renew the certificate?
I had a message today on my web site (wsv.gtbox.fr, using Firefox) that said the certificate had expired. It was the same for wsv.madobox.fr.
As soon as I renewed it manually using my "/root/cert/store-renewed.sh" script, I had no more errors. I guess that's why you now see an expiry time of 60 days?
No. New Let's Encrypt certs have an expiration of 90 days. I don't (yet) see a cert that was created today in the CT log. All certs show up there but sometimes there is a delay (in rare cases maybe even 24 hours).
I think you should test your renewal like this and ensure it is working:
/usr/bin/certbot renew --dry-run
I do not see a --renew-hook option in the current docs. A --deploy-hook option is often used for action after a new cert is created.
Mathematically:
If an LE cert expired today, it would have been issued 90 days ago.
If it was issued 90 days ago, it should have been renewed after 60 days (30 days ago).
We do see a cert having been issued 30 days ago.
If the site was showing expired today, it wasn't using the cert that was issued 30 days ago.
If you ran a script that caused the web site cert to not show as expired (by serving a cert that was issued 30 days ago), you only need to ensure you include the script to restart (or reload) the web server, either:
  after any cert has been issued
  or periodically [like once a week]
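A way to confirm whether the running web server is actually presenting the certificate certbot wrote to disk (the mismatch the reply above describes), added here as an example; it is not from the original thread or from certbot. It assumes the host name and the lineage's fullchain.pem path are passed on the command line, and the sample PEMs at the bottom are constructed, not real certificates.

```python
import base64
import hashlib
import ssl
import sys


def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first certificate in a PEM string (the leaf in a fullchain.pem)."""
    lines = [line.strip() for line in pem.splitlines()]
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----") + 1
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError:
        raise ValueError("no CERTIFICATE block found in PEM input") from None
    return base64.b64decode("".join(lines[start:end]))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the format `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def deployed_matches_disk(served_pem: str, disk_pem: str) -> bool:
    """True when the served leaf cert is byte-for-byte the one on disk."""
    return sha256_fingerprint(pem_to_der(served_pem)) == sha256_fingerprint(pem_to_der(disk_pem))


def check_host(host: str, cert_path: str, port: int = 443) -> bool:
    """Fetch the live leaf cert (network call) and compare it with the file certbot renewed."""
    served_pem = ssl.get_server_certificate((host, port))
    with open(cert_path) as f:
        disk_pem = f.read()
    print("served:", sha256_fingerprint(pem_to_der(served_pem)))
    print("disk:  ", sha256_fingerprint(pem_to_der(disk_pem)))
    return deployed_matches_disk(served_pem, disk_pem)


# Constructed sample "certificates" (arbitrary bytes wrapped as PEM, not real DER) for offline use.
SAMPLE_NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: cert issued 30 days ago")
SAMPLE_OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: cert issued 90 days ago")

if __name__ == "__main__":
    # usage: python check_deployed.py <host> </path/to/live/<name>/fullchain.pem>  (assumed layout)
    ok = check_host(sys.argv[1], sys.argv[2])
    print("web server is serving the on-disk cert" if ok else "MISMATCH: reload the web server")
    sys.exit(0 if ok else 1)
```

A mismatch with a fresh cert on disk means the renewal worked but nothing reloaded the web server, which is exactly the case where a deploy hook that reloads the server fixes the problem.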