Question about renewal cronjob

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.burr.cc

I ran this command: N/A

It produced this output: N/A

My web server is (include version): httpd-2.2.15-69.el6.centos.x86_64

The operating system my web server runs on is (include version): centos-release-6-10.el6.centos.12.3.x86_64

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.37.1

QUESTIONS:
Following the instructions at
https://certbot.eff.org/lets-encrypt/centos6-apache
I obtained and installed a certificate. It appears to be working. I no longer have my old self-signed certificate and now have one apparently signed by “AVG Web/Mail Shield Root” ?? (I really hope that is correct. If not, I have NO idea where that came from! But it appears to be good for the expected 90 days.)

Anyway, the next step is to install a cronjob:
0 0,12 * * * root python -c ‘import random; import time; time.sleep(random.random() * 3600)’ && /usr/local/bin/certbot-auto renew

This cronjob runs twice a day, at midnight and noon, every day. It waits a random time up to an hour and performs a renewal.

Why, if the certificates last 90 days, do I need to renew it twice a day?

Do I need to add code to also restart apache after each renewal so it loads in the new certificate?

Ok, nevermind. I finally found the documentation on this.

Renewing Certificates

while I was looking for something completely different, of course. :slight_smile:

2 Likes

Hi @egburr,

Welcome to the community forum!

I too can see the proper cert being served now via

$ echo | openssl s_client -connect www.burr.cc:443 -servername www.burr.cc 2>/dev/null | openssl x509 -noout -issuer -startdate -enddate
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
notBefore=Aug 13 05:56:16 2019 GMT
notAfter=Nov 11 05:56:16 2019 GM

I like to use apachectl -S for debugging apache vhosts.

Best of luck out there!

2 Likes

That's definitely not from Let's Encrypt. Assuming the name is accurate, it's coming from your Avast or AVG antivirus software.

Since HTTPS prevents anything -- including other software on your computer -- from examining your traffic, to "protect" you, some antivirus software will proxy all of the HTTPS traffic, decrypt it, do whatever, then encrypt it again using a "fake" certificate issued by a custom root installed by the antivirus software on your computer.

In some implementations, the fake certificate will copy the validity dates and other metadata from the real certificate.

If you're knowingly running some kind of Avast or AVG antivirus or firewall or security software, and have a feature named "Online Shield" or something turned on, it's to be expected, but it does make it more difficult to see what certificates websites are really using.

4 Likes

Ok, that’s interesting. I am running AVG Free on my PC, but only for the antivirus. I have the “web protect” part specifically turned off. I’ve never inspected other site’s certificates, but now I see all sites are showing up as that. Okay, fixed that, and now I see my proper cert issued by “Let’s Encrypt Authority X3”. Thanks!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.