Received renewal email, certbot renew says none to renew

gossamer · April 14, 2017, 2:00pm

Please fill out the fields below so we can help you better.

My domain is: www.segtravel.com

I ran this command: certbot renew

It produced this output:
Cert not yet due for renewal

My operating system is (include version):
fedora 25

My web server is (include version):
cert created with certonly

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I used the follow command to create the cert:
certbot -d www.segtravel.com --manual --preferred-challenges dns certonly

How can I use certbot to renew a domain with this configuration? How can I use certbot to print out on the command-line the cert expiration times for all the certs I have created?

ahaw021 · April 14, 2017, 2:49pm

Hi @gossamer

https://certbot.eff.org/docs/using.html

Managing certificates

To view a list of the certificates Certbot knows about, run the certificates subcommand:

certbot certificates

This returns information in the following format:

Found the following certs:
Certificate Name: example.com
Domains: example.com, www.example.com
Expiry Date: 2017-02-19 19:53:00+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Andrei

ahaw021 · April 14, 2017, 2:51pm

I can see that you have a certificate issued for https://crt.sh/?id=109698956

By default certbot won’t renew certificates until they are close to expiry

You can review the renewal configuration from etc/letsencrypt/renewal folder

Andrei

gossamer · April 14, 2017, 3:51pm

I already received an email informing me it’s due for renewal. If it expires in nine days, when will I be able to renew it?

Is it possible to extend the time valid to more than 50 or 60 days? Or is this something I should expect to do every few months? With more than ten certs, this could become time-intensive.

jmorahan · April 14, 2017, 4:50pm

Let's Encrypt checks whether your certificate has already been renewed, by checking if you've got a new certificate for the exact same set of domains. According to crt.sh, your old certificate covered both segtravel.com and www.segtravel.com, while your new one covers www.segtravel.com only. (The covered domains for each certificate are listed under "X509v3 Subject Alternative Name"). This isn't considered to be a "renewal" as it's a certificate for a different set of domains, which is why the email was sent.

If you only wanted a certificate for www.segtravel.com you can safely ignore the email. If you wanted a renewed certificate for both domains, you can obtain one by running the certbot command again, but this time specifying the full list of domains you want covered, e.g.:

certbot -d www.segtravel.com -d segtravel.com --manual --preferred-challenges dns certonly

Let's Encrypt certificate are actually valid for 90 days, but can't be extended any longer than that. To avoid spending time on renewals, you could maybe try a different validation method (e.g. webroot), or perhaps a different client (e.g. acme.sh), so that you can more easily automate the renewal process.

gossamer · April 14, 2017, 7:30pm

Thanks so much for spending the time to put this together. I’ll recreate the cert instead for both domains.

system · May 14, 2017, 7:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.