Renew_before_expiry variable

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: umich.edu

I ran this command:

It produced this output:

My web server is (include version): I installed certbot for certs on mysql database

The operating system my web server runs on is (include version): redhat 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.0.0

Hello All,

I did not set the renew_before_expiry = 30 days in the renewal conf file; it was commented out. I guessed the default renewal should have been 30 days before the cert expires. However, all the certs which are expiring this August 2025 were already renewed by certbot this April, which is almost 3-4 months in advance. I do not remember setting any renewal period during the cert install. May I know the exact reason this happened, and can I just change the renew_before_expiry to 30 days without any server reboot or restart of anything?

Thank you

There was a change in Certbot v4.0 which changed the default renewal period.

See: certbot/certbot/CHANGELOG.md at main · certbot/certbot · GitHub

Certificates now renew with 1/3rd of lifetime left (or 1/2 of lifetime left, if the lifetime is shorter than 10 days). This is a change from a hardcoded renewal at 30 days before expiration. The config field renew_before_expiry still overrides this default.

Those wouldn't have been Let's Encrypt certs - were they? Because LE certs expire after 90 days and only recent ones would expire in Aug.

Were those certs from some other CA that lasted 1 year? Because 4 months advance renewal seems right for that based on Certbot's new default.

You should be able to change the Certbot renewal setting as described in the release notes.

3 Likes
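The default quoted from the changelog above, worked through as an added example (not part of the thread and not Certbot's own code). The conf text, hostname and certificate dates are constructed, and the parser is a simplified assumption that only understands values written as "N days".

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample renewal conf: the override is commented out, as in the question.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 4.0.0
cert = /etc/letsencrypt/live/db.example.org/cert.pem
[renewalparams]
authenticator = standalone
"""

def override_from_conf(text):
    """Return the active renew_before_expiry as a timedelta, or None if unset."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # a commented-out setting has no effect
        m = re.fullmatch(r"renew_before_expiry\s*=\s*(\d+)\s*days?", line)
        if m:
            return timedelta(days=int(m.group(1)))
    return None

def renewal_time(not_before, not_after, override=None):
    """Earliest time the certificate becomes due for renewal.

    With an override: not_after minus the override.
    Without one (changelog default): 1/3 of the lifetime left,
    or 1/2 if the lifetime is shorter than 10 days.
    """
    if override is not None:
        return not_after - override
    lifetime = not_after - not_before
    divisor = 2 if lifetime < timedelta(days=10) else 3
    return not_after - lifetime / divisor

if __name__ == "__main__":
    # Constructed one-year certificate expiring in August 2025.
    nb = datetime(2024, 8, 15, tzinfo=timezone.utc)
    na = datetime(2025, 8, 15, tzinfo=timezone.utc)
    active = override_from_conf(SAMPLE_CONF)
    print("override in conf:", active)
    print("due with sample conf:", renewal_time(nb, na, active))
    print("due with 30-day override:", renewal_time(nb, na, timedelta(days=30)))
```

For a one-year certificate the default works out to roughly four months before expiry, which matches the April renewals described in the question.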

Thank you Mike, yes, it's from a different CA (InCommon). I was only wondering if this 4 months early renewal is something in the certbot config that I should look into.

Thank you

2 Likes