Renew says "Cert not yet due for renewal" though it is more than 30 days old


#1

When I run
/root/letsencrypt/letsencrypt-auto renew

I get the following response:

Processing /etc/letsencrypt/renewal/my-site.com.conf
------------------------------------------------------------------------------- 
Cert not yet due for renewal

The last time the certificate was renewed was on the 9th of Sept. Today is the 16th of Oct. and I still get this message when trying to renew.
Please also note that all the applications like wget, docker, chrome-browser and firefox see this cert as expired, while Let’s Encrypt still insists it is “Not yet due for renewal”.

I’ve managed to find a workaround by running:
/root/letsencrypt/letsencrypt-auto certonly -d my-site.com

After answering a few questions and INSISTING that I want to renew a cert that is not expired (I can do it 5-7 times a day), letsencrypt-auto finally managed to overwrite the outdated 9th Sept files with 16th Oct ones, but this is not the expected behavior.


#2

This is usually because letsencrypt has renewed the certificate and downloaded it to the hard disk on your server (so it is correctly saying it’s renewed), however you haven’t reloaded / restarted your webserver, so it’s still using the old cert, and hence firefox etc. correctly say it needs renewing (because the webserver is still using the old one).

The solution is usually a reload/restart of the webserver.

Without your domain name though, I can’t be certain if this is the case for you.


#3

I wish it was the case. Unfortunately, I’m fully aware of the need to restart the server. More than that, my servers are docker-registry and docker-registry-auth, which I fully recreate after running the renewal (they are stateless and the data is isolated). The issue is that letsencrypt-auto does NOT refresh the cert files, and keeps the old ones with the 9th Sept timestamp, saying they are valid. However, after running letsencrypt-auto certonly -d my-site.com I’ve managed to update the files. Then, as you say, I just recreated the docker-registry and docker-registry-auth containers and it all works now :slight_smile:

However, the “letsencrypt-auto renew” issue still remains unsolved. I guess, this happens because in most cases indeed people forget to restart the server, so the REAL bug is hidden by a similar issue.


#4

Can you provide your domain name so we can check this a bit further please.


#6

Since the certificate was renewed on the 9th Sept (as you say) - https://crt.sh/?id=31512597

Then the response of “Not yet due for renewal” would have been correct (that cert is still valid until 8th Dec, so not due for renewal until early November on a 30 day basis).

So I’m still assuming that, for some reason, your docker setup was not actually using the cert from the 9th Sept.


#7

Ahh, from your title I’ve maybe understood the misunderstanding.

Certbot / letsencrypt renews certificates when there are less than 30 days remaining in their valid life.

Your cert from 9 Sept is valid for 90 days (until the 8 Dec). certbot will try and renew when there are less than 30 days left (by default), so it would renew on the 8 Nov … not 30 days after the certificate was issued.

i.e. it will (currently) renew every 60 days (90 - 30) … not every 30 days.


#8

Not sure if this would help, letsencrypt has 2 folders:

  1. /etc/letsencrypt/live/my-site.com (with symlinks)
     and
  2. /etc/letsencrypt/archive/my-site.com (with real certs).

The symlinks in the 1st folder seem to update the timestamp, but they point to the real files in the 2nd folder, which remain with the old timestamp.


#9

It looks at the content within the file - not the timestamps.

Certs are only due for renewal after 60 days, not 30 though. So it was still valid and not due for renewal.


#10

Thank you, serverco!

I’ll keep my eyes on the issue and update you.


#11

Hi,
I received the renewal email for my certificate. But when I run certbot renew, it states that certs are not due for renewal yet.
I have 2 domain names on the same server and the certs are in /etc/letsencrypt/live/domain_name1 and /etc/letsencrypt/live/domain_name2.
The timestamp of the last domain_name1 cert is 12th Oct 2016 and the timestamp of the last domain_name2 cert is 21st Sept 2016.
Are my certs renewed?
Thanks,
Jeremy


#12

@jeremy.loo, it would be more relevant to look at the content of the certificate:

openssl x509 -in /etc/letsencrypt/live/domain_name1/cert.pem -text -noout

openssl x509 -in /etc/letsencrypt/live/domain_name2/cert.pem -text -noout

Look for the Not After time near the top; that’s the expiration time of the cert that you’re currently using.


#13

Thank you… Expiry date for domain_name1 is 20th Jan 2017 & domain_name2 is 20th Dec 2016.
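
Added example, not part of the thread and not certbot's own code: a shell check that applies the rule from replies #7, #9 and #12, reading the certificate's Not After field with `openssl x509 -checkend` instead of trusting file timestamps. The function names `cert_status` and `make_sample_cert`, the `my-site.example` subject and the self-signed sample certificates are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decide "due for renewal" from the certificate content,
# never from the mtime of the files under live/ or archive/.

RENEW_WINDOW_DAYS=30   # default renewal window mentioned in the thread

# cert_status PEM_FILE [WINDOW_DAYS]
# Prints one word and returns a matching status:
#   not-due (0)  more than WINDOW_DAYS of validity remain
#   due     (1)  still valid, but inside the renewal window
#   expired (2)  Not After is already in the past
#   unreadable (3)  the file is not a parseable certificate
cert_status() {
    pem=$1
    window=${2:-$RENEW_WINDOW_DAYS}
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "unreadable"; return 3
    fi
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "expired"; return 2
    fi
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((window * 86400)) >/dev/null; then
        echo "due"; return 1
    fi
    echo "not-due"; return 0
}

# make_sample_cert OUT_PEM DAYS
# Builds a constructed self-signed certificate valid for DAYS days, so the
# check can be tried offline without touching /etc/letsencrypt.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=my-site.example" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# Usage: sh cert_status.sh /etc/letsencrypt/live/<name>/cert.pem ...
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: ' "$f"
        cert_status "$f"
    done
fi
```

Running `touch` on a certificate file changes its timestamp but not the result, which is the point made in reply #9.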

