Renewal renews on every run

I thought a certificate only gets renewed when it is close to its expiry date.
How come I get a new certificate every 4 days?
Is this caused by the manual authenticator (DNS-hook, needed for wildcard certs)?
I am somehow puzzled now.

Renewal is managed by your ACME client. Without telling us more about your setup (which ACME client, which configuration, command lines, logs...) there's nothing we can say.

7 Likes

Probably your "renewal" command is actually forcing the renewals.
You can check certificate issuances at:
https://crt.sh/

There you will likely either see:

  • that five certs are being issued on that same day and that cycle is repeating weekly
    if so, this would indicate two things:
    a. your renewal is incorrectly using "the force" [renewing the cert way too early]
    b. your renewal schedule is too often - should only try twice a day

  • certs are actually being issued once per day but every four days your server reloads/restarts
    if so, this would indicate two things:
    a. your renewal is incorrectly using "the force" [renewing the cert way too early]
    b. your renewal schedule is not often enough - it should try twice a day

4 Likes

just have a look here:
https://crt.sh/?q=feten-nanny.de

My renew command looks like this (/etc/cron.d/certbot):

00 00 */4 * *   root /usr/bin/certbot renew -n && /usr/bin/systemctl restart apache2.service

My renewal config looks like that:

# renew_before_expiry = 30 days
version = 1.23.0
archive_dir = /etc/letsencrypt/archive/feten-nanny.de
cert = /etc/letsencrypt/live/feten-nanny.de/cert.pem
privkey = /etc/letsencrypt/live/feten-nanny.de/privkey.pem
chain = /etc/letsencrypt/live/feten-nanny.de/chain.pem
fullchain = /etc/letsencrypt/live/feten-nanny.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxx
rsa_key_size = 4096
key_type = ecdsa
elliptic_curve = secp384r1
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
manual_auth_hook = /root/bin/certbot-AutoDNS-hook -a add
manual_cleanup_hook = /root/bin/certbot-AutoDNS-hook -a rem

So maybe it has something to do with my AutoDNS-hook script ... but this is actually only adding/removing that `_acme-challenge` TXT record in DNS for verification.

Creation is done like that:

### for creating a wildcard certificate
certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges=dns\
  --manual-auth-hook '/root/bin/certbot-AutoDNS-hook -a add'\
  --manual-cleanup-hook '/root/bin/certbot-AutoDNS-hook -a rem'\
  -d feten-nanny.de -d '*.feten-nanny.de'

So now I am still lost.
Hopefully you have now a bit more info.
Thank you for any idea.
Chris

Are your certificates in persistent storage? People who use VMs or containers sometimes don't do that. They are then wiped out when the containers are restarted, so a fresh cert is acquired (often). Or, if the server is often rebuilt fresh.

Your cert history looks like that pattern. You get a fresh cert every day until you hit the 5/week limit.

4 Likes

There are no certs wiped. All old files are still there.
It is not every day. It is every 4 days (as defined in the cron job).

-rw-------  1 root root  306  1. Nov 00:07 privkey39.pem
-rw-r--r--  1 root root 5303  1. Nov 00:07 fullchain39.pem
-rw-r--r--  1 root root 3749  1. Nov 00:07 chain39.pem
-rw-r--r--  1 root root 1554  1. Nov 00:07 cert39.pem
-rw-------  1 root root  306  9. Nov 00:02 privkey40.pem
-rw-r--r--  1 root root 5303  9. Nov 00:02 fullchain40.pem
-rw-r--r--  1 root root 3749  9. Nov 00:02 chain40.pem
-rw-r--r--  1 root root 1554  9. Nov 00:02 cert40.pem
-rw-------  1 root root  306 13. Nov 00:03 privkey41.pem
-rw-r--r--  1 root root 3375 13. Nov 00:03 fullchain41.pem
-rw-r--r--  1 root root 1826 13. Nov 00:03 chain41.pem
-rw-r--r--  1 root root 1549 13. Nov 00:03 cert41.pem
-rw-------  1 root root  306 17. Nov 00:02 privkey42.pem
-rw-r--r--  1 root root 5298 17. Nov 00:02 fullchain42.pem
-rw-r--r--  1 root root 3749 17. Nov 00:02 chain42.pem
-rw-r--r--  1 root root 1549 17. Nov 00:02 cert42.pem
-rw-------  1 root root  306 21. Nov 00:06 privkey43.pem
-rw-r--r--  1 root root 5303 21. Nov 00:06 fullchain43.pem
-rw-r--r--  1 root root 3749 21. Nov 00:06 chain43.pem
-rw-r--r--  1 root root 1554 21. Nov 00:06 cert43.pem
-rw-------  1 root root  306 25. Nov 00:03 privkey44.pem
-rw-r--r--  1 root root 5298 25. Nov 00:03 fullchain44.pem
-rw-r--r--  1 root root 3749 25. Nov 00:03 chain44.pem
-rw-r--r--  1 root root 1549 25. Nov 00:03 cert44.pem
-rw-------  1 root root  306 29. Nov 00:03 privkey45.pem
-rw-r--r--  1 root root 5303 29. Nov 00:03 fullchain45.pem
-rw-r--r--  1 root root 3749 29. Nov 00:03 chain45.pem
-rw-r--r--  1 root root 1554 29. Nov 00:03 cert45.pem

cert39 Info:

openssl x509 -noout -text -in cert39.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:b5:e6:f0:a8:85:47:b8:f2:7d:4b:96:7a:f5:14:9f:b0:7f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Oct 31 23:08:05 2023 GMT
            Not After : Jan 29 23:08:04 2024 GMT
        Subject: CN = feten-nanny.de
...

I still don't see where the force renewal comes from ...

What's inside /etc/letsencrypt/cli.ini?

5 Likes

#####################################################################
# Ansible managed
#####################################################################
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Certbot with
# "--help" to learn more about the available options.
#
# Note that these options apply automatically to all use of Certbot for
# obtaining or renewing certificates, so options specific to a single
# certificate on a system with several certificates should not be placed
# here.

# Use ECC for the private key
key-type = ecdsa
elliptic-curve = secp384r1

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# For testing certbot you should make use of the 'staging/testing server'
# If everything is in order you must change back to production server.
#
# The staging/testing server
#server = https://acme-staging-v02.api.letsencrypt.org/directory

# The production server.
server = https://acme-v02.api.letsencrypt.org/directory

# Uncomment and update respectively to register with the specified e-mail address
email = root

# Uncomment and update respectively to generate certificates for the specified
# domains.
# domains = www.example.com, example.com

# Uncomment to use a text interface instead of ncurses
# text = True

# Uncomment to use the standalone authenticator on port 443
# If you want to use port 53, you must use preferred-challenges = dns
# If you want to use port 80, you must use preferred-challenges = http
# If you want to use port 443, you must use preferred-challenges = tls-alpn-01
# authenticator = standalone
# standalone-supported-challenges = http
#
# For requesting a non-wildcard cert use http, for a wildcard cert use dns
# preferred-challenges = http,dns

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
# webroot-path = /srv/www/htdocs

# Uncomment to automatically agree to the terms of service of the ACME server
agree-tos = true
# agree-eula = True
renew-by-default = True

# An example of using an alternate ACME server that uses EAB credentials
# server = https://acme.sectigo.com/v2/InCommonRSAOV
# eab-kid = somestringofstuffwithoutquotes
# eab-hmac-key = yaddayaddahexhexnotquoted

1 Like

That's your issue. Remove that line and the force renewals will stop.

7 Likes

OK, will do so.
Thank you :slight_smile:

Would these be better options then?

keep-until-expiring = True
expand = True

Certbot's defaults are fine for the vast majority of use cases :slight_smile:. The recommendation is to set no options that you don't require (so neither of the above) and run the cronjob twice a day (and not once every 4 days).

7 Likes

It's probably best to keep cli.ini as empty as possible. See User Guide — Certbot 2.6.0 documentation to check whether an option is actually already set by default. If so, it doesn't make sense to add it to cli.ini.

And using renew-by-default (also known as --force-renewal) is almost never a good idea.

4 Likes
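To make the diagnosis above concrete, here is an added example (not code from the thread, from certbot, or from the poster) that models certbot's renewal decision: with `renew-by-default = True` in cli.ini every `certbot renew` run reissues, while with the default only runs inside the last 30 days before "Not After" do. The cli.ini fragments, the cron schedule `00 00 */4 * *` and the "Not After" line from the posted cert39 output are constructed from what the thread shows; `renewal_due` and `cron_runs` are hypothetical helpers, not certbot's own code.

```python
"""Added example: why the posted setup renewed on every cron run."""
import configparser
import re
from datetime import datetime, timedelta, timezone

# cli.ini keys that make `certbot renew` skip the "close to expiry" check
FORCE_RENEW_KEYS = {"renew-by-default", "force-renewal"}

# Constructed cli.ini fragments modelled on the one posted in the thread.
CLI_INI_POSTED = "key-type = ecdsa\nrenew-by-default = True\n"
CLI_INI_CLEAN = "key-type = ecdsa\n"

# The "Not After" line from the posted `openssl x509 -noout -text` output of cert39.
OPENSSL_TEXT = "            Not After : Jan 29 23:08:04 2024 GMT\n"


def force_renew_options(cli_ini_text):
    """Return the cli.ini options that force a renewal on every run."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[cli]\n" + cli_ini_text)  # cli.ini itself has no section header
    return [k for k, v in cp.items("cli")
            if k in FORCE_RENEW_KEYS and v.strip().lower() in ("true", "1", "yes")]


def not_after_from_openssl(text):
    """Parse the 'Not After' timestamp out of openssl's text dump (UTC)."""
    m = re.search(r"Not After\s*:\s*(.+GMT)", text)
    stamp = " ".join(m.group(1).split())  # collapse openssl's day padding ("Jan  9")
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def renewal_due(run_at, not_after, cli_ini_text, renew_before=timedelta(days=30)):
    """Default behaviour: renew only within the last renew_before days, unless forced."""
    if force_renew_options(cli_ini_text):
        return True
    return run_at >= not_after - renew_before


def cron_runs(cli_ini_text, not_after, year, month):
    """Outcome of each `00 00 */4 * *` run (day-of-month 1, 5, 9, ...) in one month."""
    out = {}
    for day in range(1, 32, 4):
        try:
            run_at = datetime(year, month, day, tzinfo=timezone.utc)
        except ValueError:  # day past the end of this month
            break
        out[run_at.date().isoformat()] = renewal_due(run_at, not_after, cli_ini_text)
    return out


if __name__ == "__main__":
    expiry = not_after_from_openssl(OPENSSL_TEXT)
    for name, ini in (("posted", CLI_INI_POSTED), ("cleaned", CLI_INI_CLEAN)):
        print(name, cron_runs(ini, expiry, 2023, 11))
```

With the posted cli.ini all eight November runs renew; with the cleaned one none do, and the first run that would renew is 1 January 2024, inside the 30-day window before 29 January.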

Yes, I agree. This probably came with a package update.
From crt.sh you can see when that mess started ... in Feb 2023.

cli.ini is cleaned up now.
Thanks for your great support :slight_smile:

3 Likes

A rose by any other name ...

3 Likes
