Renewing SSL Certificates

Hi,

My domains are:
api.ease-prod.sendgrid.tech
api.ease-staging.sendgrid.tech

They will expire on August 14 and August 17. How do I renew their certificates?

My web server is (include version): N/A. I use custom app

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): another customer app.

Hi @michaelmn, and welcome to the LE community forum :slight_smile:

It seems that the renewals would be tied to the "custom" ACME client.
Is there any documentation or support for it?
If neither, then who obtained the current certs [and how]?

2 Likes

I don't have documentation on the "custom" ACME client. Why does renewing the cert depend on the client? I'd expect it would depend on Let's Encrypt since they generated the certs in the first place.

issuer.yaml for my app is below. Does this mean the ACME client is https://acme-v02.api.letsencrypt.org/directory?

spec:
  acme:
    email: ...
    privateKeySecretRef:
      name: ease-issuer
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - selector:
        dnsZones:
        - {{...}}
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: {{ ... }}
          accessKeyID: {{ ... }}
          secretAccessKeySecretRef:
            name: ...
            key: ...

The team member who obtained the current certs is no longer on the team, so I do not know how they did it.

Because it's the client software that obtains the cert--and "renewing" a cert is simply issuing a new one. Ordinarily, client software is set up in such a way that it automatically renews the cert when it's due (usually about 30 days before it expires).

5 Likes

Could you be using the acme client cert-manager for Kubernetes? I guessed that because your DNS has records with k8s in them but also cert-manager uses yaml which looks like your sample. See here for its acme config docs

3 Likes

Yes, I am using the acme client cert-manager for Kubernetes. I scanned through its acme config docs at

https://cert-manager.io/docs/configuration/acme/#dns-zones

and I did not see a section on renewing a cert. Did I miss it? Or is it in a different doc?

Michael,

My understanding is that once cert-manager is set up it manages renewals automatically. So, perhaps something has gone wrong with that config.

You might try the section on using cmctl commands

Or,

Troubleshooting cert-manager

cert-manager github

3 Likes

Hi Mike,

My follow-up questions are

  1. With the expiration date coming up on August 14, how do I find out ahead of time that the cert-manager in Kubernetes has already renewed the cert?

  2. Let's Encrypt sent me the email below about renewing the cert. Does that mean Let's Encrypt detected that the cert-manager in Kubernetes did not automatically renew the cert for some reason?

Thanks.

Michael,

A1. Renewals are normally scheduled 30 days in advance (of expiry date).
So... that would have been done on July 15th.
You can check what has been issued at:

A2. Not exactly.
It means that exact same set of name(s) on that cert hasn't been renewed.
It's sometimes possible that multiple certs have been issued that cover different (overlapping) sets of names. Only you can know for sure which certs are in use and which need to be renewed.
The notice is just that - a notice of a possible problem.

5 Likes

Maybe try the status displays described here:

3 Likes

I renewed my AWS access keys. Would the steps to renew the certs in the doc below work with Let's Encrypt?

In the documentation at

There is a solution of deleting the secret first and then the certificate. When cert-manager created the certificate again, it issued a new one.

However, as mentioned in that doc, its problem is you will be a few seconds without a valid certificate. And we need to avoid that in production.

Since I have re-activated the AWS keys that were used with the existing certs, what is the solution to renew them without downtime?

For instance, where do I specify "renewBefore" to trigger cert-manager to automatically renew the cert before the expiration date?

Also, when I run
kubectl get certs

it shows the secret age of my domain is 1 year, as shown below. Is that different from its expiration date of August 14? How do I check the expiration date of my cert to see if it was renewed?

NAME READY SECRET AGE
api.ease-staging.sendgrid.tech True api.ease-staging.sendgrid.tech 1y

Thanks.

Michael,

1 Like

Those all sound like great questions for cert-manager and Kubernetes experts.

I think you'll be better served asking on their GitHub or Slack.

3 Likes

According to crt.sh | api.ease-staging.sendgrid.tech your certificate renewed multiple times yesterday so I guess you have found out how to force renewal.

To check a certificate expiry date, the easiest method is to browse to the site using your normal web browser and click the padlock icon to see the certificate info (including expiry date). There are many other methods.

3 Likes
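One of the "many other methods" of checking expiry, written up here as an added example that is not from this thread or from the cert-manager project: a small POSIX shell script that reads the expiry date out of a certificate with openssl, reports how many days remain, and applies the same 30-day "should renewal have happened yet?" test that cert-manager's default schedule implies. It also answers the earlier question about reading cert-manager's own view of the expiry: the Certificate resource's `.status.notAfter` and `.status.renewalTime` fields (assumes `kubectl` access to the cluster; the `cm_cert_status` and `host_cert_days_left` functions need a cluster or network and so are not run by default). The sample certificate is a constructed self-signed one standing in for the one served by api.ease-staging.sendgrid.tech; `cert_days_left` assumes GNU `date -d`, while `cert_valid_for_days` uses only openssl's `-checkend`.

```shell
#!/bin/sh
# Added example: check remaining certificate lifetime, the way a cert-manager
# user would verify that an automatic renewal has actually happened.
# Assumes: openssl on PATH; GNU date for cert_days_left; kubectl for cm_cert_status.

# Whole days until the certificate in a PEM file expires (rounded down).
cert_days_left() {
    pem="$1"
    not_after=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$not_after" +%s)   # GNU date parses "Aug 14 12:00:00 2024 GMT"
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Exit 0 if the certificate is still valid DAYS days from now, 1 if it expires
# inside that window. openssl's -checkend does the date arithmetic itself.
cert_valid_for_days() {
    pem="$1"; days="$2"
    openssl x509 -in "$pem" -noout -checkend $(( days * 86400 )) >/dev/null
}

# Same check against a live endpoint: fetch the served leaf certificate with
# s_client (SNI set to the host name) and hand it to cert_days_left.
# Needs network access, so it is not called below.
host_cert_days_left() {
    host="$1"; port="${2:-443}"
    tmp=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    cert_days_left "$tmp"
    rm -f "$tmp"
}

# cert-manager's own view: the Certificate status records the expiry it tracks
# and the time at which it intends to renew (needs cluster access; not called below).
cm_cert_status() {
    kubectl get certificate "$1" \
        -o jsonpath='notAfter={.status.notAfter}{"\n"}renewalTime={.status.renewalTime}{"\n"}'
}

# Constructed sample: a throw-away self-signed certificate valid for 40 days.
make_sample_cert() {
    out="$1"
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$out" \
        -days 40 -subj "/CN=api.ease-staging.example" >/dev/null 2>&1
    rm -f "$key"
}

SAMPLE=$(mktemp)
make_sample_cert "$SAMPLE"
echo "days left: $(cert_days_left "$SAMPLE")"
if cert_valid_for_days "$SAMPLE" 30; then
    echo "still valid 30 days out: renewal is not due yet"
else
    echo "expires within 30 days: cert-manager should already have renewed this"
fi
rm -f "$SAMPLE"
```

The 30-day window in the script is only the default; in cert-manager it is the `renewBefore` field of the Certificate resource's `spec` (next to `duration`), which is where the earlier question about "renewBefore" is answered. A certificate whose `cert_days_left` is below that value and whose `.status.notAfter` has not moved forward is the case to investigate, while a cert that shows 60 or more days left has simply been renewed, as the crt.sh listing in the previous reply confirms for this domain.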