SSL Cert seem Auto Update how?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
in.b.shield.monitoringservice.co
ran this command:
No command was run. Last time it was renewed on 20 April; now it shows us a 17 June issue date. We did not do anything, so how is it possible that it updated?
It produced this output:

My web server is (include version):
HAproxy
The operating system my web server runs on is (include version):
ubuntu 16.4 LTS
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Certbot 0.26.1

We got this: SSL/2: SSL handshake failure

Hi @Anwaar

checking your domain there are four certificates (https://check-your-website.server-daten.de/?q=in.b.shield.monitoringservice.co#ct-logs):

| Issuer | not before | not after | Domain names |
|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-06-17 | 2019-09-15 | in.b.shield.monitoringservice.co (1 entry) |
| Let's Encrypt Authority X3 | 2019-04-18 | 2019-07-17 | in.b.shield.monitoringservice.co (1 entry) |
| Let's Encrypt Authority X3 | 2019-01-21 | 2019-04-21 | in.b.shield.monitoringservice.co (1 entry) |
| Let's Encrypt Authority X3 | 2018-10-24 | 2019-01-22 | in.b.shield.monitoringservice.co (1 entry) |

And you use the last:

CN=in.b.shield.monitoringservice.co | 17.06.2019 | 15.09.2019 | expires in 54 days | in.b.shield.monitoringservice.co - 1 entry

Looks good, a working configuration with a working renew. :+1:

https://in.b.shield.monitoringservice.co/ has a http status 404 - but the url looks like a special url, not a website. So this isn't a problem.

SSL2 is deprecated. Where do you see that error? Perhaps ignore it.

I can understand the 2019-04-18 to 2019-07-17 start and end time:
Let's Encrypt Authority X3 | 2019-04-18 | 2019-07-17 | in.b.shield.monitoringservice.co

How did this happen? We did not do anything on 17-06-2019. How can this cert be updated if we still have
2109-04-18 to 2019-07-17?
CN=in.b.shield.monitoringservice.co
17.06.2019
15.09.2019

Where did we make a mistake?

Every correct Letsencrypt-client installation should have an automatic check + cron job. So the certificate is renewed.

And your website - https://in.b.shield.monitoringservice.co/ has the new certificate.

No cron jobs, no commands; we checked everything, including logs.

You have a working certificate, it’s renewed. So there is no problem :heart_eyes::+1:

Yes, it is working. The strange thing is, if we still have time before it expires, how is it possible that it was renewed or updated? Anyway, thanks for the quick reply, much appreciated.

If you can, please give me a few points on what the possibilities are for this kind of cert update, or where I need to check why this was updated?

It could be a systemd timer rather than a cron job, since newer OS packages use this method instead.

@schoen I can see this entry:
Wed 2019-07-24 06:51:25 UTC 14h left Tue 2019-07-23 15:01:35 UTC 1h 1min ago certbot.timer certbot.service

What does this suggest?

It is running autorenewal checks from systemd based on the Certbot package setting this up.

This is intended behavior because most people’s experience with Certbot will be much better if it automatically renews certificates for them. Your system was set up to do this automatically when you first installed Certbot, using the systemd timer mechanism instead of cron.

@schoen
Thanks for taking the time to sort out my issue. I have a few questions:
1- Can we renew the cert at any time?
2- If we have 25 days left, can we renew the cert?
3- Do we need to enable this certbot.timer / certbot.service, as we don't renew certs automatically?

You can renew the certificate at any time. It doesn’t matter how close it is to being expired or not. The only restriction is that you can’t renew the certificate more than five times in a single week.

Certbot will only renew certificates with `certbot renew` if they are less than 30 days from expiry. However, you can override this behavior by running with `certbot renew --force-renew`.

If you don’t want Certbot to autorenew certificates at all, you can set `autorenew = False` in the renewal configurations in `/etc/letsencrypt/renewal`, or request the certificates with the `--no-autorenew` option, or disable the systemd timer. (My recollection is that the first two options will cause `certbot renew` to ignore the certificate completely, which means you would also not be able to renew the certificates in question with `certbot renew`.)

Fantastic, so nice of you.

Guys, I need a few points to avoid auto or regenerated certs:

1- If certs are renewed before time (mistakenly or due to system auto options), I need an email.
2- Can I bind cert generation to my approval or authentication, so nobody can renew the cert without my permission (any key, pass, etc.)?
3- Can we get mail if the cert is going to expire in 30 days?

Kind of an odd requirement. You can use a service like CertSpotter to receive alerts when anybody issues a certificate for one of your domains: Cert Spotter - Certificate Transparency Monitor - Detect Security and Availability Problems

Well, look at it this way. In order for somebody to issue certificates without your authorization, practically speaking, they have to hack into your server or DNS host so they can perform the Let's Encrypt validation process.

The more locked-down your hosting and domain registration is, the better protected you are against unauthorized certificate issuance.

If you nominated an email address when Certbot prompted you for one, then yes, you will receive multiple warning emails as your certificate approaches expiration.

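The 30-day rule and the CT-log monitoring idea discussed above can be combined into a simple check, shown here as an added example that is not part of the original thread or of Certbot. It takes the not-before/not-after dates from the CT-log table in the thread and labels each issuance by whether it fell inside the previous certificate's 30-day renewal window; the function and constant names are hypothetical, and dates are compared at day granularity.

```python
from datetime import date, timedelta

# Per the thread: `certbot renew` only acts once a certificate is less than
# 30 days from expiry.
RENEW_WINDOW = timedelta(days=30)

# (not_before, not_after) pairs copied from the CT-log table in the thread.
CT_ENTRIES = [
    (date(2019, 6, 17), date(2019, 9, 15)),
    (date(2019, 4, 18), date(2019, 7, 17)),
    (date(2019, 1, 21), date(2019, 4, 21)),
    (date(2018, 10, 24), date(2019, 1, 22)),
]

def classify_issuances(entries, window=RENEW_WINDOW):
    """Label each issuance relative to the certificate issued before it.

    "first"     - no earlier certificate in the list
    "scheduled" - issued inside the predecessor's renewal window
    "early"     - issued before the window opened (forced, manual or
                  unexpected issuance; worth an alert)
    "lapsed"    - issued after the predecessor had already expired
    """
    prev_expiry = None
    results = []
    for not_before, not_after in sorted(entries):
        if prev_expiry is None:
            label = "first"
        elif not_before > prev_expiry:
            label = "lapsed"
        elif not_before >= prev_expiry - window:
            label = "scheduled"
        else:
            label = "early"
        results.append((not_before, label))
        prev_expiry = not_after
    return results

if __name__ == "__main__":
    for issued, label in classify_issuances(CT_ENTRIES):
        print(issued.isoformat(), label)
```

With the thread's data, the 2019-06-17 issuance is labelled "scheduled": it is exactly 30 days before the 2019-07-17 expiry of the previous certificate, which matches an automatic renewal by the timer.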

...but not one specifically at 30 days--I think the first one comes 20 days before expiration.

Thanks _AZ for the information and points.
