We have an automated task that runs every few weeks to make sure that certificates are up to date; if they are not, we use ACME-PS (PowerShell Gallery | ACME-PS 1.5.2) to update them.
Recently the certificates have only been renewing for 7 days.
I have tried running the script from other Windows VMs and am getting the same issue: the response that is coming back is only for 7 days.
<# -- Script -- #>
Import-Module 'ACME-PS';
$acmeServiceName = "LetsEncrypt-Staging";
# Your email addresses, where ACME services will send information.
$contactMailAddresses = @($email);
# This directory is used to store your account key and service directory urls as well as orders and related data
$acmeStateDir = "C:\Temp\AcmeState";
# Create the state object - will be saved to disk
New-ACMEState -Path $acmeStateDir;
# Load URLs from service directory
Get-ACMEServiceDirectory -State $acmeStateDir -ServiceName $acmeServiceName;
# Retrieve the first anti-replay nonce
New-ACMENonce -State $acmeStateDir;
# Create an account key and store it to the state
New-ACMEAccountKey -State $acmeStateDir;
# Register account key with acme service
New-ACMEAccount -State $acmeStateDir -EmailAddresses $contactMailAddresses -AcceptTOS;
# These DNS names will be used as identifiers
$dnsIdentifiers = New-ACMEIdentifier $domain;
# Create a new order
$order = New-ACMEOrder -State $acmeStateDir -Identifiers $dnsIdentifiers;
For the same domain name I have tried setting up a Linux server with nginx and issued a certificate for that (not using ACME-PS), and it issues it for the full 90 days.
I don't quite understand. What do you mean 'is only for 7 days'? The validity of the certificate?
Also, please fill out the questionnaire which should have been presented to you when you opened this thread in the #help section:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
This is not possible with Let's Encrypt, but without your domain name (which you've now been asked twice to provide, but haven't) it isn't possible to track down what's going on.
And when you request that same cert tomorrow it will expire in 6 days.
You are not even showing the good from date - only the expiration [which seems to be unchanging].
So, renewing the cert is not the problem.
You need to check on why the service is not using the renewed cert.
The above is the first time I have requested a certificate for that domain.
Based on the others I have tried it with, if I was to request it again tomorrow it would expire again in another 7 days.
The service is using the new cert, but my question is why is it only 7 days and not the normal 90?
Could be some self signed cert is currently in situ and there actually is a problem with issuance. But the order linked above is still pending, so perhaps some issue with the ACME client.
That said, we're severely lacking in proper information here. The script in OP seems to be truncated.
Seems that the script is just saying that it's got 7 days; maybe this is for it to be authorized? Either way, the certificate itself seems to be fine once it's finalized.
Without seeing the actual output of the script without any human interpretation, we just have to take your word for it.
My advice for any next time is to provide AS MUCH detail as possible, preferably copy/pasted from outputs, including any log file, also with as much detail as possible, instead of as little as in this thread, which also seems to be tainted by human interpretation.
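An added example, not part of any post in this thread and not ACME-PS's own code: an ACME order object (RFC 8555) carries its own `expires` timestamp, the deadline for completing the order, which is separate from the issued certificate's notBefore/notAfter dates, so the two should be read side by side. The function name `Compare-OrderAndCertLifetime`, the sample order JSON and the self-signed stand-in certificate are all constructed for illustration; the script assumes PowerShell 7 or Windows PowerShell on .NET Framework 4.7.2 or later.

```powershell
# Hypothetical helper (not an ACME-PS cmdlet): report the order deadline and
# the certificate validity window side by side.
function Compare-OrderAndCertLifetime {
    param(
        [Parameter(Mandatory)] [string] $OrderJson,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $order = $OrderJson | ConvertFrom-Json
    # PowerShell 7 converts ISO 8601 strings to [datetime]; 5.1 leaves strings.
    $expires = $order.expires
    if ($expires -isnot [datetime]) {
        $expires = [datetime]::Parse($expires, [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::RoundtripKind)
    }
    $lifetime = $Certificate.NotAfter - $Certificate.NotBefore
    [pscustomobject]@{
        OrderStatus      = $order.status
        OrderExpiresUtc  = $expires.ToUniversalTime()   # deadline to finish the order
        CertNotBeforeUtc = $Certificate.NotBefore.ToUniversalTime()
        CertNotAfterUtc  = $Certificate.NotAfter.ToUniversalTime()
        CertLifetimeDays = [math]::Round($lifetime.TotalDays, 1)
    }
}

# Constructed sample order object in the RFC 8555 shape (not real server output).
$now = [DateTimeOffset]::UtcNow
$orderJson = @"
{ "status": "pending",
  "expires": "$($now.AddDays(7).ToString('o'))",
  "identifiers": [ { "type": "dns", "value": "example.test" } ] }
"@

# Constructed stand-in for an issued certificate: self-signed, valid for 90 days.
# For a real check, load the issued file with
# [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=example.test', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned($now, $now.AddDays(90))

Compare-OrderAndCertLifetime -OrderJson $orderJson -Certificate $cert | Format-List
```

Posting this kind of output verbatim, with both the notBefore and notAfter dates, gives helpers the uninterpreted values the replies above ask for.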