Strange behaviour certificate expire dates

I have a strange behaviour and don't really know what to do :(.

So it's the second reminder email I get that one of my domain certificates is going to expire.

However when I run 'sudo certbot renew' it says skipped domain expires 02/11/2023 (dd/MM/yyyy).
When I go to my domain in Chrome and check the certificate option it also says 02/11/2023.

So in both locations it gives me the same date and therefore I'm pretty sure I don't have anything to do.
However I'm kinda confused why I got the reminder email that one of my domain certificates is about to expire on 22/11/2022.

Domain : git.timclinckemalie.me

Any ideas?

You mean MM/dd/yyyy? Or 11/02/2023? Because there is no certificate expiring on 2 November 2023: crt.sh | git.timclinckemalie.me

Also, I cannot see a cert for that hostname expiring on 22 November 2022. Can you please share the entire and complete email you received?

3 Likes

I meant 02/11/2023 in dd/MM/yyyy format, so for us that should be 2023-11-02.
In the mail it says 23 Nov 2022, meaning within 9 days.

Oh yeah, sorry, I meant February, 11/02/2023 in dd/MM/yyyy, so for US that is 2023-02-11.

1 Like

So indeed the certs will expire on 23 November (not 22 as in your opening post).

The email is regarding:

However, these three certs have been renewed today at 16:05 and 16:06 UTC (the Not before date/time in the certificate is backdated one hour):

Your email is from 16:57, but I don't know which time zone that is. Looking at the Date header from your webserver, you're in UTC+1. So that would mean your email was sent at 15:57 UTC. At that time, your certificates weren't renewed, so the email was justly sent.

So I'm a little bit confused what the "strange behaviour" is exactly? Your certificates weren't renewed. Let's Encrypt sent an expiry email. Afterwards, your certificates suddenly, 8-9 minutes after the email was sent, were renewed. Sounds correct to me.

2 Likes

I'm confused,

Yes, it is correct, I'm in timezone UTC+1.

I have received the mail to tell me that my cert will expire in 9 days.

So I logged in to my reverse proxy and did 'sudo certbot renew'. The output said all certs skipped due to expires on 11 February 2023. So this tells me that the certs haven't been renewed, but just skipped.

Yes, Certbot skips renewing already renewed certificates which are not due to expire for some time. Somewhere in between the expiry email and you seeing the "skipped" message, Certbot did its job of renewing the certs already. You could take a look at the log file in /var/log/letsencrypt/ which was created today at approximately 17:05 CET. There would be more log files earlier and later, but the file from approx. 17:05 UTC should show the renewals happening.

2 Likes

Oh OK,

Kinda strange because normally I manually renew them because I don't have auto-renewal turned on, and port 80 is blocked in my router. But I'll check the logs. Thanks.

2 Likes

That defeats the whole point of automation.

That is a false sense of security.

4 Likes

Yes I know, I have to work on that. But I'm a software developer with a homelab, so networking and security isn't very good in my skillset.

I assume I can leave port 80 open and have to set nginx to auto redirect http to https?

1 Like

Yes. See:

5 Likes
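
The setup confirmed above (port 80 open, nginx redirecting HTTP to HTTPS), as an added example that is not part of the original thread. The server name is the one from the thread; the webroot path `/var/www/letsencrypt` and the use of Certbot's webroot method are assumptions.

```nginx
# Added example, not from the thread.
# Assumption: Certbot runs with the webroot method and writes challenge
# files under /var/www/letsencrypt (hypothetical path).
server {
    listen 80;
    listen [::]:80;
    server_name git.timclinckemalie.me;

    # HTTP-01 validation requests arrive over plain HTTP on port 80,
    # so answer them here instead of redirecting.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Every other request is sent to the HTTPS site.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Check the syntax with `nginx -t` before reloading; `sudo certbot renew --dry-run` then confirms that validation over port 80 succeeds without issuing a new certificate.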

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.