When are certs "due for renewal"?

I have just installed certbot on a CentOS8 system, and just wanted to double check if automatic renewals will work. I see that /etc/crontab does contain:

0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew

And I see that /var/log/letsencrypt/ is filling up with logs; they contain mentions of “not due for renewal”. Giving $ sudo /usr/local/bin/certbot-auto renew --dry-run also says not due for renewal and congratulations for everything succeeding.

My certificate status is VALID: 85 days.

Is there a certain number of remaining days where the 12-hourly renew cron task will actually do a renewal?

1 Like

The certificate is usually renewed 30 days before it expires. The renewal command runs frequently and just checks how old the certificate is; if it has more than 30 days left then it exits and runs again the next day.

If a renewal fails and the certificate gets close to expiring you should receive an email to the address you specified when setting up certbot.

3 Likes
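
An independent expiry check built on the 30-day window described in the reply above, added here as an example and not part of the original posts or of Certbot. The 20-day alert threshold, the function names and the sample dates are assumptions.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # from the thread: renewal happens about 30 days before expiry
ALERT_DAYS = 20         # assumption: still unrenewed this late means renewals are failing


def days_left(not_after, now=None):
    """Days until expiry. not_after uses the getpeercert() 'notAfter' format."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def renewal_state(not_after, now=None):
    """Classify a certificate by how close it is to expiry."""
    remaining = days_left(not_after, now)
    if remaining <= 0:
        return "expired"
    if remaining < ALERT_DAYS:
        return "renewal-failing"  # inside the window for 10+ days, still the old cert
    if remaining < RENEW_WINDOW_DAYS:
        return "due"              # the next cron run should renew it
    return "not-due"              # what the logs in the question report


def fetch_not_after(host, port=443, timeout=5):
    """Read notAfter from the certificate a live server presents (needs network).
    An already expired certificate fails the handshake with SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Constructed sample dates, evaluated against a fixed "now" so the run is offline.
    now = ssl.cert_time_to_seconds("Jan  1 00:00:00 2024 GMT")
    samples = (
        "Mar 26 00:00:00 2024 GMT",  # 85 days left, as in the question
        "Jan 26 00:00:00 2024 GMT",  # 25 days left
        "Jan 11 00:00:00 2024 GMT",  # 10 days left
        "Dec 25 00:00:00 2023 GMT",  # already expired
    )
    for not_after in samples:
        print(f"{not_after}: {days_left(not_after, now):.0f} days, "
              f"{renewal_state(not_after, now)}")
```

Run from a separate monitoring host, `renewal_state(fetch_not_after("example.org"))` catches a failing cron job even if the expiry e-mail is missed; `example.org` is a placeholder hostname.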

Add -q (--quiet) as a Certbot argument in your cronjob and you won’t get the log noise. It will only log interesting things, such as actual renewals and failures.

The Certbot packages you can get from Linux distributions do this by default - the instructions for certbot-auto should probably be updated to include it as well.

2 Likes
