Why do Letsencrypt certs only last a few months?

Krischu · September 29, 2020, 7:18pm

I installed Letsencrypt Certificates for my website end of July 2020, I believe. Looking into a comment line of the generated cerificates it says:

## Your cert will expire on 2020-10-20. To obtain a new or tweaked
## version of this certificate in the future, simply run certbot
## again. To non-interactively renew all of your certificates, run
## "certbot renew"

Examining the certificate with a browser by accessing the website, it says that it is valid until Dec, 19th, 2020.

Another thing I'm wondering about is that files and directories in /etc/letsencrypt
are carrying timestamps of Sept 21. I don't recall to have them touched in that time.

My domain is: werkwelt.de, page is urquell.de

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 18.04.5

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): n

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

griffin · September 29, 2020, 7:35pm

Could be from an autorenewal task.

You can see your certificate histories using the following links:

Can you upload that certificate file using the upload button (down to the right when creating a message) so that we can take a look at it? A certificate contains nothing private so you need not worry about privacy.

Krischu · October 4, 2020, 8:09am

Thanks. Maybe I installed already an update mechanism without being aware of it when I first time installed Letsencrypt? BTW, I don't see an upload button when composing this message.

What should I look for when you are mentioning an "autorenewal task"?

EDIT: I found /etc/letsencrypt/renewal/*.conf
containing sections for
"renew_before_expiry = 30 days" and
"Options used in the renewal process"
Now, which process is doing the renewal?

griffin · October 4, 2020, 8:14am

Close, but not exactly.

Running certbot using --apache instructs certbot to both acquire and install a certificate using apache as well as set up a task using cron or systemd to periodically run certbot renew, which will update any certificates expiring within 30 days.

Krischu · October 4, 2020, 8:25am

Not here:

Regarding the other parts of your reply:
Running certbot using --apache instructs certbot to both acquire and install a certificate using apache as well as set up a task using cron or systemd to periodically run certbot renew , which will update any certificates expiring within 30 days.

Thanks, this clarifies it.

And another question: why upload the certificate when it is issued by the site anyway. You could see it in the browser.

I just discovered the upload symbol in the tool bar (just not in the lower right corner
(difference between computer vs. mobile?)

griffin · October 4, 2020, 8:46am

You make a fair point...

Looking here at the certificate with serial number 03:8f:d0...

Issuer: (CA ID: 16418)
organizationName = Let's Encrypt

Validity
Not Before: Sep 20 15:44:48 2020 GMT
Not After : Dec 19 15:44:48 2020 GMT

Looking here at the certificate with serial number 01:d3:9b...

Issuer: (CA ID: 62148)
organizationName = DigiCert Inc

Validity
Not Before: Jul 2 00:00:00 2020 GMT
Not After : Jul 3 12:00:00 2022 GMT

Yep. That's my fault.

Cherish those who seek the truth but beware of those who find it.
- Voltaire

Krischu · October 4, 2020, 9:27am

Many thanks for sorting this out. I'm glad to know that the autorenew mechanism is active and can life carelessly for the future to come. At least what this issue is concerned

griffin · October 4, 2020, 10:05am

If you have any other questions or run into any trouble, just let us know.