Why do my https ssl certs seem to auto-renew?

I have 4 domains hosted on my DigitalOcean box and they all seem to be “auto-renewing” without my intervention.

Can you help me understand why, please?

Could it be:

  • that these domain registrars facilitate auto-renewal in some way
  • that my server has a cron task running
  • that visitor traffic does a “keep alive” for the https ssl cert (theory is that if no traffic then the ssl expires - but that’s not good to rely on, of course)

These sites all have different domain registrars that point to my server.

I checked my cron tasks and nothing stands out (using https://unix.stackexchange.com/questions/7053/how-can-get-a-list-of-all-scheduled-cron-jobs-on-my-machine):

# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
# ls /var/spool/cron/
atjobs  atspool  crontabs
# 

Occasionally I have run Certbot on that server for adding new sites. I tend to be very specific about what I renew, as I know there is a “budget” limit on how many certs can be run in any one week. So I’m doubtful it’s that.

1 Like

Hi @therobyouknow,

If you recently installed Certbot from either an OS package or using certbot-auto, it’s likely that it created its own automated renewal task. You could try crontab -l as root (that’s still another crontab) or check your systemd timers (a newer non-cron-based mechanism for scheduled tasks).

Certbot is designed to be run frequently from cron or similar to check whether renewals should be attempted, but it normally doesn’t attempt any renewals unless a certificate is within 30 days of expiry. This schedule and this behavior are designed so that they will normally never run afoul of the Let’s Encrypt rate limits, because the renewal attempt won’t be repeated again soon once it succeeds.

1 Like

Renewals don’t count against per-domain limits. (They used to, but this was resolved a while back.)

1 Like

Thank you all so much for your answers. I will study them and follow up.

@therobyouknow: the command is systemctl list-timers --all 😉

1 Like
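
The places the replies above point to (the system and per-user crontabs, the cron drop-in directories, and systemd timers) can be searched in one pass. This is an added example, not part of the thread and not Certbot's own tooling; the optional ROOT prefix, the search pattern and the output format are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list scheduled jobs that reference Certbot.
# Usage: find_certbot_jobs [ROOT]
#   ROOT is an optional filesystem prefix (assumption, lets the function be
#   pointed at a test tree); empty means the live system.
PATTERN='certbot|letsencrypt'   # assumed search pattern

find_certbot_jobs() {
    root="${1:-}"

    # cron: system crontab, drop-in directories, and per-user crontabs
    # (what `crontab -l` reads; run as root to see every user's file).
    for path in "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" \
                "$root/etc/cron.daily" "$root/etc/cron.weekly" \
                "$root/etc/cron.monthly" "$root/var/spool/cron/crontabs"
    do
        [ -e "$path" ] || continue
        grep -rliE "$PATTERN" "$path" 2>/dev/null |
            while IFS= read -r file; do printf 'cron\t%s\n' "$file"; done
    done

    # systemd: timer units whose name or contents mention Certbot.
    for dir in "$root/etc/systemd/system" "$root/lib/systemd/system" \
               "$root/usr/lib/systemd/system"
    do
        [ -d "$dir" ] || continue
        find "$dir" -name '*.timer' 2>/dev/null |
            while IFS= read -r unit; do
                case "$(basename "$unit")" in
                    *certbot*|*letsencrypt*)
                        printf 'systemd\t%s\n' "$unit"; continue ;;
                esac
                if grep -qiE "$PATTERN" "$unit" 2>/dev/null; then
                    printf 'systemd\t%s\n' "$unit"
                fi
            done
    done
    return 0
}

# Scan the live system (or the prefix given as the first argument).
find_certbot_jobs "${1:-}"

# Runtime view of the timers, using the command quoted in the thread.
if command -v systemctl >/dev/null 2>&1; then
    systemctl list-timers --all --no-pager 2>/dev/null | grep -iE "$PATTERN" || true
fi
```

Each output line is the mechanism (cron or systemd) followed by the file that schedules the job, so an empty result from /etc/crontab alone does not rule out an automated renewal.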
