Why do my https ssl certs seem to auto-renew?

therobyouknow · July 17, 2020, 2:56pm

I have 4 domains hosted on my digitalocean box and they all seem to be “auto-renewing” without my intervention.

Can you help me understand why, please?

Could it be:

that these domain registars facilitate auto-renewal in some way
that my server has a cron task running
that visitor traffic does a “keep alive” for the https ssl cert (theory is that if no traffic then the ssl expires - but that’s not good to rely on, of course)

These sites all have different domain registrars that point to my server.

I checked my cron tasks and nothing stands out ( using https://unix.stackexchange.com/questions/7053/how-can-get-a-list-of-all-scheduled-cron-jobs-on-my-machine )

# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
# ls /var/spool/cron/
atjobs  atspool  crontabs
#

Occasionally I have run cert-bot on that server for adding new sites. I tend to be very specific about what I renew, as I know there is a “budget” limit on how many certs can be run in any one week. So I’m doubtful it’s that.

schoen · July 17, 2020, 7:10pm

Hi @therobyouknow,

If you recently installed Certbot from either an OS package or using certbot-auto, it's likely that it created its own automated renewal task. You could try crontab -l as root (that's still another crontab) or check your systemd timers (a newer non-cron-based mechanism for scheduled tasks).

Certbot is designed to be run frequently from cron or similar to check whether renewals should be attempted, but it normally doesn't attempt any renewals unless a certificate is within 30 days of expiry. This schedule and this behavior are designed so that they will normally never run afoul of the Let's Encrypt rate limits, because the renewal attempt won't be repeated again soon once it succeeds.

BenSjoberg · July 17, 2020, 8:27pm

Renewals don't count against per-domain limits. (They used to, but this was resolved a while back.)

therobyouknow · July 28, 2020, 1:40pm

Thank you all so much for your answers. I will study them and follow up.

9peppe · July 28, 2020, 2:40pm

@therobyouknow: the command is systemctl list-timers --all

system · August 27, 2020, 2:40pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cron job not seem to be renewing my SSL Server	17	6095	September 17, 2017
"Certbot renew" not enough? Server	3	1226	August 19, 2017
Renewing my certificates Help	8	1369	April 2, 2020
Renew notice after create a cron job Issuance Tech	3	1547	January 23, 2017
My certs got renewed automatically without me setting up cron. How? Help	3	2043	November 13, 2017

Why do my https ssl certs seem to auto-renew?

Related topics