Why is my certificate being renewed EVERY day...?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ukmessage.com

I ran this command: I didn’t run anything. The certificate is valid until November

It produced this output: It renews automatically EVERY day. No other domains on the same server do this. There are only two cronjobs - one hourly (keep-secured), and one weekly (remove-expired-tokens)

My web server is (include version): Plesk 18.0.29

The operating system my web server runs on is (include version): Unbuntu 18.04

My hosting provider, if applicable, is: Ionos

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk 18.0.29

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

2 Likes

Hi @grahamjones

checking your domain there is no daily renew visible - https://check-your-website.server-daten.de/?q=ukmessage.com#ct-logs

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-08-18 2020-11-16 *.ukmessage.com, ukmessage.com - 2 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-08-14 2020-11-12 ukmessage.com, webmail.ukmessage.com, www.ukmessage.com - 3 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-08-08 2020-11-06 ukmessage.com, webmail.ukmessage.com, www.ukmessage.com - 3 entries
Let’s Encrypt Authority X3 2020-08-07 2020-11-05 ukmessage.com, webmail.ukmessage.com, www.ukmessage.com - 3 entries
Let’s Encrypt Authority X3 2020-06-12 2020-09-10 ukmessage.com, webmail.ukmessage.com, www.ukmessage.com - 3 entries

But you should check why the certificate with three domain names is renewed 08-07, 08-08, 08-14.

Looks like something in your cron jobs is wrong.

Or you have started these renews manual.

But that’s not daily.

PS: The website uses the wildcard certificate.

2 Likes

Issues like this are usually due to a malfunction in the ACME client. In this case, the Plesk Let’s Encrypt extension.

Sometimes it’s about failing to properly store the certificate (maybe the user’s disk is full), resulting in the next cronjob creating it from scratch. Sometimes it’s because there’s a mismatch between the domains it “wants” and the domains it’s actually issuing, so it’s never satisfied with the certificate it created last time. That one can crop up if wildcards are involved. Sometimes, as unlikely as it seems, there are multiple ACME clients competing over a domain,

If you have the latest version of the extension installed and it’s still happening, I would reach out to Plesk support and see whether they can investigate. There should be a sufficient log trail for them to figure it out.

2 Likes

Thanks for your rapid responses. I am still confused, though.

The settings for this domain are exactly the same for several other domains on the same server.

All of the other domains are being renewed on the correct timescales. But this domain is being renewed daily.

There are no cronjobs just for this domain.

2 Likes

That’s wrong. Why do you think that?

Certificates are logged in CT-logs. You see the output - no daily renew.

2 Likes

What’s the message telling you the certificate is renewed? Is it an automatic email?

I think OP might referring to these certificates, which are issued pretty close to each other.
https://crt.sh/?id=3238268818
https://crt.sh/?id=3211845554
https://crt.sh/?id=3209248628

2 Likes

I get a message every morning from Plesk saying the certificates have been renewed. But ONLY for this domain.

So, why does Plesk think the certificate is renewed each day, it it isn’t?

I hope my question to Plesk will get an answer…!

That’s a Plesk bug and a Plesk problem.

Or your hoster has an old machine that sends that message.

Letsencrypt doesn’t send daily mails.

2 Likes

Thanks - as I said I’ve taken it up with Plesk now

It’s not an old machine - it’s a brand new server

I still don’t see how it can happen - this email is not arising on any other domain on the same server using the same settings.

But as you say, it’s clearly a Plesk problem so I hope they can solve it…!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.