Let's Encrypt certificate expiration notice


(Camille Roux) #1

Hi!

I set up Let’s Encrypt some months ago and I just received the following mail:

Hello,

Your certificate (or certificates) for the names listed below will expire in 9 days (on 25 Oct 16 13:21 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

forum.pragmaticentrepreneurs.com

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can’t provide support by email.

[…]

Is it OK? Have I something to do?

Thanks


(Alan Tan) #2

I’m assuming that you’re using the Let’s Encrypt template. If so, can you check your cron job by running the following commands?

./launcher enter app
cat /var/spool/cron/crontabs/root

You should see a cronjob for Let’s Encrypt cert renewal. Try running the commands there.


(Camille Roux) #3

Hi,

Here is what I get:

# cat /var/spool/cron/crontabs/root
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Fri Jul 29 20:52:11 2016)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 0 * * * "/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt" > /dev/null

It should be executed automatically, shouldn’t it?

Here is the result when I execute it:

root@forum-app:/var/www/discourse# /shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt
bash: /shared/letsencrypt/acme.sh --cron --home /shared/letsencrypt: No such file or directory

(ljpp) #4

I have a certificate expiry due tomorrow (17-10-2016).

When is the renewal actually happening? What triggers it?


(Alan Tan) #5

What does ls /shared/letsencrypt give you?

This is what I get when I execute the command in cron

root@cockpit-app:/var/spool/cron/crontabs# "/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt"
[Mon Oct 17 02:49:08 UTC 2016] Renew: 'myawesomedomain.com'
[Mon Oct 17 02:49:08 UTC 2016] Skip, Next renewal time is: Sat Nov 26 06:34:27 UTC 2016
[Mon Oct 17 02:49:08 UTC 2016] Add '--force' to force to renew.
[Mon Oct 17 02:49:08 UTC 2016] Skipped myawesomedomain.com

The cron script handles renewal and it checks daily to see if the cert needs to be renewed.


(ljpp) #6

Yes, I get that - but when does this exactly happen?

  • On expiration notice (days before actual expiration)?
  • On the expiration day, but before the expiration time?
  • Or after the certificate has expired?

(Jay Pfaffman) #7

The renew script should run daily and generate a new cert when it’s 30 days from expiring. If your cert is to expire today or has already expired, what I would do is

./launcher rebuild app

(Alan Tan) #8

It used to be every 80 days but in the latest version it is 60 days


(ljpp) #9

@pfaffman @tgxworld

I did a rebuild on October 16th, and just checked my .cer files and noticed that they were dated at 16-10-2016. The certs were most likely renewed by the rebuild, but the cron job did not perform.


(ljpp) #10

I am again 9 days into the expiration of the certificate (different site), and the .cer files time stamp is from October.

So apparently the auto-renewal is not working?


(Jay Pfaffman) #11

Are you saying that the cert expired 9 days ago, or 9 days from now? If it’s the former, you should do a rebuild. If it’s the latter, wait a couple more days, it’ll probably work.


(ljpp) #12

Holy crap! Time-stamps updated overnight, now showing today (13th). This is the first time I have witnessed the auto-renewal actually work. Awesome!

And I was about to expire in 9 days.


(Aman Jagga) #13

I am also facing the same issue, please let me know the solution. This is what I am getting

Should I wait for Feb 1 or should I go ahead and force the renewal?


(Aman Jagga) #14

@CamilleRoux, I am getting the same issue. How did you solve it?


(Jay Pfaffman) #15

I’d wait a few days and on or about January 30 do a ./launcher rebuild app, but you probably won’t need to.


(Alan Tan) #16

@Neilpang do you know how many days before expiry acme.sh renews the cert? LE sends the first renewal notice 20 days before the expiry so we probably want to renew via the cron job before that?


(Neilpang) #17

Hi @tgxworld

We used to renew the cert every 80 days, but later we changed to renew the cert every 59 days,
since Let’s Encrypt changed to notify about the expiry every 60 days.
So, from this renewal, your cert will be renewed every 59 days, just one day before the expiry email.
Don’t worry.


(Neilpang) #18

You should never receive the expiry email again.


(Jay Pfaffman) #19

Above, I suggested that not worrying is good advice.

But people who want not to get scary emails need to rebuild, right?

If they installed Let’s Encrypt before the LE update and haven’t upgraded it, they are on the 80 day schedule, right? And since Let’s Encrypt isn’t handled by docker_manager, the only way to get that upgrade is to do a rebuild, right?


(Neilpang) #20

Check your acme.sh version. If it’s 2.6.5 or later it should work automatically.
You can wait till the first auto renewal, or you can do a force renewal now. Then you will see the next renewal time is after about 60 days.
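
Added example, not part of any post in this thread: a small check that answers "is auto-renewal still on schedule?" from a certificate's notAfter date, using the figures quoted above (renewal at 30 days before expiry per post #7, first Let's Encrypt notice at 20 days per post #16). The script name, function names and certificate path are assumptions; it needs GNU date and openssl.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GNU date (-d) and, for files, openssl.
# Thresholds are the figures quoted in the thread:
RENEW_BEFORE=30    # days left when the daily acme.sh cron job should renew (post #7)
NOTICE_BEFORE=20   # days left when LE sends its first expiry notice (post #16)

# cert_not_after FILE -> notAfter of a PEM certificate, e.g. "Oct 25 13:21:00 2016 GMT"
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_state NOT_AFTER [NOW] -> ok | renewal-due | renewal-overdue | expired
cert_state() {
    end=$(date -u -d "$1" +%s) || return 2
    now=$(date -u -d "${2:-now}" +%s) || return 2
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo expired            # rebuild or force a renewal
    elif [ "$left" -le $(( NOTICE_BEFORE * 86400 )) ]; then
        echo renewal-overdue    # the cron job missed its window; notices are going out
    elif [ "$left" -le $(( RENEW_BEFORE * 86400 )) ]; then
        echo renewal-due        # inside the window; the next daily run should renew
    else
        echo ok
    fi
}

# Usage (hypothetical script name and path): ./cert_state.sh /path/to/cert.cer
if [ "$#" -ge 1 ]; then
    na=$(cert_not_after "$1")
    [ -n "$na" ] || { echo "cannot read certificate: $1" >&2; exit 2; }
    cert_state "$na"
fi
```

Run daily from monitoring, a "renewal-overdue" result is the signal to run the cron command by hand and read its output rather than wait for the expiry mail.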