Let's Encrypt certificate expiration notice

CamilleRoux · October 16, 2016, 2:03pm

Hi!

I set up Let’s Encrypt some months ago and I just received the following mail:

Hello,

Your certificate (or certificates) for the names listed below will expire in 9 days (on 25 Oct 16 13:21 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

forum.pragmaticentrepreneurs.com

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can’t provide support by email.

[…]

Is it OK? Have I something to do?

Thanks

tgxworld · October 16, 2016, 2:29pm

I’m assuming that you’re using the Let’s Encrypt template. If so, can you check your cron job by running the following commands?

./launcher enter app
cat /var/spool/cron/crontabs/root

You should see a cronjob for Let’s Encrypt cert renewal. Try running the commands there.

CamilleRoux · October 16, 2016, 3:01pm

Hi,

Here is what I get:

# cat /var/spool/cron/crontabs/root
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Fri Jul 29 20:52:11 2016)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 0 * * * "/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt" > /dev/null

It should be executed automaticaly, doesn’t it?

Here is the result when I execute it:

root@forum-app:/var/www/discourse# /shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt
bash: /shared/letsencrypt/acme.sh --cron --home /shared/letsencrypt: No such file or directory

ljpp · October 16, 2016, 8:00pm

I have a certificate expiry due tomorrow (17-10-2016).

When is the renewal actually happening? What triggers it?

tgxworld · October 17, 2016, 2:50am

What does ls /shared/letsencrypt give you?

This is what I get when I execute the command in cron

root@cockpit-app:/var/spool/cron/crontabs# "/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt"
[Mon Oct 17 02:49:08 UTC 2016] Renew: 'myawesomedomain.com'
[Mon Oct 17 02:49:08 UTC 2016] Skip, Next renewal time is: Sat Nov 26 06:34:27 UTC 2016
[Mon Oct 17 02:49:08 UTC 2016] Add '--force' to force to renew.
[Mon Oct 17 02:49:08 UTC 2016] Skipped myawesomedomain.com

The cron script handles renewal and it checks daily to see if the cert needs to be renewed.

ljpp · October 17, 2016, 8:06am

Yes, I get that - but when does this exactly happen?

On expiration notice (days before actual expiration)?
On the expiration day, but before the expiration time?
Or after the certificate has expired?

pfaffman · October 17, 2016, 7:09pm

The renew script should run daily and generate a new cert when it’s 30 days from expireing. If your cert is to expire today or has already expired, what I would do is

./launcher rebuild app

tgxworld · October 17, 2016, 8:37pm

It used to be every 80 days but in the latest version it is 60 days

ljpp · October 18, 2016, 6:34am

@pfaffman @tgxworld

I did a rebuild on October 16th, and just checked my .cer files and noticed that they where dated at 16-10-2016. The the certs were most likely renewed by the rebuild, but the cron job did not perform.

ljpp · January 12, 2017, 4:35pm

I am again 9 days into the expiration of the certificate (different site), and the .cer files time stamp is from October.

So apparently the auto-renewal is not working?

pfaffman · January 12, 2017, 6:06pm

Are you saying that the cert expired 9 days ago, or 9 days from now. If it’s the former, you should do a rebuild. If it’s the latter, wait a couple more days, it’ll probably work.

ljpp · January 13, 2017, 8:03am

Holy crap! Time-stamps updated over night, now showing today (13th). This is the first time I witness the auto-renewal to actually work. Awesome!

And I was about to expire in 9 days.

Aman_Jagga · January 22, 2017, 5:45pm

I am also facing the same issue, please let me know the solution.This is what I am getting

Should I wait for feb 1 or should I go ahead and force the renewal

Aman_Jagga · January 22, 2017, 5:16pm

@CamilleRoux . I am getting the same issue. How did you solve it?

pfaffman · January 22, 2017, 6:11pm

I’d wait a few days and on or about January 30 do a ./launcher rebuild app, but you probably won’t need to.

tgxworld · January 24, 2017, 10:10am

@Neilpang do you know how any days before expiry does acme.sh renews the cert? LE sends the first renewal notice 20 days before the expiry so we probably want to renew via the form job before that?

Neilpang · January 24, 2017, 11:09am

Hi @tgxworld

We used to renew the cert for every 80 days. but later we changed to renew the cert every 59 days.
Since the Letsencrypt changes to notify the expiry evey 60 days.
So, from this renewal, your cert will be renewed every 59 days, just one day before the expriy email.
Don’t worry.

Neilpang · January 24, 2017, 11:10am

You should never receive the expriy email again.

pfaffman · January 24, 2017, 4:13pm

Above, I suggested that not worrying is good advice.

But people who want not to get scary emails need to rebuild, right?

If they installed letsencrypt before the LE update and haven’t upgraded it are on the 80 day schedule, right? And since lets encrypt isn’t handled by docker_manager, the only way to get that upgrade is to do a rebuild, right?

Neilpang · January 25, 2017, 1:09am

check your acme.sh version. if it’s 2.6.5 or later it should work automatically.
you can wait till the first auto renewal, or you can do a force renewal now. Then you will see the next renewal time is after about 60 days.