Got this message from LE today:
Your certificate (or certificates) for the names listed below will expire in 19 days (on 19 Feb 19 01:23 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
I have two questions about this:
1) When should certificates be renewing themselves? I haven't seen anything about the timing of when the renewals attempt to process so I'm unsure if I should be concerned about this or if a renewal attempt is yet to come.
2) If there is an issue with renewal, how do I correct it? Turn SSL off and back on? Or is there some way to force a renewal request?
This cert includes a wildcard domain on it in case that makes any difference.
Thanks for any assistance or info you can provide!
I had a situation today where a certificate didn't renew. The domain uses the ".network" TLD. When I tried
sudo certbot renew --post-hook "service nginx restart"
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [domain].network
http-01 challenge for www.[domain].network
Cleaning up challenges
Attempting to renew cert ([domain].network) from /etc/letsencrypt/renewal/[domain].network.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for [domain].network:. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
But then I tried forcing the renewal with
sudo site [domain].network -ssl=force-renewal
And it worked. I wonder if it could be related to the ".network" TLD.
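An added example, not part of the original post and not Webinoly's or Certbot's own code: a small filter that reads `certbot renew` output in the shape quoted above and reports each failed certificate, so a cron-driven renewal does not fail silently. The sample text is constructed, with example.network standing in for the redacted domain, and the script name in the usage comment is hypothetical.

```python
import re
import sys

# Constructed sample in the shape of the output quoted above;
# example.network stands in for the redacted domain.
SAMPLE = """\
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.network
http-01 challenge for www.example.network
Cleaning up challenges
Attempting to renew cert (example.network) from /etc/letsencrypt/renewal/example.network.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for example.network:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
"""

FAIL_RE = re.compile(r"Attempting to renew cert \((?P<cert>[^)]+)\) from (?P<conf>\S+) "
                     r"produced an unexpected error: (?P<reason>.*)")
WEBROOT_RE = re.compile(r"Input the webroot for (?P<name>[^:\s]+):")

def parse_renew_output(text):
    """Return one dict per failed certificate, with the error and a hint if known."""
    lines = [l.strip() for l in text.splitlines()]
    failures = []
    for i, line in enumerate(lines):
        m = FAIL_RE.match(line)
        if not m:
            continue
        reason = m.group("reason")
        # The error text wraps onto the next line, which ends in "Skipping."
        if i + 1 < len(lines) and lines[i + 1].endswith("Skipping."):
            reason += " " + lines[i + 1]
        hint = None
        w = WEBROOT_RE.search(reason)
        if w:  # certbot wanted to prompt for a webroot it had no stored value for
            hint = "no webroot path stored for %s in %s" % (w.group("name"), m.group("conf"))
        failures.append({"cert": m.group("cert"), "conf": m.group("conf"),
                         "reason": reason, "hint": hint})
    return failures

if __name__ == "__main__":
    # Hypothetical usage: sudo certbot renew 2>&1 | python3 check_renew.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = parse_renew_output(text)
    for f in found:
        print("RENEWAL FAILED: %s (%s): %s | %s" % (f["cert"], f["conf"], f["reason"], f["hint"] or ""))
    sys.exit(1 if found else 0)  # non-zero exit lets cron or monitoring alert
```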
First of all, try renewing your certs manually:
You should see a message with "successful".
Now, this is very weird because Webinoly has a redundant process to prevent these issues. Certbot (Let's Encrypt) has an automatic renewal process that runs several times a day on your server. Also, as a double check, Webinoly runs the renew command once a week and sends an email to the account you registered the first time you created a cert.
Definitely, something is not working fine on your server; it's almost impossible that both redundant renewal processes are failing.
Check the Webinoly renew cron job: sudo crontab -e
A lot of things were improved in the SSL area, but to be honest I found nothing wrong with the renewal process.
The good news is that now we have more tools and options to fix these issues, for example:
The last one seems to be working fine even with wildcard certs. I've been testing it and it seems like you don't even need to pass the DNS verification again.
Please, tell me if it works for you.
I don't know; my only advice is to just be sure that all your packages are updated, as that's the main cause of issues with Let's Encrypt.
sudo apt update && sudo apt upgrade -y