Linux – Certbot LetsEncrypt Sending Scary Email, Not Sure If Auto-Renewal Is Working

Tags: certbot, lets-encrypt, linux, ssl, ubuntu-18.04

I am running a linux server for a nodejs express app at katefromhrbot.com, and I used the certbot guide for Nginx and Ubuntu 18.04 LTS to give it the secure https domain support. It is working now, but I recently received a rather worrying email which had given me a swarm of butterflies inside of my stomach organ, as the email stated that my certificate would terminate and expire in the near future unless I took action! I was confused by this because the last step of certbot says, "You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command". I had run the renewal dry run command back when I initially set it up so I'm confused why I need to do anything for the renewal in the first place. 🤔

Output from lsb_release -a:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:    18.04
Codename:   bionic

Here is the email from "expiry@letsencrypt.org":

Hello,

Your certificate (or certificates) for the names listed below will
expire in 20 days (on 08 Dec 19 17:46 +0000). Please make sure to
renew your certificate before then, or visitors to your website will
encounter errors.

We recommend renewing certificates automatically when they have a
third of their total lifetime left. For Let's Encrypt's current 90-day
certificates, that means renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

katefromhrbot.com

For any questions or support, please visit
https://community.letsencrypt.org/. Unfortunately, we can't provide
support by email.

For details about when we send these emails, please visit
https://letsencrypt.org/docs/expiration-emails/. In particular, note
that this reminder email is still sent if you've obtained a slightly
different certificate by adding or removing names. If you've replaced
this certificate with a newer one that covers more or fewer names than
the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at

Regards, The Let's Encrypt Team

The odd thing is that when I log into my server and try to run sudo certbot renew then it says this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/katefromhrbot.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/katefromhrbot.com/fullchain.pem expires on 2020-02-16 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So, did the automatic renewal work? If so, it would probably be better for Let's Encrypt to send an email when that renewal goes through successfully, rather than (or at least in addition to) the one that tells you to panic because your certificate is about to expire.

Also, it's unclear to me exactly when the renewal is allowed to take place, and when it actually takes place when the automated renewal happens.

So, I have these questions:

  • Is there any way to see these 2 dates (the earliest time you can renew and when the automatic renewal will renew)?
  • Should I be worried that my certificate will really expire on December 16 without being renewed (and then again on 2020-02-16) assuming I do nothing and leave it up to autorenewal?
  • What emails should I be expecting to get, and should I be worried about the emails saying my certificate will expire soon? Is that normal and can I basically ignore them? Is there any way to set config on which things trigger emails (ie. successful auto-renewal)?
  • Also, when I run sudo certbot renew --dry-run it gives me a strange error about a request message being malformed, so I am wondering if I should be worried about that as well:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/katefromhrbot.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Attempting to renew cert (katefromhrbot.com) from /etc/letsencrypt/renewal/katefromhrbot.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/katefromhrbot.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/katefromhrbot.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

Thanks!

Best Answer

Your auto-renewal is working fine ;-).

To understand this situation there is one "detail" you didn't mention, either because you forgot about it or just didn't think it important... Anyway, let's go through it and get the answer you want.

As you correctly quoted the note, you wrote the answer yourself even though you didn't know it ;-) : "You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command"

The "breaking" date for this case is Sep 19, 2019, when you changed the setting. For the domain you mentioned there were two certificates, but only one was in use and covered by auto-renewal. The second one was discontinued but not revoked. Technically it is not a problem, as it would expire in 90 days anyway, but as a "not revoked and expiring" certificate you have been correctly notified about it...

You started with the certificate on Jul 11, 2019, when you generated a certificate for the domain katefromhrbot.com with serial number 3:81:51:37:84:6E:0A:8B:14:5C:71:24:87:D3:11:89:EB:57 expiring on Oct 9, 2019.

On Sep 9, 2019 your setup correctly auto-renewed the cert with the same configuration, with serial 3:23:0B:95:64:05:5D:66:52:C1:0A:55:B0:79:D6:CE:85:BE expiring Dec 8, 2019. On Sep 19, 2019 you realized that only katefromhrbot.com was present on the certificate, and by changing the setting a second certificate was issued containing katefromhrbot.com and www.katefromhrbot.com, with serial 3:43:48:28:2E:A4:5C:87:37:6B:B3:C1:92:26:BB:11:05:2D expiring Dec 17, 2019. Since this configuration change only the second cert has been kept for auto-renewal. The first one was not revoked; it just stopped being used.

On Nov 18, 2019 the certificate in use (with 2 FQDNs) was renewed and a new one was issued with serial 3:22:18:44:D5:0A:64:51:90:52:48:76:37:10:7B:B5:41:71 expiring Feb 16, 2020.

The notification you mentioned is related to the cert with serial 3:23:0B:95:64:05:5D:66:52:C1:0A:55:B0:79:D6:CE:85:BE, which was replaced with a new one on your system. On the Let's Encrypt side it was a valid and expiring certificate, so the notification was sent out.

The validity of the cert is 90 days. Recommended renewal is at 2/3 of validity, i.e. 30 days before expiry. The first notification about an expiring certificate is sent out 20 days before the end of validity. Once the renewal succeeds and there is a new cert with the same / matching SANs (Subject Alternative Names) available, the notification is not sent out. So there are at minimum 9 tries before the notification is sent out.

I hope this answer makes it clear for you and answers all the questions related to your doubts about the process.
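The timeline the answer reconstructs, worked through in Python as an added example (it is not code from the post, from Let's Encrypt or from certbot). It parses the expiry date out of either the `notAfter=` line printed by `openssl x509 -noout -enddate` or the `expires on YYYY-MM-DD` line printed by `certbot renew`, computes the two dates the question asks for (when certbot's scheduled run starts attempting renewal, and when Let's Encrypt sends its first reminder), and applies the rule quoted in the email itself, that a certificate replaced by a newer one with exactly the same set of names gets no reminder, to the four certificates listed above. The 30-day threshold is certbot's default `renew_before_expiry`; the certificate dates and serial prefixes are taken from the answer, and the `HISTORY` list, `APEX`/`BOTH` name sets and the helper names are constructed here for illustration.

```python
"""Model of the Let's Encrypt renewal and expiry-email timeline.

Added example for this Q&A; not code from the original post or from
certbot. Dates and serial prefixes come from the answer above; the two
thresholds are certbot's default `renew_before_expiry = 30 days` and the
20-day first reminder described in the email.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEW_BEFORE_EXPIRY = timedelta(days=30)  # certbot default in the renewal .conf
FIRST_EXPIRY_EMAIL = timedelta(days=20)   # first Let's Encrypt reminder


@dataclass(frozen=True)
class Cert:
    serial: str            # first bytes of the serial, as listed in the answer
    names: frozenset[str]  # the certificate's SAN set
    not_after: datetime    # notAfter, UTC


def utc_day(s: str) -> datetime:
    """'YYYY-MM-DD' -> aware UTC datetime at midnight."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_enddate(line: str) -> datetime:
    """Extract notAfter from either
    `openssl x509 -in fullchain.pem -noout -enddate` ('notAfter=Feb 16 17:46:00 2020 GMT')
    or the 'expires on YYYY-MM-DD' line that `certbot renew` prints."""
    m = re.search(r"notAfter=(.+)$", line.strip())
    if m:
        return datetime.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    m = re.search(r"expires on (\d{4}-\d{2}-\d{2})", line)
    if m:
        return utc_day(m.group(1))
    raise ValueError(f"no expiry date in: {line!r}")


def renewal_dates(not_after: datetime) -> dict[str, datetime]:
    """The dates the question asks for: certbot's twice-daily timer/cron run
    renews once fewer than 30 days remain, and Let's Encrypt sends its first
    reminder 20 days before expiry."""
    return {
        "certbot_renews_from": not_after - RENEW_BEFORE_EXPIRY,
        "first_expiry_email": not_after - FIRST_EXPIRY_EMAIL,
        "expires": not_after,
    }


def reminder_candidates(certs: list[Cert], when: datetime) -> list[Cert]:
    """Certs Let's Encrypt would still remind about on `when`: unexpired,
    inside the 20-day window, and not superseded by a newer cert with
    exactly the same set of names (the rule stated in the email)."""
    out = []
    for c in certs:
        if not (when <= c.not_after <= when + FIRST_EXPIRY_EMAIL):
            continue
        superseded = any(o.names == c.names and o.not_after > c.not_after for o in certs)
        if not superseded:
            out.append(c)
    return out


# Constructed from the certificate history the answer reconstructs.
APEX = frozenset({"katefromhrbot.com"})
BOTH = frozenset({"katefromhrbot.com", "www.katefromhrbot.com"})
HISTORY = [
    Cert("3:81:51:37", APEX, utc_day("2019-10-09")),  # first cert, issued Jul 11
    Cert("3:23:0B:95", APEX, utc_day("2019-12-08")),  # auto-renewed Sep 9
    Cert("3:43:48:28", BOTH, utc_day("2019-12-17")),  # reissued Sep 19 with www added
    Cert("3:22:18:44", BOTH, utc_day("2020-02-16")),  # auto-renewed Nov 18
]


if __name__ == "__main__":
    # The email arrived 20 days before 08 Dec 2019, i.e. on 18 Nov 2019:
    # only the Sep 9 apex-only cert has no same-names successor.
    for c in reminder_candidates(HISTORY, utc_day("2019-11-18")):
        print(f"reminder for {c.serial}... names={sorted(c.names)} expires {c.not_after:%Y-%m-%d}")
    for k, v in renewal_dates(HISTORY[-1].not_after).items():
        print(f"{k:>20}: {v:%Y-%m-%d}")
```

On the server the inputs come from `sudo certbot certificates` or `openssl x509 -in /etc/letsencrypt/live/katefromhrbot.com/fullchain.pem -noout -dates`; whether a scheduled run exists at all is checked with `systemctl list-timers certbot.timer` (or `cat /etc/cron.d/certbot` for the cron fallback), and `/var/log/letsencrypt/letsencrypt.log` records every attempt, which is the closest thing to the "renewal succeeded" notification the question wishes for.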
