Certbot and letsencrypt: after renewing my certificate has 2 weeks more of validity instead of 3 months

My letsencrypt certificate will expire soon. I ran "certbot" to renew it for the next 3 months:

  $ sudo certbot certonly --standalone -d $website --email admin@$website
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator standalone, Installer None
  Cert is due for renewal, auto-renewing...
  Renewing an existing certificate
  Performing the following challenges:
  tls-sni-01 challenge for my_website123.com
  Waiting for verification...
  Cleaning up challenges

  IMPORTANT NOTES:
   - Congratulations! Your certificate and chain have been saved at:
     /etc/letsencrypt/live/my_website123.com/fullchain.pem
     Your key file has been saved at:
     /etc/letsencrypt/live/my_website123.com/privkey.pem
     Your cert will expire on 2018-07-08. To obtain a new or tweaked
     version of this certificate in the future, simply run certbot
     again. To non-interactively renew *all* of your certificates, run
     "certbot renew"
   - If you like Certbot, please consider supporting our work by:

     Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     Donating to EFF:                    https://eff.org/donate-le

Why "2018-07-08"? I even ran certbot again - the result was the same.


I think you are not renewing the certificate. Just in case, state the certbot version you are using, your Linux distribution and your web server (Apache, nginx?).

You can try running the renew command with --dry-run and see the output:

  certbot-auto renew --dry-run

Once you have checked that everything is correct, you can run it for real and restart Apache:

  systemctl stop apache2 &&
  certbot-auto renew &&
  systemctl start apache2

If that isn't working (due to certbot version or package), you might need to run the certbot command instead with a pre-hook and post-hook:

  certbot renew --pre-hook "service apache2 stop" --post-hook "service apache2 start"

Automate it

Once you have solved the issue by manually checking for the renewal, you should try to automate it with a cron job, at least weekly if not daily. If you need help with that, leave a comment here and I will update my answer to include it. Most distributions include an automatic renewal with the certbot package.
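
Added example (not part of the original question or answer): a shell check that reads the expiry date from the certificate files themselves, so a renewal can be verified on disk instead of from certbot's summary message. The function names, the 30-day default window and the throwaway sample certificates are assumptions of this example; the `<dir>/<name>/fullchain.pem` layout follows the paths shown in the question.

```shell
#!/bin/sh
# Added example: report certificate expiry dates and flag certificates that
# are still inside a renewal window. Function names are hypothetical.

# Print the notAfter date of a PEM certificate file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Succeed (exit 0) if the certificate in $1 expires within $2 days.
# The 30-day default is this example's assumption, not a value from the page.
# An unreadable file also counts as "due", so a broken path gets flagged.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Walk a live directory laid out as <dir>/<name>/fullchain.pem, print one
# status line per certificate, and return non-zero if any is inside the window.
check_live_dir() {
    rc=0
    for pem in "$1"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        if cert_expires_within "$pem" "${2:-30}"; then
            echo "DUE $pem notAfter=$(cert_not_after "$pem")"
            rc=1
        else
            echo "OK  $pem notAfter=$(cert_not_after "$pem")"
        fi
    done
    return "$rc"
}

# Constructed sample input: two throwaway self-signed certificates, valid for
# 90 and 10 days, in a temporary directory shaped like a live directory.
make_sample_live_dir() {
    dir=$(mktemp -d) || return 1
    for spec in fresh:90 stale:10; do
        name=${spec%%:*}
        mkdir "$dir/$name" || return 1
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$name.example" \
            -days "${spec##*:}" -keyout "$dir/$name/privkey.pem" \
            -out "$dir/$name/fullchain.pem" >/dev/null 2>&1 || return 1
    done
    echo "$dir"
}

# Stand-alone use: sh check_expiry.sh /etc/letsencrypt/live [days]
if [ "$#" -gt 0 ]; then check_live_dir "$@"; fi
```

Run it after `certbot renew`, for example from the same cron job, with the live directory as the argument; a `DUE` line means the certificate on disk is still inside the window.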