No, expiry is in 3 months on all the Let's Encrypt certs because of the daily renewal.
Issue date: today
Expiry: in 3 months

But letsencrypt should not renew every day. Perhaps this one will tell us more:
Code:
    /root/.local/share/letsencrypt/bin/letsencrypt renew -v
For each one of my domains, it looks like:
Code:
    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/domain.com.conf
    -------------------------------------------------------------------------------
    parse (top of loop): [30 days][]
    CRE_UNITS matched
    parse (bottom) [][30 days][][]
    weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
    dayStr False, modifier False, modifier2 False, units True, qunits False
    _evalString(30 days, time.struct_time(tm_year=2017, tm_mon=3, tm_mday=5, tm_hour=12, tm_min=31, tm_sec=8, tm_wday=6, tm_yday=64, tm_isdst=0))
    _buildTime: [30 ][][days]
    units days --> realunit days
    return
    Cert not yet due for renewal

The output of that command is HUGE and is also giving me the same error. It does not seem to be checking for the 30 days, since you get the message that the cert is not due for renewal, but when I run that command it just tries to renew the cert even though the certs are not older than 1 day.

So, the last things I can think of are trying to reinstall letsencrypt, or removing it and installing certbot instead.

Not really the biggest fan of doing a re-install since it's working. Should be able to configure it so that it does check for the expiry date, right?

The only reason I see for letsencrypt to renew early would be if you have renew-by-default somewhere in a config file, and AFAIK, the only config files are located in /etc/letsencrypt/renewal or cli.ini. This latter one could be in a number of places, but it shouldn't be created automatically. If you don't find one and all else fails, you could try to create one, /etc/letsencrypt/cli.ini, with:
Code:
    renew-by-default = False

In the confs I see:
    # renew_before_expiry = 30 days
Isn't the problem that that line is commented out? Those files were probably made by ISPConfig, so if it shouldn't be commented, there's something wrong with the creation of those files?

Code:
    root@***:/etc/letsencrypt/renewal# cat /etc/letsencrypt/cli.ini
    rsa-key-size = 4096
    email = [email protected]
    authenticator = webroot
    renew-by-default = true
    agree-tos = true
    renew-by-default
    agree-tos

Nice! I removed the lines from cli.ini and am now getting the message skipped Cert not yet due for renewal. Thank you!
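
A check for the cause found in this thread, as an added example that is not part of the original posts and not code from letsencrypt or ISPConfig: it scans a cli.ini-style file for an active renew-by-default, written either as `key = true` or as a bare key. The sample file contents, the placeholder e-mail address, the set of truthy spellings and the function names are assumptions made for the example.

```python
import sys

# Keys that make the client renew regardless of expiry. "renew-by-default" is
# the key from the thread; "force-renewal" is the client's alias for that flag.
FORCE_KEYS = {"renew-by-default", "force-renewal"}
TRUE_VALUES = {"true", "yes", "1"}  # assumed truthy spellings

# Constructed samples: the cli.ini shown in the thread (placeholder e-mail)
# and a corrected variant.
SAMPLE_BROKEN = """rsa-key-size = 4096
email = admin@example.invalid
authenticator = webroot
renew-by-default = true
agree-tos = true
renew-by-default
agree-tos
"""
SAMPLE_FIXED = """rsa-key-size = 4096
# renew-by-default = true
renew-by-default = False
agree-tos = true
"""

def find_forced_renewal(text):
    """Return [(line_no, line)] for every active force-renewal setting."""
    hits = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;[":  # blank, comment, section header
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        value = value.strip().strip("'\"").lower()
        # A bare key with no "=" counts as enabled, like a bare CLI flag.
        if key in FORCE_KEYS and ("=" not in line or value in TRUE_VALUES):
            hits.append((no, line))
    return hits

def main(paths):
    found = False
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                hits = find_forced_renewal(fh.read())
        except OSError as exc:
            print(f"{path}: skipped ({exc.strerror})")
            continue
        for no, line in hits:
            found = True
            print(f"{path}:{no}: forces renewal on every run: {line}")
    return 1 if found else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:] or ["/etc/letsencrypt/cli.ini"]))
```

Run with no arguments it checks /etc/letsencrypt/cli.ini; pass other file paths as arguments to check copies of cli.ini stored elsewhere.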