[Solved] Let's Encrypt auto renewal

Discussion in 'Installation/Configuration' started by Cris Kolkman, Mar 5, 2017.

  1. Cris Kolkman

    Cris Kolkman Member

    No, expiry is in 3 months on all the Let's Encrypt certs because of the daily renewal.
    Issue date: today
    Expiry: in 3 months
     
  2. liane

    liane Member HowtoForge Supporter

    but letsencrypt should not renew every day
    perhaps this one will tell us more
    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt renew -v
    for each one of my domains, it looks like
    Code:
    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/domain.com.conf
    -------------------------------------------------------------------------------
    parse (top of loop): [30 days][]
    CRE_UNITS matched
    parse (bottom) [][30 days][][]
    weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
    dayStr False, modifier False, modifier2 False, units True, qunits False
    _evalString(30 days, time.struct_time(tm_year=2017, tm_mon=3, tm_mday=5, tm_hour=12, tm_min=31, tm_sec=8, tm_wday=6, tm_yday=64, tm_isdst=0))
    _buildTime: [30 ][][days]
    units days --> realunit days
    return
    Cert not yet due for renewal
     
  3. Cris Kolkman

    Cris Kolkman Member

    The output of that command is HUGE and also giving me the same error.
    It does not seem to be checking for the 30 days, since you get the message that the cert is not due for renewal, but when I run that command it just tries to renew the cert even though the certs are not older than 1 day.
     
  4. liane

    liane Member HowtoForge Supporter

    so, the last thing I can think of is trying to reinstall letsencrypt, or remove it and install certbot instead
     
  5. Cris Kolkman

    Cris Kolkman Member

    Not really the biggest fan of doing a re-install since it's working.
    Should be able to configure it so that it does check for the expiry date, right?
     
  6. liane

    liane Member HowtoForge Supporter

    the only reason I see for letsencrypt to renew early would be if you have renew-by-default somewhere in a config file, and AFAIK, the only config files are located in /etc/letsencrypt/renewal or cli.ini; this latter one could be in a number of places, but it shouldn't be created automatically.
    If you don't find one and all else fails, you could try to create one /etc/letsencrypt/cli.ini with
    Code:
    renew-by-default = False
     
    Jesse Norell likes this.
  7. Cris Kolkman

    Cris Kolkman Member

    In the confs I see:
    # renew_before_expiry = 30 days

    Isn't the problem that that line is commented out?
    Those files were probably made by ISPConfig, so if it shouldn't be commented, there's something wrong with the creation of those files?
     
  8. Cris Kolkman

    Cris Kolkman Member

    Code:
    root@***:/etc/letsencrypt/renewal# cat /etc/letsencrypt/cli.ini
    rsa-key-size = 4096
    email = [email protected]
    authenticator = webroot
    renew-by-default = true
    agree-tos = true
    renew-by-default
    agree-tos
     
  9. liane

    liane Member HowtoForge Supporter

    well, guess you found it ;)
     
  10. Cris Kolkman

    Cris Kolkman Member

    Changed it to "false" but it's still renewing so don't think I found it
     
  11. liane

    liane Member HowtoForge Supporter

    strip them entirely (the 2 lines), they have nothing to do in it
     
  12. Cris Kolkman

    Cris Kolkman Member

    Nice!
    I removed the lines from cli.ini and now getting the message skipped Cert not yet due for renewal.

    Thank you!
     
    dmenne and Jesse Norell like this.
  13. dmenne

    dmenne New Member

    Thanks to liane, she helped me too.
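
As an added example (not part of the thread, and not ISPConfig's or certbot's own code), this shell function scans cli.ini and the renewal/*.conf files for active renew-by-default settings in both the `key = true` and bare-flag forms, and also checks certbot's alias force-renewal and the underscore spelling. It assumes a bare key line is read as the flag being set; the sample files are constructed from the cli.ini posted above, with a placeholder e-mail address.

```shell
#!/bin/sh
# Added example (not from the thread): list active lines that force renewal on
# every run. Assumption: a bare "key" line counts as "key = true".
find_forced_renewal() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
        {
            text = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", text)          # trim whitespace
            if (text == "" || text ~ /^[#;]/) next       # blank or commented out
            line = tolower(text)
            eq = index(line, "=")
            if (eq) { key = substr(line, 1, eq - 1); val = substr(line, eq + 1) }
            else    { key = line; val = "true" }         # bare flag form
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub(/_/, "-", key)                          # renewal/*.conf uses underscores
            if ((key == "renew-by-default" || key == "force-renewal") &&
                val ~ /^(true|yes|on|1)$/)
                print file ":" NR ": " text
        }' "$f"
    done
}

# Constructed sample: the cli.ini from the thread after only the
# "renew-by-default = true" line was changed to false (e-mail is a placeholder).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/cli.ini" <<'EOF'
rsa-key-size = 4096
email = admin@example.invalid
authenticator = webroot
renew-by-default = false
agree-tos = true
renew-by-default
agree-tos
EOF
# Constructed renewal file with the commented-out default seen in the thread.
cat > "$demo_dir/domain.com.conf" <<'EOF'
# renew_before_expiry = 30 days
EOF

find_forced_renewal "$demo_dir/cli.ini" "$demo_dir/domain.com.conf"
# On a real host (paths named in the thread):
#   find_forced_renewal /etc/letsencrypt/cli.ini /etc/letsencrypt/renewal/*.conf
```

Only the bare `renew-by-default` line on line 6 of the sample is reported, which matches the point in the thread where setting the value to "false" did not stop the renewals until both lines were removed.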
     
