I'm using ISPConfig 3.2 on many servers. On a couple of them, sometimes certificates are not auto-renewed. When I go to /var/log/ispconfig/acme.log looking for the cause, I can see lines like these:

Code:
    [Mon 18 Mar 00:31:10 CET 2024] Skip, Next renewal time is: 2024-03-17T23:32:08Z

Now my question is: Shouldn't acme auto-renew the certificates 24 hours in advance? Why is it skipping? Thanks for any hint.

EDIT: This could be related to the issue:

Code:
    # acme.sh --list -d herculestravels.it
    [...]
    Le_CertCreateTimeStr='2024-01-21T23:31:22Z'
    Le_NextRenewTimeStr='2024-03-20T23:31:22Z'
    [...]
    Le_RealKeyPath='/var/www/clients/client1/web37/ssl/herculestravels.it-le.key'
    [...]

Code:
    # openssl x509 -in /var/www/clients/client1/web37/ssl/herculestravels.it-le.crt -noout -text
    [...]
    Validity
        Not Before: Jan 21 22:31:21 2024 GMT
        Not After : Apr 20 22:31:20 2024 GMT
    [...]

Why does the certificate expire 1 month after the "Le_NextRenewTimeStr"?
It usually does a month ahead of time. See "LE_NextRenewTime(Str)" in the corresponding config in /root/.acme.sh/domain.tld/domain.tld.conf
Normally, acme.sh renews certs about 30 days before they expire. And ISPConfig calls acme.sh once every night to renew certs. I never had a cert renewal fail on my systems. This can only happen, in my opinion, when you change DNS for a domain or subdomain included in the SSL cert so that acme.sh is not able to validate the cert anymore.
Well, everything seems completely valid. The certificate gets renewed a month before the certificate expires in the output you posted.
Certificate is valid until:
Next Renew is at:
This is to provide enough time to fix any errors if the renew should fail due to an issue.
//Edit: Guess you missed that one is March and the other is April
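
An added example, not part of any post in this thread and not ISPConfig or acme.sh code: a Python check that takes the values quoted in the first post and computes how long before the stored renewal time the "Skip" line was logged, and how much lead time the schedule leaves before the certificate expires. The function names and the fixed UTC offsets for CET/CEST are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption of this example: fixed UTC offsets for zone names seen in acme.log.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "CET": 1, "CEST": 2}

SKIP_RE = re.compile(
    r"\[\w{3} (\d{1,2}) (\w{3}) (\d\d:\d\d:\d\d) (\w+) (\d{4})\] "
    r"Skip, Next renewal time is: (\S+)"
)

# Values copied from the first post of the thread.
LOG_LINE = "[Mon 18 Mar 00:31:10 CET 2024] Skip, Next renewal time is: 2024-03-17T23:32:08Z"
NEXT_RENEW = "2024-03-20T23:31:22Z"     # Le_NextRenewTimeStr
NOT_AFTER = "Apr 20 22:31:20 2024 GMT"  # openssl "Not After"


def parse_utc(stamp):
    """Parse an acme.sh 'YYYY-MM-DDTHH:MM:SSZ' string as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def skip_margin(log_line):
    """Return how long before the next renewal time a 'Skip' line was logged."""
    m = SKIP_RE.search(log_line)
    if m is None:
        raise ValueError("not an acme.sh Skip line")
    day, mon, clock, zone, year, next_renew = m.groups()
    local = datetime.strptime(f"{day} {mon} {year} {clock}", "%d %b %Y %H:%M:%S")
    logged = local.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))
    return parse_utc(next_renew) - logged


def renew_lead(next_renew, not_after):
    """Return the time between the scheduled renewal and certificate expiry."""
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
    return expiry.replace(tzinfo=timezone.utc) - parse_utc(next_renew)


if __name__ == "__main__":
    print("Skip logged", skip_margin(LOG_LINE), "before the renewal time")
    print("Renewal scheduled", renew_lead(NEXT_RENEW, NOT_AFTER), "before expiry")
```

A positive `skip_margin` means the nightly run started before the stored renewal time, so acme.sh logs "Skip" and the certificate is picked up by a later nightly run.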