Let's encrypt not auto renew?

Richard G
I installed Let's Encrypt some time ago.
Now it's time to renew and I have already received messages about it a couple of times.

Today it's this message:
Your certificate (or certificates) for the names listed below will expire in
0 days (on 14 Mar 17 17:43 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

Are they renewing on the last day before expiry? Or does renewing not work in my case for some reason, and should it already have been renewed?

I know I can renew manually, but it should renew automatically, correct?
 
I tried manually:
Code:
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue
but this did not change or renew anything.

So I found another command to renew:
Code:
./letsencrypt.sh request|renew|revoke domain.com 4096 (/path/to/csr-request-config-file) (document_root)
So I could use this renew option, but what is the /path/to/csr-request-config-file?
In my case it should be something like:
Code:
./letsencrypt.sh renew mydomain.nl 4096 /path/to/csr-request-config-file /public_html
Or should those last 2 arguments also be in between brackets? I presume document_root is public_html, correct?
 
What does it say on User Level -> SSL certificates? How many days until the renew process? Did you change the renew_days in directadmin.conf?

Because your certificate is already expired you can just request a new one to get the website back up :).
 
I did not change anything, only made the certificate and I don't have any "renew_days" line in my directadmin.conf.

It looks like it did renew automatically for the hostname itself. SSL is still working there.

This issue is with my reseller account with my domain name, just like a customer. There is no "how many days until renew process".
It does say: Certificate Expiry Mar 14 17:43:00 2017 GMT

Yes I can just request a new one to get the website back up, but then we're back here in about 90 days again. :)
I would rather like to know why it did not update automatically.

Heej that's odd. I created a new certificate and now it says:
Let's Encrypt in use. Auto-renewal in 59 Days.

Shouldn't this be 85 or 90 days by default?
 
I believe DA chose a shorter renew-period so if something went wrong during the renew, the admin still has enough time to fix things.

I also had this happen before one or two times. Not sure what the problem was. Maybe your LetsEncrypt script was not updated during the previous renew (I think it's at v1.3 now)?
 
It's possible, but I thought DA had it at 85 days. I don't mind if it's updated in 59 days as long as it's updated.

My /usr/local/directadmin/scripts/letsencrypt.sh script has #VERSION=1.0.6 noted in it. I don't have any newer on my servers.
 
I might have seen this but forgot about it because it's not really important.
It does not explain why the auto update did not take place.
 
DirectAdmin should by default send you an error message if the renewal fails, and should continue to send you an error message by email every night the renewal fails (it will try again and again, one time every night). So if you did not get those emails, you should manually look in the user level for the account and read the messages there.
 
Thank you Ditto. Unfortunately it did not send me any error message. The only messages I got were from Letsencrypt, as stated in my first post here.
So something must have been wrong on DA.
I did not see any messages in my account other than that the certificate was expired. I created a new one now.

And I also have a hobby domain on another server with DA also with certificate which should renew within 5 days.

Seems the certificate for the hostname did update. That one is still green.
 
You're correct on the letsencrypt script with being 1.0.6.
Not sure where I got the 1.3 number from in my mind.
 
I'm upping this thread again because this happened again with 1 domain. Not sure if it was the same, it's a personal domain.
DirectAdmin should by default send you an error message if the renewal fails, and should continue to send you an error message by email every night the renewal fails (it will try again and again, one time every night).
I only got the e-mail from the Letsencrypt organisation bot, saying that my certificates would expire within 20 days.

So I checked on my private account and again, no renewal line visible. As far as I can see, the other accounts are fine for the moment.
So I checked with a "Letsencrypt-show-domains.sh" script which was posted somewhere on the forums here I believe.
It should state every domain using Letsencrypt with creation date, renewal date and the renewal in xx days.

My private domain was not amongst it in the list. It looks like Directadmin just does not see it anymore.

The strange thing was that it was fine some time ago and also stated the number of renewal days. So it looks as if sometimes things go wrong when updating letsencrypt. Or some other reason.
I did not change anything on the domain in between.

So this is still a recurring issue, which it should not be as it can easily be checked.
 
Change was made in the DA code about a month ago, will be in 1.53.1.

The only way a LetsEncrypt cert auto-renew will stop now in 1.53.1 will be one of:
  • Save with "shared server cert" selected
  • Save with create self-signed cert
  • Click the "Disable Auto-Renew" button at the bottom of the SSL page.

So now, accidentally clicking "Save" for a live LetsEncrypt cert/key with the paste cert/key option selected.. it will no longer clear the auto-renew.
Only the above methods will clear the auto-renew.

The catch is, if you "buy" a cert from somewhere, and paste it in, after you've already been using LetsEncrypt, you must click "Disable Auto-Renew", or else your purchased cert/key will be overwritten.
This is likely a less common scenario, hence the above change was made to help more people.

John
 
Thank you for the quick response.
I never bought any other certificate. It's just that on some domains it does not auto renew. I made them myself, the same way as on other domains which are working. I did not click save either.

Anyway, nice to hear it gets fixed in 1.53.1.

Will this be fixed too then?
DirectAdmin should by default send you an error message if the renewal fails, and should continue to send you an error message by email every night the renewal fails (it will try again and again, one time every night).
Because I have never seen that kind of message yet.
 
... it should be, but only for actual renewal failures.
If the auto-renew was disabled, that's not a renewal failure, but rather no more renewal attempt at all.

John
 
Limit renewal max tries

Can I set something like "limit renewal max tries"?
Example: the domain expired (pointed to another server) but is still in the user's account, so I am still receiving messages about auto-renew failures.
So I want auto-renew to be disabled automatically for this domain after 7 (10, 14, etc.) days.
 
There are a few related features:
1) You can use this, adjust if needed, which simply suppresses the failure message to the User.. giving a few tries before actually deciding it's truly failing:
https://www.directadmin.com/features.php?id=2229

Likely don't need to adjust it.

2) Likely what you're after.. we know a request will last 90 days.
The internal default in DA is
Code:
letsencrypt_renewal_days=60
meaning, DA starts the renewal at day 60, allowing a full month for it to succeed.
So if you only want it to try 6 times, then set it to the following in your directadmin.conf
Code:
letsencrypt_renewal_days=83
meaning, DA allows the certificate to be 83 days old before attempting the renewal. If it fails, it will only retry 7 times until the end of the 90 day period, at which point DA never tries to renew the expired cert.

John
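
Added example, not part of the thread or of DirectAdmin's code: an independent check that flags certificates still unrenewed past the `letsencrypt_renewal_days` threshold described above, which also catches the case where auto-renew was disabled and no failure message is ever sent. It parses the expiry format shown on the SSL page; the function names, the one-night grace and all sample domains are assumptions.

```python
import ssl
from datetime import datetime, timezone

CERT_LIFETIME_DAYS = 90  # lifetime of a Let's Encrypt request, per the thread


def renewal_status(not_after, now, renewal_days=60, grace_nights=1):
    """Return (state, nights) for one certificate.

    not_after uses the format DirectAdmin displays,
    e.g. "Mar 14 17:43:00 2017 GMT". For "overdue", nights is the number of
    nightly renewal runs already missed; for "expired", days since expiry.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    remaining = (expires - now).total_seconds() / 86400
    if remaining <= 0:
        return ("expired", int(-remaining))
    # Age is inferred from the fixed 90-day lifetime (assumption: LE cert).
    age = CERT_LIFETIME_DAYS - remaining
    overdue = age - renewal_days
    if overdue > grace_nights:
        return ("overdue", int(overdue))
    return ("ok", 0)


def audit(inventory, now, renewal_days=60):
    """Return {domain: (state, nights)} for every certificate that is not ok."""
    findings = {}
    for domain, not_after in inventory.items():
        status = renewal_status(not_after, now, renewal_days)
        if status[0] != "ok":
            findings[domain] = status
    return findings


# Constructed inventory: hypothetical domains; the first expiry is the value
# quoted in the thread, the other two are made up for illustration.
SAMPLE = {
    "mydomain.nl": "Mar 14 17:43:00 2017 GMT",
    "renewed.example": "May 20 08:00:00 2017 GMT",
    "lapsed.example": "Feb 10 12:00:00 2017 GMT",
}

if __name__ == "__main__":
    now = datetime(2017, 3, 1, tzinfo=timezone.utc)
    for domain, (state, nights) in audit(SAMPLE, now).items():
        print(f"{domain}: {state} ({nights} nights)")
```

Pass the same `renewal_days` value that is set in directadmin.conf, otherwise certificates that are not yet due will be reported as overdue.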
 