I had an issue come up with some of my cert renewal scripts where using the “certonly” command to request renewal, they would return “Cert not yet due for renewal” when they were in fact due. “Renew” was able to renew them however. Wasn’t sure of the cause, was just happy to have a solution at the time.
Mine is a little different. I do a rolling check for all possible renewals once a week at 4am my timezone and any which need renewals get renewed via the webroot module.
I have separate tasks to restart various services like prosody at five minute intervals thereafter: 4:05, 4:10, 4:15 etc. etc. Prosody and lighttpd share SSL certs, so I do other things at those times like concatenate the fullchain and privkey files for lighttpd into a single file and so forth too. (Prosody can read both files separately and I believe I have it set to now. Lighttpd might be able to too, but it expects a single file by default.)
Functionally though it’s still “certbot renew”. I’m just restarting prosody five minutes later instead of calling prosodyctl right then in the renew-hook. I doubt renew-hook is causing the issue.
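The “concatenate fullchain and privkey for lighttpd, then restart the services” step above, written as a certbot deploy hook. This is an added example, not a script from anyone in this thread; it assumes certbot’s real `RENEWED_LINEAGE` variable (set only for lineages that were actually renewed), a systemd host, and a lighttpd cert directory that you would adjust for your setup.

```shell
#!/bin/sh
# Added example (not from the thread): run it via `certbot renew --deploy-hook`.
# certbot invokes a deploy hook once per lineage it actually renewed and exports
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/chat.example.invalid.
set -eu

# Assumed location of the combined file lighttpd reads; adjust to your config.
LIGHTTPD_CERT_DIR="${LIGHTTPD_CERT_DIR:-/etc/lighttpd/certs}"

# build_combined_pem LINEAGE_DIR DEST
# Writes fullchain.pem followed by privkey.pem into DEST. The file is built
# under a temporary name with mode 0600 and renamed into place, so the private
# key is never world-readable and lighttpd never sees a half-written file.
build_combined_pem() {
    lineage="$1"
    dest="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    tmp="$(mktemp "$(dirname "$dest")/.combined.XXXXXX")"
    chmod 0600 "$tmp"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    mv -f "$tmp" "$dest"
}

# Only do work when certbot tells us something was renewed; with no renewal
# there is nothing to rebuild and no service to bounce.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name="$(basename "$RENEWED_LINEAGE")"
    build_combined_pem "$RENEWED_LINEAGE" "$LIGHTTPD_CERT_DIR/$name.pem"
    # Hard restart, as the thread found Prosody keeps the old cert in memory.
    systemctl restart prosody lighttpd
fi
```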
Definitely a different issue than what I was having.
I just checked and my cert is running fine. I guess something isn’t triggering with Let’s Encrypt, so they are warning me the cert is about to expire, even though I check once a week and renew as needed. Hmmm.
Okay, the cron job runs fine. The certs are updated and imported. And yet, I still couldn’t connect to the server after the last one expired…
For whatever reason, I have to restart the Prosody service before it picks up the new certs. Though I just realized I didn’t just try reloading the config, maybe that clears a cache or something… I’ll wait until next cycle, and try reloading. If that works, I’ll just amend the cron job to do the same.
I’ve not tried reloading the config but I always do a hard restart of prosody after updating the certs. I have cron restart prosody for me when it checks for cert renewal. I find that prosody seems to cache the old cert in memory.
Had this issue again, but may have figured something out.
I ran that command, and among the output was:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/dump.mage.party/fullchain.pem expires on 2019-10-03 (skipped)
/etc/letsencrypt/live/chat.mage.party/fullchain.pem expires on 2019-10-03 (skipped)
/etc/letsencrypt/live/proxy.mage.party/fullchain.pem expires on 2019-10-03 (skipped)
/etc/letsencrypt/live/mage.party/fullchain.pem expires on 2019-10-30 (skipped)
No renewals were attempted.
No hooks were run.
I suspect when it actually renews, it times out and never runs the hook, and never runs it under any other condition. I’ll need to figure out a better way, probably split it into two commands, if that is safe.