ACME - Renewal number of days not yet reached

  • Hi guys,

In our company's infrastructure we automate certificate distribution across servers and services, both Windows and Linux, but we got off to a bad start: launching /usr/local/pkg/acme/ "renewall", by cron or even manually, we always receive "Renewal number of days not yet reached".

As you can see in the attached file, a certificate expired yesterday and another one expired today. We were able to renew these certs manually from the pfSense UI > Acme package, using the issue/renew button.

    Acme package version 0.1.23

    Thanks in advance for any help

  • Hi,

First, what versions? pfSense / acme

    Issue/Renew manually - and then have a look at the generated log file.

Remember: you don't have to wait the entire renewal period. After setting up an account and hitting "Issue", you can repeat the "Issue" a couple of minutes later. There is of course a limit of 5 a day or something like that.

  • Hey Gertjan,

I did not notice my sign was no longer there. Anyway, we are on 2.4.2-RELEASE (amd64) and ADI_RCCVE- as coreboot. As already written, the Acme package version is 0.1.23.

Using the pfSense webui and pressing the button there are no issues at all: certificates are always updated (with daily limit).

On the contrary, the script does not update outdated certs.

Logs in \tmp\acme\ are only created when the procedure gets an outdated cert, and it seems it does not write any system log (in any case?).

  • @nagaraja:

As already written, the Acme package version is 0.1.23.

You should read this topic: ACMEv2 is live!
0.1.24 and 0.1.25 exist.
acme is bleeding edge technology. Always use the latest version... and still, lighting up some candles is advisable.


Using the pfSense webui and pressing the button there are no issues at all: certificates are always updated (with daily limit).

    Something is very wrong then.
    My cert dates from … 3 days before - a new wild card cert - I consider it old already  ;)
    When I hit Issue, I will get a new one - and a (huge) log is created, no matter what.

    I advise you to ditch all settings, and restart.

    I just tried it - hitting Issue again :
    Renewing certificateaccount:
    server: letsencrypt-production-2
    /usr/local/pkg/acme/ --issue -d '' -d '*' --home '/tmp/acme/' --accountconf '/tmp/acme/' --force --reloadCmd '/tmp/acme/' --dns 'dns_nsupdate' --dnssleep '60' --log-level 3 --log '/tmp/acme/'
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [NSUPDATE_SERVER] => /tmp/acme/
    [NSUPDATE_KEY] => /tmp/acme/
    [Wed Mar 21 18:12:24 CET 2018] Multi domain=',DNS:*'
    [Wed Mar 21 18:12:24 CET 2018] Getting domain auth token for each domain
    [Wed Mar 21 18:12:29 CET 2018] Getting webroot for domain=''
    [Wed Mar 21 18:12:30 CET 2018] Getting webroot for domain='*'
    [Wed Mar 21 18:12:30 CET 2018] is already verified, skip dns-01.
    [Wed Mar 21 18:12:30 CET 2018] * is already verified, skip dns-01.
    [Wed Mar 21 18:12:30 CET 2018] Verify finished, start to sign.
    [Wed Mar 21 18:12:33 CET 2018] Cert success.
    -----END CERTIFICATE-----
    [Wed Mar 21 18:12:33 CET 2018] Your cert is in /tmp/acme/
    [Wed Mar 21 18:12:33 CET 2018] Your cert key is in /tmp/acme/
    [Wed Mar 21 18:12:33 CET 2018] The intermediate CA cert is in /tmp/acme/
    [Wed Mar 21 18:12:33 CET 2018] And the full chain certs is there: /tmp/acme/
    [Wed Mar 21 18:12:33 CET 2018] Run reload cmd: /tmp/acme/
    IMPORT CERT, /tmp/acme/, /tmp/acme/
    update cert![Wed Mar 21 18:12:33 CET 2018] Reload success

    This is the small log that shows in the GUI when done.

  • Hey,

It is clear now that the UI button and the /usr/local/pkg/acme/ command have different behaviour. The button always renews the certificate even if it is not outdated. The script always checks the DateTime. I followed the script's code chain and it ends in a script calling the function issue_certificate and looping over each certificate.

That's the part:

    function issue_certificate($id, $force = false, $renew = false) {
        $certificate = & get_certificate($id);
        if (!$force) {
            if ($certificate['status'] != 'active') {
                echo "Certificate renewal for this certificate is set to: disabled\n";
                // (lines between here and the next statement were not quoted in the post)
            }

            // Fall back to 60 days when no numeric "renewafter" value is stored
            $renewafterdays = is_numericint($certificate['renewafter']) ? $certificate['renewafter'] : 60;
            $timetorenew = false;
            $now = new \DateTime();
            // As quoted here, $lastrenewal is constructed as the current time; unless it is
            // set from the certificate's stored last-renewal date (not shown in this excerpt),
            // $nextrenewal is always $renewafterdays in the future
            $lastrenewal = new \DateTime();
            // DateTime::add() modifies $lastrenewal in place and returns the same object
            $nextrenewal = $lastrenewal->add(new \DateInterval('P'.$renewafterdays.'D'));
            if ($now >= $nextrenewal) {
                echo "## Its time to renew ##\n";
                $timetorenew = true;
            } else {
                echo "Renewal number of days not yet reached.\n";
            }
            // (remainder of the function not quoted in the post)
        }
    }

I then updated to the latest package, 0.2.5_1.

Checking that bit of code again, there are no changes.

Anyway, I created a new cert with a time to live of 1 day. Now what I expect is a new cert every day from the cron script.

I'll let you know, but I have few hopes.

Well, the cron job only renews if the "certificate date" + "Certificate renewal after" < "current date".
    It surely doesn't renew every day.

As per "Let's Encrypt" house rules, such a cron should run once a day - or even more often - and undertake a renewal after +/- 60 days.
    You can choose these "60 days" in the settings.

Btw: you found the code.
Add some echo lines, especially where the date from the current cert is extracted, and print that.
Then $renewafterdays is added, and if the result is smaller than the current moment, then renewal proceeds.

For example: is the code reading/using the 'right' certificate?

  • Hey,

I found some interesting stuff applying some echo lines on datetimes:

• A Let's Encrypt generated certificate is always valid for 90 days

• The pfSense WebUI "Services/Acme/Certificate options/Certificate renewal after" option does not affect the lifetime of the certificate generated by Let's Encrypt. It does affect;

Even a 1-day certificate is valid for 90 days, but the option "Certificate renewal after" correctly sets the end date checked by the script. So I trust that it could do a good job within the 90-day time frame. Any value greater than 90 would let you drop into an unmanaged time frame where your certificate is outdated but the script thinks "Renewal number of days not yet reached".

I would suggest a bug fix in the pfSense UI to discard bad values set up in the certificate edit page and help users.


You should consider the second gap: since the cron job runs once a day, you may run the job just 1 hour before a certificate ends; then you have to wait 24 hours for the next job to get an updated certificate. In the case of a webserver's certificate, users can be warned by browser security features for 23/24 hours.

We plan to examine the code more closely and patch it with something such as a provision feature to issue a new certificate if it will be replaced soon.

    Easy as we speak

Just adding the following line, it is possible to renew certificates on the edge of 24 hours:

    // DateTime::sub() changes $nextrenewal in place and returns that same object,
    // so the existing "$now >= $nextrenewal" comparison now fires 24 hours earlier
    $nextrenewalex = $nextrenewal->sub(new \DateInterval('PT24H'));

    in the function issue_certificate right after:

    $nextrenewal = $lastrenewal->add(new \DateInterval('P'.$renewafterdays.'D'));

With this patch the cron job would be more efficient while renewing certificates, giving no downtime for the services the certificates are applied to.
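A stand-alone version of the renewal check this thread walks through, combining the date comparison from the quoted issue_certificate() snippet with the 24-hour lead time proposed in the last post and the 90-day cap suggested earlier. This is an added example, not code from the pfSense ACME package or from any poster. It assumes a certificate record with the fields 'status', 'renewafter' and 'lastrenewal'; the last one, a Unix timestamp of the previous issue, is an assumption, since the quoted excerpt does not show where the last-renewal date comes from. It uses DateTimeImmutable because DateTime::add() and DateTime::sub() modify their object in place, which is exactly what makes the one-line patch above work by side effect.

```php
<?php
// Added example (not the pfSense ACME package's own code): the renewal decision
// discussed in this thread, written so that it can be run and reasoned about
// on its own. Field names follow the quoted snippet; 'lastrenewal' is assumed.

declare(strict_types=1);

const LE_LIFETIME_DAYS = 90;   // Let's Encrypt certificates are valid for 90 days
const CRON_LEAD_HOURS  = 24;   // renew up to one cron interval early (the 24h patch)

/**
 * Decide whether a certificate must be renewed now.
 * Returns [bool $timetorenew, string $reason].
 */
function renewal_due(array $certificate, DateTimeImmutable $now): array
{
    if (($certificate['status'] ?? '') !== 'active') {
        return [false, 'Certificate renewal for this certificate is set to: disabled'];
    }

    // Default to 60 days, as the quoted code does
    $raw = filter_var($certificate['renewafter'] ?? null, FILTER_VALIDATE_INT);
    $renewafterdays = ($raw === false) ? 60 : $raw;

    // Hypothetical clamp: a value above the real lifetime would leave the cert
    // expired while the script still reports "not yet reached" (the gap the
    // thread describes), so never trust it.
    if ($renewafterdays < 1 || $renewafterdays > LE_LIFETIME_DAYS) {
        $renewafterdays = 60;
    }

    // DateTimeImmutable returns new objects, so nothing is shifted by accident
    $lastrenewal = (new DateTimeImmutable('@' . (int)$certificate['lastrenewal']))
        ->setTimezone($now->getTimezone());
    $nextrenewal = $lastrenewal->add(new DateInterval('P' . $renewafterdays . 'D'));
    $earliest    = $nextrenewal->sub(new DateInterval('PT' . CRON_LEAD_HOURS . 'H'));

    if ($now >= $earliest) {
        return [true, sprintf('## Its time to renew ## (due %s, lead %dh)',
            $nextrenewal->format(DATE_ATOM), CRON_LEAD_HOURS)];
    }
    return [false, sprintf('Renewal number of days not yet reached (next renewal %s)',
        $nextrenewal->format(DATE_ATOM))];
}

// Constructed sample records (not real certificates); "now" matches the log above
$now = new DateTimeImmutable('2018-03-21 18:12:24', new DateTimeZone('Europe/Berlin'));
$samples = [
    'fresh'      => ['status' => 'active',   'renewafter' => 60,  'lastrenewal' => $now->modify('-10 days')->getTimestamp()],
    'due-today'  => ['status' => 'active',   'renewafter' => 60,  'lastrenewal' => $now->modify('-60 days')->getTimestamp()],
    'due-in-23h' => ['status' => 'active',   'renewafter' => 1,   'lastrenewal' => $now->modify('-1 hour')->getTimestamp()],
    'bad-value'  => ['status' => 'active',   'renewafter' => 120, 'lastrenewal' => $now->modify('-95 days')->getTimestamp()],
    'disabled'   => ['status' => 'disabled', 'renewafter' => 60,  'lastrenewal' => $now->getTimestamp()],
];

foreach ($samples as $name => $cert) {
    [$due, $reason] = renewal_due($cert, $now);
    printf("%-10s renew=%-3s %s\n", $name, $due ? 'yes' : 'no', $reason);
}
```

The 'due-in-23h' record shows the point of the 24-hour lead: its next renewal is 23 hours away, which a once-a-day cron would otherwise miss until after expiry. The 'bad-value' record shows why the cap matters: with renewafter=120 and no clamp, a certificate issued 95 days ago (already expired) would still be reported as "not yet reached".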
