Cert update dates

chudak · Apr 7, 2019, 4:38 PM

My current certificate as seeing via Browser certificate details say:

Expires On	Tuesday, April 30, 2019 at 10:11:19 AM

ACME updated this certificate on 01-04-2019 03:16:19

I wonder, will the expiration date be automatically updated after/on April 30th?

Thx

Derelict · Apr 7, 2019, 5:32 PM

The default configuration is to renew when the certificate is 60 days old. Did you change that in the certificate options on the acme cert?

Do you have Cron Entry checked in general settings?

You might want to manually renew and make sure it works and, if not, see what the problem/error is.

PiBa · Apr 7, 2019, 7:35 PM

@chudak
Was the webgui restarted after acme renewed the certificate? The acme package allows configuring several 'actions' to restart relevant services where you might have used the certificate.

chudak · Apr 7, 2019, 8:25 PM

I don't see any problems on ACME side.
All worked fine dates and updates also show correct dates.

In pfSense UI System/Certificate Manager/Certificates I see correct dates.

Valid From: Tue, 08 Jan 2019 09:01:48 -0800
Valid Until: Fri, 05 Jan 2029 09:01:48 -0800

My question is when will those dates will be reflected when a client (browser) hits it ?

chudak · Apr 7, 2019, 8:26 PM

@PiBa said in Cert update dates:

@chudak
Was the webgui restarted after acme renewed the certificate? The acme package allows configuring several 'actions' to restart relevant services where you might have used the certificate.

Do you know what services ?

chudak · Apr 7, 2019, 8:30 PM

Found the answer - Restart webConfigurator fixed the issue!

Thanks !

Derelict · Apr 7, 2019, 8:38 PM

Still seems like that acme cert should have been updated by now.

jimp · Apr 8, 2019, 3:10 PM

Check your ACME certificate entry, look in the Actions list and check for, or add, a set to run /etc/rc.restart_webgui as an enabled shell command.

Without that, the GUI wouldn't be restarted after renewing the certificate. Also assuming your cron job box is checked on the ACME general settings tab.

chudak · Apr 8, 2019, 3:10 PM

@jimp Thanks! I did not have it added.

chudak · Apr 8, 2019, 5:02 PM

@jimp one more question - is there a simple way to test that email works from letsencrypt ? I don't think I got any before Acme updated certificates and now have to wait for 60 days...

jimp · Apr 8, 2019, 5:03 PM

No test I'm aware of. I know they still do it, though, as I received an e-mail from them over the weekend. I forgot to check the cron box on one of my lab systems.

Gertjan · Apr 15, 2019, 3:47 PM

@chudak said in Cert update dates:

is there a simple way to test that email works from letsencrypt ?

Oh, yes !
Get some certs from the Staging server. As soon as you get one of them, you'll be mail stormed after de delay.
I never received a mail that told me that I was late to renew a 'real' certificate. All my certs just renew by itself after 60 days - or the period I choose, which is generally somewhat less then 60 days.

Be aware that you can 'redo' your cert manually 5 times a week - just hit the renew button.

You could also renew from the command line : just run what the cron runs :

/usr/local/pkg/acme/acme_command.sh renewall

You'll see that it comes back with

....
Renewal number of days not yet reached.

So, force it like this :

/usr/local/pkg/acme/acme_command.sh  renewall -force

You'll be seeing a boat-load of lines on the screen, and finally, after the DNS delay etc, you obtain a new cert.
(don't forget to restart all services that use the certificate- as you already figured out)

.......
Rm2nmWhlbYL+R+4lLJmrPlkl6tSkxk05AOHF
-----END CERTIFICATE-----
[Mon Apr 15 13:03:04 CEST 2019] Your cert is in  /tmp/acme/V2_brit-hotel-fumel.net//brit-hotel-fumel.net/brit-hotel-fumel.net.cer
[Mon Apr 15 13:03:04 CEST 2019] Your cert key is in  /tmp/acme/V2_brit-hotel-fumel.net//brit-hotel-fumel.net/brit-hotel-fumel.net.key
[Mon Apr 15 13:03:04 CEST 2019] The intermediate CA cert is in  /tmp/acme/V2_brit-hotel-fumel.net//brit-hotel-fumel.net/ca.cer
[Mon Apr 15 13:03:04 CEST 2019] And the full chain certs is there:  /tmp/acme/V2_brit-hotel-fumel.net//brit-hotel-fumel.net/fullchain.cer
[Mon Apr 15 13:03:04 CEST 2019] Run reload cmd: /tmp/acme/V2_brit-hotel-fumel.net/reloadcmd.sh

IMPORT CERT V2_brit-hotel-fumel.net, /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.net/brit-hotel-fumel.net.key, /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.net/brit-hotel-fumel.net.cer
update cert![Mon Apr 15 13:03:11 CEST 2019] Reload success
[Mon Apr 15 13:02:54 CEST 2019] key /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key is unreadable
[Mon Apr 15 13:02:54 CEST 2019] Error rm webroot api for domain:dns_nsupdate
[Mon Apr 15 13:03:00 CEST 2019] key /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key is unreadable
[Mon Apr 15 13:03:00 CEST 2019] Error rm webroot api for domain:dns_nsupdate
[Mon Apr 15 13:03:00 CEST 2019] key /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key is unreadable
[Mon Apr 15 13:03:00 CEST 2019] Error removing txt for domain:_acme-challenge.brit-hotel-fumel.net
[Mon Apr 15 13:03:00 CEST 2019] key /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key is unreadable
[Mon Apr 15 13:03:00 CEST 2019] Error removing txt for domain:_acme-challenge.brit-hotel-fumel.net

[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ls -al /tmp/acme/V2_brit-hotel-fumel.net
total 248
drwxr-xr-x  5 root  wheel     512 Apr  9 16:50 .
drwxr-xr-x  3 root  wheel     512 Feb  7 14:37 ..
-rw-r--r--  1 root  wheel     431 Apr 15 13:03 accountconf.conf
-rw-r--r--  1 root  wheel  209317 Apr 15 13:03 acme_issuecert.log
drwxr-xr-x  3 root  wheel     512 Apr  9 16:51 brit-hotel-fumel.net
-rw-r--r--  1 root  wheel     105 Apr 15 12:59 brit-hotel-fumel.netnsupdate_acme-challenge.brit-hotel-fumel.net.key
-rw-r--r--  1 root  wheel      13 Apr 15 12:59 brit-hotel-fumel.netnsupdate_acme-challenge.brit-hotel-fumel.net.server
drwxr-xr-x  3 root  wheel     512 Feb  7 14:37 ca
-rw-r--r--  1 root  wheel     592 Apr 15 13:03 http.header
drwxr-xr-x  2 root  wheel     512 Apr  9 16:50 httpapi
-rwxr-xr-x  1 root  wheel     394 Apr 15 12:59 reloadcmd.sh
[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root:

Strange. It tries to delete
brit-hotel-fumel.netnsupdate.key
But the file is really called :
brit-hotel-fumel.netnsupdate_acme-challenge.brit-hotel-fumel.net.key

Looks like the "_acme-challenge.brit-hotel-fumel.net" part is missing when it constructs the file to delete.
Minor issue actually.

@jimp : can you confirm ?

My settings :

chudak · Apr 15, 2019, 3:47 PM

@Gertjan said in Cert update dates:

@chudak said in Cert update dates:

is there a simple way to test that email works from letsencrypt ?

Oh, yes !
Get some certs from the Staging server. As soon as you get one of them, you'll be mail stormed after de delay.
I never received a mail that told me that I was late to renew a 'real' certificate. All my certs just renew by itself after 60 days - or the period I choose, which is generally somewhat less then 60 days.

I was looking for a simple way to either trigger email or see what certificates associated with my email.

Thanks for details !

johnpoz · Jun 8, 2019, 4:38 PM

@chudak said in Cert update dates:

Valid From: Tue, 08 Jan 2019 09:01:48 -0800
Valid Until: Fri, 05 Jan 2029 09:01:48 -0800

That is not a ACME cert

jimp · May 6, 2019, 6:22 PM

To help with some of this confusion, ACME 0.5.7, which I just committed a few minutes ago, now uses RFC 2822 format dates to show the last renewal. This makes it consistent with the dates shown on other certificate-related pages.

chudak · May 6, 2019, 7:30 PM

@jimp Thanks looks good !

chudak · Jun 8, 2019, 4:38 PM

@johnpoz

I am still not 100% sure what's going on with update dates.
So I am a new user of ACME and like it a lot!

Last time I manually updated certificates were April 7th

I expected to start seeing emails 20 days before expiration sometime around 10th of July.

I actually saw that certificates were renewed yesterday June 7th.

What am I missing ?

Thx

Derelict · Jun 8, 2019, 4:40 PM

It was automatically-renewed like it was supposed to be.

Certbot runs every day. It checks the dates. If it needs to be renewed it runs the process. If everything works you have a refreshed cert.

chudak · Jun 8, 2019, 4:41 PM

@Derelict said in Cert update dates:

It was automatically-renewed like it was supposed to be.

Certbot runs every day. It checks the dates. If it needs to be renewed it runs the process. If everything works you have a refreshed cert.

I get that, but why I did not get any emails ?

Gertjan · Jun 8, 2019, 6:07 PM

@chudak said in Cert update dates:

I get that, but why I did not get any emails ?

From who ?
acme works has the FreeBSD/Linux mentality : no news is good news.
There isn't a checkbox that states : "send me a mail" neither.
Although the question was asked before.

When you visit your setup, and the cert is 3 or 4 week, just hit the Renew yourself, and observer the process.
When no errors, and you don't break things afterwards, renewing will just go fine in the future.

edit : or : help yourself : write a small shell script that collects some data , activate it in the Action list and our done.

/usr/local/pkg/acme/acme.sh --home /tmp/acme/[your-domain]/ --list

to see actual cert details.