How can I verify if/when Let's Encrypt will renew my Central cert?

Could you please let me know how long it waits to auto-renew the certificates? And how do I know/check if the certificate was auto-renewed?
I got a notification email that my certificate will expire in 19 days (on 2023-09-12). Then I checked the nginx logs using:

docker compose logs nginx

The last message that is more or less legible to me is the following:

central-nginx-1  | 2023/08/16 12:36:37 [info] Running the autorenewal service
central-nginx-1  | 2023/08/16 12:36:37 [info] Starting certificate renewal process
central-nginx-1  | 2023/08/16 12:36:37 [info] Requesting an ECDSA certificate for '[edited out]' (http-01 through webroot)
central-nginx-1  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
central-nginx-1  | Certificate not yet due for renewal
central-nginx-1  | 
central-nginx-1  | 
central-nginx-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
central-nginx-1  | Certificate not yet due for renewal; no action taken.
central-nginx-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then, there was a line with "certificate" inside:

central-nginx-1 | [edited out] - - [22/Aug/2023:03:04:17 +0000] "GET /certificate/ HTTP/1.1" 301 169 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)" "-"

Thanks in advance for any advice. The last thing I would want is to have our data collection interrupted.

Check the expiration date on the cert you have loaded on the server by putting your domain name in https://www.sslshopper.com/ssl-checker.html. The renewal email might be about an older cert that you'd requested and thrown away.

Many thanks for a quick response. Very much appreciated!

I had a different DNS name assigned to ODK Central on our Azure VM (inside .env file) and after some time updated it to a new DNS name. In the email I got, it lists both DNS names. Are you talking about such a situation or something else?

The website https://www.sslshopper.com/ssl-checker.html shows that the certificate will expire in 23 days.

I did a recompose and checked the logs again:

central-nginx-1  | writing fresh nginx templates...
central-nginx-1  | starting nginx for letsencrypt...
central-nginx-1  | 2023/08/23 20:12:16 [info] Starting the Nginx service
central-nginx-1  | 2023/08/23 20:12:16 [info] Running the autorenewal service
central-nginx-1  | 2023/08/23 20:12:16 [notice] 56#56: using the "epoll" event method
central-nginx-1  | 2023/08/23 20:12:16 [notice] 56#56: nginx/1.23.4
central-nginx-1  | 2023/08/23 20:12:16 [notice] 56#56: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
central-nginx-1  | 2023/08/23 20:12:16 [notice] 56#56: OS: Linux 5.15.0-1041-azure
central-nginx-1  | 2023/08/23 20:12:16 [notice] 56#56: getrlimit(RLIMIT_NOFILE): 1048576:1048576
central-nginx-1  | 2023/08/23 20:12:16 [notice] 56#56: start worker processes
central-nginx-1  | 2023/08/23 20:12:16 [notice] 56#56: start worker process 76
central-nginx-1  | 2023/08/23 20:12:16 [notice] 56#56: start worker process 77
central-nginx-1  | 2023/08/23 20:12:16 [info] Starting certificate renewal process
central-nginx-1  | 2023/08/23 20:12:16 [info] Requesting an ECDSA certificate for '[edited out]' (http-01 through webroot)
central-nginx-1  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
central-nginx-1  | Certificate not yet due for renewal
central-nginx-1  | 
central-nginx-1  | 
central-nginx-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
central-nginx-1  | Certificate not yet due for renewal; no action taken.
central-nginx-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
central-nginx-1  | 2023/08/23 20:12:18 [notice] 150#150: signal process started
central-nginx-1  | 2023/08/23 20:12:18 [notice] 56#56: signal 1 (SIGHUP) received from 150, reconfiguring
central-nginx-1  | 2023/08/23 20:12:18 [notice] 56#56: reconfiguring
central-nginx-1  | 2023/08/23 20:12:18 [notice] 56#56: using the "epoll" event method
central-nginx-1  | 2023/08/23 20:12:18 [notice] 56#56: start worker processes
central-nginx-1  | 2023/08/23 20:12:18 [notice] 56#56: start worker process 151
central-nginx-1  | 2023/08/23 20:12:18 [notice] 56#56: start worker process 153
central-nginx-1  | 2023/08/23 20:12:18 [info] Autorenewal service will now sleep 8d
central-nginx-1  | 2023/08/23 20:12:18 [notice] 76#76: gracefully shutting down

I wonder when it is the time for renewal?

I haven't looked hard at the source code, but my expectation is that it renews before 30 days is up.

You can check the renewals of your cert by going to https://crt.sh/?match==&deduplicate=Y&CN=mycentralserver.com. You should see new certs every two months or so.

Given that you've done some domain name changes, it might be good to throw away the nginx container and rebuild it. Note that the up command will be slower than it usually is, so I'd plan for 10-15 minutes of downtime.

docker compose stop
docker rm central-nginx-1
docker compose build
docker compose up -d

Only run the above steps once. If you do it multiple times, you'll run into Let's Encrypt's quotas.

Thank you for your suggestions. It is very much appreciated.

At first, I tested on our test ODK server, and it worked; the crt.sh website showed a new certificate for 90 days until November. Then I did the same on the production server, but crt.sh did not show the new certificate for some reason. Also, the ssl-checker website still shows the old certificates for both sites. I then found another website that showed new certificates for both test and production until November: https://www.digicert.com/help/
So, apparently there is an inconsistency among SSL checker websites in how they show information.

I have checked nginx logs on the production server by running: docker compose logs nginx and got the following confirmation:

central-nginx-1  | Successfully received certificate.
central-nginx-1  | Certificate is saved at: /etc/letsencrypt/live/[edited]/fullchain.pem
central-nginx-1  | Key is saved at:         /etc/letsencrypt/live/[edited]/privkey.pem
central-nginx-1  | This certificate expires on 2023-11-23.
central-nginx-1  | These files will be updated when the certificate renews.

Is it possible to somehow check if the certificate will be renewed automatically next time?

On ODK Cloud, we have external monitoring to ensure certs are not expiring. I'm not aware of a free way to check if certs are renewing.

I'd set a calendar event for 2 weeks before the current cert is set to renew and confirm that the renewals are happening as you wish.

Thanks, but I was wondering whether there is some docker command I could run to check the certificate auto-renewal, or whether it's only possible by checking nginx logs and with websites like digicert.com?

You can run docker exec -it central-nginx-1 /scripts/run_certbot.sh to check the status of the cert.

You can also run docker exec -it central-nginx-1 /scripts/run_certbot.sh --force to force a renewal.

Using "force" will make new requests for your certificates, so don't run it too often since there are some limits to requesting production certificates.
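
An added example, not part of the thread and not ODK Central's own code: because the checker websites mentioned above gave inconsistent answers, this script reads the expiry date directly from the certificate the server presents during a TLS handshake and reports the days remaining. The host name central.example.org and the 14-day warning threshold are assumptions; the date format is the one Python's ssl module returns.

```python
#!/usr/bin/env python3
"""Report how many days remain on the certificate a server actually presents."""
import socket
import ssl
import sys
import time

WARN_DAYS = 14  # assumption: warn two weeks ahead, matching the calendar-reminder advice


def fetch_not_after(host, port=443, timeout=10):
    """Do a TLS handshake and return the leaf certificate's notAfter string."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]  # e.g. 'Nov 23 00:00:00 2023 GMT'


def days_remaining(not_after, now=None):
    """Whole days from `now` (epoch seconds, default: current time) to notAfter."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def status(not_after, now=None, warn_days=WARN_DAYS):
    """Classify the certificate as 'ok', 'expiring' or 'expired'."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired", left
    return ("expiring" if left < warn_days else "ok"), left


def main(argv):
    host = argv[1] if len(argv) > 1 else "central.example.org"  # placeholder name
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # An expired or mismatched certificate already fails the handshake.
        print(f"{host}: certificate verification failed: {exc.verify_message}")
        return 2
    state, left = status(not_after)
    print(f"{host}: notAfter={not_after} days_left={left} status={state}")
    return 0 if state == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on a schedule from a machine other than the Central server; a non-zero exit status means the certificate is inside the warning window or failed verification.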