Is the LetsEncrypt certificate renewal on a daily basis by the ACME Client/Container on purpose?
If yes, can this be changed? I think there is no need to do it daily.
tnx.
Yes, this is how the ACME Client works. It does not renew though, it just checks daily.
Checking would be perfectly fine, but as you can see below it really does renew. I can also see it when I check the cert.
The interesting thing is that this started on the 15th again, but it did that already a couple of weeks ago.
18.11.2023, 18:15:23 mydomain.com - Certificates were successfully renewed where required, sleeping for another day.
18.11.2023, 18:15:00 mydomain.com - Certificate successfully obtained
17.11.2023, 18:14:08 mydomain.com - Certificates were successfully renewed where required, sleeping for another day.
17.11.2023, 18:13:47 mydomain.com - Certificate successfully obtained
16.11.2023, 18:13:03 mydomain.com - Certificates were successfully renewed where required, sleeping for another day.
16.11.2023, 18:12:43 mydomain.com - Certificate successfully obtained
15.11.2023, 18:11:56 mydomain.com - Certificates were successfully renewed where required, sleeping for another day.
15.11.2023, 18:11:07 mydomain.com - Certificate successfully obtained
tnx.
piperino wrote: "Certificates were successfully renewed where required,"
I guess it's not renewed. If it were, you would see a different validity date on the certificate each day.
And that's the case. The validity dates are changing.
Issued On Saturday, November 18, 2023 at 5:14:57 PM
Expires On Friday, February 16, 2024 at 5:14:56 PM
If you change something like adding domains/SAN etc., it will renew the certificate.
Other than that I don’t know, I am not using the inbuilt ACME container.
esackbauer
Yes, I’ve seen that, which makes perfect sense.
But changed nothing lately.
Just thought anybody out there might be seeing the same behavior and already have an idea why this “force” renewal happens randomly.
Not that it actually helps much, but I am using the built-in ACME container and do not have the same problem:
mail-acme-mailcow-1 | Thu Nov 16 15:08:49 CET 2023 - Using existing domain rsa key /var/lib/acme/acme/key.pem
mail-acme-mailcow-1 | Thu Nov 16 15:08:49 CET 2023 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
mail-acme-mailcow-1 | Thu Nov 16 15:08:49 CET 2023 - Detecting IP addresses...
mail-acme-mailcow-1 | Thu Nov 16 15:08:49 CET 2023 - OK: 65.108.x.y, 2a01:4f9:x:y::1
mail-acme-mailcow-1 | Thu Nov 16 15:08:50 CET 2023 - Validated CAA for parent domain example.com
mail-acme-mailcow-1 | Thu Nov 16 15:08:50 CET 2023 - Found AAAA record for mail.example.com: 2a01:4f9:x:y::1 - skipping A record check
mail-acme-mailcow-1 | Thu Nov 16 15:08:50 CET 2023 - Confirmed AAAA record with IP 2a01:04f9:x:y:0000:0000:0000:0001
mail-acme-mailcow-1 | Thu Nov 16 15:08:50 CET 2023 - Certificate /var/lib/acme/mail.example.com/cert.pem validation done, neither changed nor due for renewal.
mail-acme-mailcow-1 | Thu Nov 16 15:08:50 CET 2023 - Certificates were successfully validated, no changes or renewals required, sleeping for another day.
But: The log output on my instance does not once show a domain after the timestamp. I assume that I’m on an old version of the acme container. My installation is up-to-date, but the first installation took place in Aug. 2022 - since my backup-and-restore-script also differs from the current one in the git, there might also be a difference in the acme container…
Your comment might have brought some light into the dark.
Initially I just checked the logs in the UI. After checking the actual logs via console I saw that the ACME client is also creating certs based on FQDNs found in the DNS.
And those were missing in the mailcow.conf -> “ADDITIONAL_SAN=” .
Maybe that confuses the ACME client.
Added them now to the config and I’ll see soon.
I’ll report back if that was the “issue”.
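
Added example (not part of any post above and not mailcow's own code): a small parser for the UI log format quoted earlier in the thread that separates real issuances ("Certificate successfully obtained") from the daily summary line and flags hosts whose certificates are reissued too soon. The function names, the `ok.example` host and the 30-day threshold are assumptions; the certificate quoted in the thread is valid for 90 days, so issuances a day apart are not scheduled renewals.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the UI log format quoted in the thread.
# mydomain.com is the thread's placeholder; ok.example is invented for contrast.
SAMPLE_LOG = """\
18.11.2023, 18:15:23 mydomain.com - Certificates were successfully renewed where required, sleeping for another day.
18.11.2023, 18:15:00 mydomain.com - Certificate successfully obtained
17.11.2023, 18:13:47 mydomain.com - Certificate successfully obtained
16.11.2023, 18:12:43 mydomain.com - Certificate successfully obtained
15.11.2023, 18:11:07 mydomain.com - Certificate successfully obtained
15.11.2023, 09:00:00 ok.example - Certificate successfully obtained
01.09.2023, 09:00:00 ok.example - Certificate successfully obtained
"""

LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4}, \d{2}:\d{2}:\d{2}) (\S+) - (.*)$")
ISSUED = "Certificate successfully obtained"  # the summary line does not match this


def issuances(log_text):
    """Return {host: sorted datetimes at which a certificate was actually issued}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3).startswith(ISSUED):
            stamp = datetime.strptime(m.group(1), "%d.%m.%Y, %H:%M:%S")
            events[m.group(2)].append(stamp)
    return {host: sorted(times) for host, times in events.items()}


def early_reissues(log_text, min_interval=timedelta(days=30)):
    """Return {host: [(previous, current), ...]} for issuances closer than min_interval.

    min_interval is an assumed threshold, not a value taken from the ACME container.
    """
    findings = {}
    for host, times in issuances(log_text).items():
        pairs = [(a, b) for a, b in zip(times, times[1:]) if b - a < min_interval]
        if pairs:
            findings[host] = pairs
    return findings


if __name__ == "__main__":
    for host, pairs in early_reissues(SAMPLE_LOG).items():
        for prev, cur in pairs:
            print(f"{host}: reissued after {cur - prev} (previous {prev}, current {cur})")
```
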