nginx-proxy-manager icon indicating copy to clipboard operation
nginx-proxy-manager copied to clipboard

Published 20 hours ago verified publisher icon NginxProxyManager

Auto renew ssl cert

Open JS-E opened this issue 2 years ago • 5 comments

Describe the solution you'd like A button or toggle switch that sets up a cron job to renew an certificate a few days before ssl cert expiry

Describe alternatives you've considered I was going to set up my own one but i think it would be nice as an extra feature

JS-E avatar Sep 05 '22 18:09 JS-E

@JS-E as standard it does this, indeed you can't stop it as far as I know, if its not renewing for you, there is a bug currently that stops the renew if Force SSL is ticked, untick and it can renew, then retick the Force SSL.

the1ts avatar Sep 05 '22 23:09 the1ts

Okay, this isn't very clear when setting up an SSL cert. Would be cool if it was mentioned that it would auto renew and maybe give a date when it's planned to renew.

JS-E avatar Sep 06 '22 20:09 JS-E

From the main page on the homepage

Free SSL Built in Let’s Encrypt support allows you to secure your Web services at no cost to you. The certificates even renew themselves!

the1ts avatar Sep 06 '22 22:09 the1ts

@the1ts - Didn't see that, thanks for pointing that out. Could this perhaps be shown on the actual SSL page as i still don't know what day the SSL cert will actually renew.

JS-E avatar Sep 07 '22 18:09 JS-E

From my very amateur reading of the backend certificate code in NPM and the log files created, the renewal time isn't handled by NPM. NPM simply calls certbot on a 1 hour timer and certbot runs against all current certs, certbot tries a renew of the cert if certbots own renewal time has been met. I think the certbot renewal time is currently at 30 days before expiry. So you get a 90 day cert and after 60 days it will renew. The reason we use NPM and automated letsencrypt in general, is so we don't have to worry about renewal times any longer. Some of this is not much better than guess work, but you can see in the logs when you do a manual renewal, a single cert is attempted in the certbot commandline and certbot will complain about not ready for renewal without reaching out to letsencrypt, when its the hourly renewal no cert is pointed to and not ready for renewal messaging is seen again from certbot but for all known certs. Of note, I've not seen the automated, "your cert is about to expire" email that you get from letsencrypt at about 2 weeks to expiry since moving to NPM, but there is currently an issue around this which is waiting a new build so keep your container up to date. In short we are automating so we don't need to worry about when the cert is renewed. If you have to know when a cert is renewed for some cert pinning problem perhaps NPM and lets encrypt in general isn't the tool you need.

the1ts avatar Sep 08 '22 10:09 the1ts

After checking now and upgrading, i can see this automatically upgrading the cert so i'm happy to close

JS-E avatar Nov 08 '22 19:11 JS-E