
"Certificate [...] already found" on ignored Certificate

Open drewek-smf opened this issue 4 years ago • 2 comments

Hi

I'm pretty sure it's not a bug in the lib, but rather something on my side, I just can't figure out.

I'm using LettuceEncrypt (1.1.0-beta-73) and implemented GetCertificatesAsync from ICertificateSource in my DB Context. There, I read the DB for an existing Certificate (it's single domain):

  • If not found at all, I return an empty List<X509Certificate2>
  • If found, I return the list with this Certificate as new X509Certificate2(Convert.FromBase64String(...))

So long, this works fine. Including a renewal of the found Certificate, if it's expired.

But I want to renew a Certificate earlier than actual expiry. So if I find a Certificate, I check its NotAfter property, and if it remains active for less than 30 days, I just write a debug message and omit the Certificate, hence returning an empty List<X509Certificate2>. The issue now is that for such a use case I can see my debug message, but the following log line says "Certificate for XYZ already found" - this comes from LettuceEncrypt.Internal.AcmeStates.MoveNext(). Opening the Web Page again, my Browser still shows the old Certificate as still valid (it IS valid, but I did return an empty list, omitting this Certificate). Opening the page in other Browsers which I did not use for some time, they still show the old valid Certificate. BUT - some users are using CLI Requests (such as cURL) to query my APIs, and they get errors regarding SSL.

What I currently do in this case is: alter the Server Date (+1 month) and restart my app, so the Certificate is apparently expired. This works, and LettuceEncrypt refreshes it regularly. All Browsers and CLI Clients stop complaining.

What am I doing wrong..?

Regards, Michael

drewek-smf · Aug 27 '21 06:08

One more thing: I now changed the Domain Name in the DB for the existing Certificate (which expires in a few days) by appending an X. My app therefore did not find a matching Certificate on startup, but the log still contains the "Certificate already found" message...? Where does it find it??

drewek-smf · Aug 27 '21 07:08

So first of all

> But I want to renew a Certificate earlier than actual expiry.

Did you try using this? The default is that renewal occurs 30 days before expiration, but you can adjust this higher if you want.

https://github.com/natemcmaster/LettuceEncrypt/blob/76a240de31cd9605c3c28ae75335a1305c8b33f0/src/LettuceEncrypt/LettuceEncryptOptions.cs#L64

> but the log still contains the "Certificate already found" message...? Where does it find it??

It's really hard to say without steps to reproduce the same situation, sorry.

natemcmaster · Oct 22 '21 02:10
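The two threads of the discussion above (a database-backed ICertificateSource, and configuring early renewal through the options instead of withholding a certificate) combined into one worked example. This is added illustration code, not code from the issue or from the LettuceEncrypt project. The ICertificateRecordStore interface, the CertificateRecord row shape and the AddDbBackedLettuceEncrypt helper are assumed placeholders for the poster's own DbContext; ICertificateSource, AddLettuceEncrypt and RenewDaysInAdvance are LettuceEncrypt names as I know them, so check them against the linked LettuceEncryptOptions.cs for the version you run. The source only drops a certificate when it genuinely cannot be served (no private key, or outside its validity window) and otherwise returns it even when it is close to expiry; the "renew early" requirement is handled by the option.

```csharp
// Added example, not code from the issue or from LettuceEncrypt itself.
// Assumed placeholders: ICertificateRecordStore, CertificateRecord, AddDbBackedLettuceEncrypt.
// Assumed LettuceEncrypt names: ICertificateSource, AddLettuceEncrypt, RenewDaysInAdvance.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using LettuceEncrypt;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Assumed row shape: the issue stores the certificate as a base64-encoded PFX.
public sealed class CertificateRecord
{
    public string Domain { get; set; } = "";
    public string PfxBase64 { get; set; } = "";
}

// Assumed abstraction over the poster's DbContext lookup.
public interface ICertificateRecordStore
{
    Task<CertificateRecord?> FindByDomainAsync(string domain, CancellationToken ct);
}

public sealed class DbCertificateSource : ICertificateSource
{
    private readonly ICertificateRecordStore _store;
    private readonly ILogger<DbCertificateSource> _logger;
    private readonly string _domain;

    public DbCertificateSource(ICertificateRecordStore store, ILogger<DbCertificateSource> logger, string domain)
    {
        _store = store;
        _logger = logger;
        _domain = domain;
    }

    public async Task<IEnumerable<X509Certificate2>> GetCertificatesAsync(CancellationToken cancellationToken)
    {
        var record = await _store.FindByDomainAsync(_domain, cancellationToken);
        if (record is null)
        {
            _logger.LogInformation("No stored certificate for {Domain}; LettuceEncrypt will request one", _domain);
            return Array.Empty<X509Certificate2>();
        }

        var cert = new X509Certificate2(Convert.FromBase64String(record.PfxBase64));

        // Only withhold a certificate that cannot be served at all: without its private key
        // the TLS stack cannot use it, and outside its validity window every client rejects it.
        if (!cert.HasPrivateKey)
        {
            _logger.LogWarning("Stored certificate for {Domain} has no private key; ignoring it", _domain);
            return Array.Empty<X509Certificate2>();
        }

        var now = DateTime.UtcNow;
        var notBefore = cert.NotBefore.ToUniversalTime();
        var notAfter = cert.NotAfter.ToUniversalTime();
        if (now < notBefore || now >= notAfter)
        {
            _logger.LogWarning("Stored certificate for {Domain} is outside its validity window ({NotBefore:u} to {NotAfter:u}); ignoring it",
                _domain, notBefore, notAfter);
            return Array.Empty<X509Certificate2>();
        }

        // Still valid: keep serving it, even if it expires soon. Early renewal is driven by
        // RenewDaysInAdvance in the registration below, not by hiding a valid certificate here.
        _logger.LogDebug("Stored certificate for {Domain} valid for {Days:F0} more days", _domain, (notAfter - now).TotalDays);
        return new[] { cert };
    }
}

public static class LettuceEncryptRegistration
{
    // Assumed helper name; wires the options and the custom source together.
    public static IServiceCollection AddDbBackedLettuceEncrypt(this IServiceCollection services, string domain, string email)
    {
        services.AddLettuceEncrypt(options =>
        {
            options.DomainNames = new[] { domain };
            options.EmailAddress = email;
            options.AcceptTermsOfService = true;
            // Renew 45 days before NotAfter instead of the 30-day default.
            options.RenewDaysInAdvance = TimeSpan.FromDays(45);
        });

        services.AddSingleton<ICertificateSource>(sp => new DbCertificateSource(
            sp.GetRequiredService<ICertificateRecordStore>(),
            sp.GetRequiredService<ILogger<DbCertificateSource>>(),
            domain));
        return services;
    }
}
```

Call `services.AddDbBackedLettuceEncrypt("example.com", "admin@example.com")` from Startup (both values are placeholders). The matching ICertificateRepository that writes a renewed certificate back to the database is not shown; without it the renewed certificate exists only for the running process, and the source above will keep returning the older row after a restart.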

This issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please comment if you believe this should remain open, otherwise it will be closed in 14 days. Thank you for your contributions to this project.

github-actions[bot] · Oct 23 '22 02:10

Closing due to inactivity. If you are looking at this issue in the future and think it should be reopened, please leave a comment here and mention natemcmaster so he sees the notification.

github-actions[bot] · Nov 07 '22 02:11