What happens around renewal time


Running CTW on my IIS
I noticed an issue with the SSL cert around the time it would have renewed.
I just happened to view my site on my phone and got an SSL warning when loading the site, saying the cert was invalid.
I was on my short lunch break at the time, so I thought I would look at it properly when I got home after work.

When I got home the cert was fine and had renewed OK.

So had I just happened to view my site on my phone at the exact moment CTW had deleted the old cert and just before the new cert was in place?

Is there a way to renew the cert, say, the day before expiry to avoid this problem, or is there a totally different problem?

The setting for Auto Renewal Interval (Days) is at 30. Is this correct?

Thanks for reading

I can’t think of a simple explanation for what you saw.

The normal expiration is 90 days for Let’s Encrypt. So you should always have 60-90 days left on your certificate when running Certify at those settings. If Certify encounters an unrecoverable error, or just isn’t running for some reason, Let’s Encrypt will start sending you emails a week in advance of the expiration.

The old certificate is not deleted before the switchover… but I can’t say I know how Certify kicks IIS into replacing the certificate. Worker process recycling is pretty smooth on IIS in my experience, but maybe it takes more than that to change certificates. Primarily I don’t use Certify with IIS, so I don’t scrutinize that process.

Hmm, interesting! I haven’t seen this before but there is an outside chance bindings were in a mixed state (there’s a bunch of gotchas if you ever use IP specific SSL bindings, instead of SNI, for instance).

When Certify renews a cert it first fetches the new certificate and stores it, then it updates your website bindings to use the new certificate thumbprint. By default your old certificate is kept in the store until well after it has expired. The changeover process is normally sub-second, unless a binding commit conflict occurs, in which case we back off for a few seconds and try again; this can happen if you have many websites or many bindings to update, as committing the IIS config takes longer.

Our max renewal interval is 60 days, so there is no way you would approach expiry under normal conditions unless renewal was already failing (which your log file will tell you). Before that time you will, as @jljtgr says, get notifications from both Let’s Encrypt and via the Certify API (enabled by default). A 30-day auto renewal interval means that once your certificate is 30 days old we will start attempting the renewal again.
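The switchover sequence described in the reply above (import the new certificate, re-point the binding at the new thumbprint, retry on a commit conflict, leave the old certificate in the store) can be reproduced with the standard IIS WebAdministration cmdlets. The script below is an added example written for this page; it is not Certify The Web’s own code and does not show how Certify does it internally. The site name, host header, PFX path and retry counts are assumed values.

```powershell
# Added example, not Certify The Web's code: switch an IIS https binding to a renewed
# certificate without ever leaving the binding without a certificate.
# Assumed values: site name, host header and PFX path are hypothetical; adjust them.
# Requires the IIS WebAdministration module (run in an elevated PowerShell session).
Import-Module WebAdministration

$SiteName    = 'Default Web Site'                 # assumed
$HostHeader  = 'www.example.com'                  # assumed (SNI host header)
$PfxPath     = 'C:\certs\www.example.com.pfx'     # assumed path to the renewed cert
$PfxPassword = Read-Host -AsSecureString 'PFX password'
$MaxAttempts = 5                                  # assumed retry budget

# 1. Import the renewed certificate first. The previous certificate stays in the store,
#    so at no point is there a gap between "old cert removed" and "new cert present".
$newCert  = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
$newThumb = $newCert.Thumbprint

# 2. Locate the existing https binding and remember the thumbprint it currently serves.
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostHeader
if (-not $binding) { throw "No https binding for $HostHeader on site '$SiteName'" }
$oldThumb = $binding.certificateHash

# 3. Re-point the binding at the new thumbprint. If committing the IIS configuration
#    fails (for example because another writer holds applicationHost.config),
#    back off for a few seconds and try again instead of leaving the binding half-updated.
$attempt = 0
do {
    $attempt++
    try {
        $binding.AddSslCertificate($newThumb, 'My')
        $done = $true
    } catch {
        if ($attempt -ge $MaxAttempts) { throw }
        Write-Warning "Binding commit failed (attempt $attempt): $($_.Exception.Message); retrying"
        Start-Sleep -Seconds (2 * $attempt)
        $done = $false
    }
} until ($done)

# 4. Verify from http.sys's point of view that the host header now maps to the new cert.
$ssl = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Host -eq $HostHeader }
if (-not $ssl -or $ssl.Thumbprint -ne $newThumb) {
    throw "SSL binding for $HostHeader still reports thumbprint '$($ssl.Thumbprint)', expected $newThumb"
}
Write-Host "Switched $HostHeader from $oldThumb to $newThumb"

# 5. Deliberately do NOT delete the old certificate here. Remove it from
#    Cert:\LocalMachine\My only after it has expired and nothing else references it.
```

The verification step is the one a practitioner would add to a symptom like the one in this thread: if `IIS:\SslBindings` reports the new thumbprint for the host header immediately after the commit, the server side did not go through a "no certificate" window, and the warning seen by a client must have come from somewhere else on the path.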

Here is a little update.

It is actually working fine.

It would appear to be the crap regulated (Vodafone) WiFi that is installed at the supermarket where I work.

Virtually every https site you visit using this WiFi tells us the SSL certs are all bad and expired, and it blocks many, many domains as well; for example, you can pick up Gmail, but any other Google service is blocked (like Google Docs, Sheets, etc.).

So it’s not CTW.

Weird! Some access points act as proxies and some even replace the certificate with their own, so it may just be a software issue there.

When I was at work today, I tried getting to my site and got the message again, so I took some screenshots on my iPhone and have attached them to show what happens.

Essentially what is happening is a “sanctioned” man-in-the-middle attack on your HTTPS connection. Your WiFi or whatever is using this Zscaler company to intercept, decrypt, inspect and re-encrypt your HTTPS traffic.

Of course Zscaler cannot impersonate your original certificate and your phone does not trust Zscaler, so you get warned. Any unsuccessful man-in-the-middle attack would look like this.