auto-ssl / lua-resty-auto-ssl

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let's Encrypt.
MIT License

Constant renewal of certificates before expiration #138

Open Vad1mo opened 6 years ago

Vad1mo commented 6 years ago

I am monitoring the issued certificates with https://developers.facebook.com/docs/certificate-transparency/

Recently I see that certs are reissued almost every day. However, there aren't any suspicious log entries or exceptions. This also happens to other domains of mine.

This is an excerpt for one domain from the last few days: [image]

Here is my config. The only difference from the default is that I point to resolver 127.0.0.11 valid=120s ipv6=off; this also allows me to resolve container names via domain name. However, it also works for external names:

dig @127.0.0.11 +short acme-v01.api.letsencrypt.org
api.letsencrypt.org-ng.edgekey.net.
e14990.dscx.akamaiedge.net.
104.123.22.170

nginx.conf

daemon off;

worker_processes  2;

error_log /dev/stdout info;

events {
  worker_connections 1024;
}

# Switch between the Let's Encrypt staging and production environments
# (read by selectDirectory() in init_by_lua_block below).
env ACME_STAGE_ENVIRONMENT;

http {
  include       /usr/local/openresty/nginx/conf/mime.types;
  default_type  application/octet-stream;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$upstream_response_time"';

  access_log /dev/stdout;

  sendfile        on;

  keepalive_timeout  65;

  lua_shared_dict auto_ssl 1m;
  lua_shared_dict auto_ssl_settings 64k;

  # A DNS resolver must be defined for OCSP stapling to function.
  # resolver 1.1.1.1 ipv6=off;

  # Initial setup tasks.
  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()

    -- Accept every SNI name: any hostname a client presents will trigger an
    -- ACME order (which only completes if the name resolves to this server).
    -- Tighten this to the names you actually serve.
    auto_ssl:set("allow_domain", function(domain)
      return true
    end)
    -- Base directory auto-ssl uses for its files (certificates included,
    -- with the default file storage adapter).
    auto_ssl:set("dir", "/var/lib/certs")

    -- Pick the ACME directory: staging when ACME_STAGE_ENVIRONMENT is set.
    -- os.getenv only sees the variable because of the env directive above.
    function selectDirectory()
      if os.getenv("ACME_STAGE_ENVIRONMENT") then
        print("Using Let's Encrypt Staging Environment")
        return "https://acme-staging.api.letsencrypt.org/directory"
      else
        print("Using Let's Encrypt Prod Environment")
        return "https://acme-v01.api.letsencrypt.org/directory"
      end
    end

    auto_ssl:set("ca", selectDirectory())
    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

  # Internal server running on port 8999 for handling certificate tasks.
  server {
    listen 127.0.0.1:8999;

    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }

  gzip  on;
  gzip_http_version   1.1;
  gzip_vary       on;
  gzip_comp_level 9;
  gzip_proxied    any;
  gzip_types      text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss application/javascript text/javascript;
  gzip_buffers    16  8k;
  gzip_disable    "MSIE [1-6].(?!.*SV1)";

  resolver 127.0.0.11 valid=120s ipv6=off;
  resolver_timeout 5s;

  include /etc/nginx/*.conf;

  #
  # Common Proxy settings
  #
  # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
  # scheme used to connect to this server
  map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    ''      $scheme;
  }

  # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
  # server port the client connected to
  map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    ''      $server_port;
  }

  # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
  # Connection header that may have been passed to this server
  map $http_upgrade $proxy_connection {
    default upgrade;
    '' close;
  }

  # Set appropriate X-Forwarded-Ssl header
  map $scheme $proxy_x_forwarded_ssl {
    default off;
    https on;
  }

  proxy_http_version 1.1;
  proxy_buffering off;
  proxy_request_buffering off;
  proxy_set_header Host $http_host;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $proxy_connection;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
  proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
  proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
  client_max_body_size 0;

}

luto commented 6 years ago

It seems like this is even causing multiple renewals on a single day, which is interesting because the default check interval is 24 hours.

Sorry for the delayed initial response, but I hope that we're able to clear this up.
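Both comments above describe certificates appearing in CT far more often than a renew-before-expiry policy should produce, including more than once per day. The script below is an added example for this thread and is not code from lua-resty-auto-ssl; it runs the checks a CT monitor feed makes possible: issuances made while the previous certificate still had plenty of validity left, the most issuances seen in any one day, and whether the rate crosses Let's Encrypt's duplicate-certificate limit (5 per 7 days for the same set of names), which is what turns a renewal loop into an outage once legitimate renewal gets refused. The record format (name, not_before, not_after) is a constructed simplification of what a CT monitor reports, not the exact shape of any CT API response, and the 30-day renewal lead is an assumed policy, not a value read from auto-ssl. Any issuance you cannot account for should also be treated as a possible unauthorised issuance until the cause is found.

```python
"""Detect runaway certificate (re)issuance from CT-log-style records.

Added example for this thread, not code from lua-resty-auto-ssl. The record
format (name, not_before, not_after) is a constructed simplification of what
a CT monitor reports, not the exact shape of any CT API response.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the thread: one name is reissued almost
# daily (twice on 2018-03-02), the other renews normally. Let's Encrypt
# certificates are valid for 90 days. The repeated first row stands in for
# the precertificate and final certificate that a CT monitor may list
# separately for a single issuance.
SAMPLE_RECORDS = [
    ("app.example.org", "2018-03-01T08:00:00Z", "2018-05-30T08:00:00Z"),
    ("app.example.org", "2018-03-01T08:00:00Z", "2018-05-30T08:00:00Z"),
    ("app.example.org", "2018-03-02T08:05:00Z", "2018-05-31T08:05:00Z"),
    ("app.example.org", "2018-03-02T20:10:00Z", "2018-05-31T20:10:00Z"),
    ("app.example.org", "2018-03-03T09:00:00Z", "2018-06-01T09:00:00Z"),
    ("app.example.org", "2018-03-04T08:02:00Z", "2018-06-02T08:02:00Z"),
    ("app.example.org", "2018-03-05T08:00:00Z", "2018-06-03T08:00:00Z"),
    ("static.example.org", "2018-01-10T00:00:00Z", "2018-04-10T00:00:00Z"),
    ("static.example.org", "2018-03-12T00:00:00Z", "2018-06-10T00:00:00Z"),
]

# Renewal policy the checker assumes (an assumption, not read from auto-ssl):
# a cert should only be replaced inside the last RENEW_DAYS of its validity.
RENEW_DAYS = 30
# Let's Encrypt's duplicate-certificate rate limit: 5 per 7 days for the same
# set of names. Exceeding it blocks further issuance for that set.
DUPLICATE_LIMIT = 5
DUPLICATE_WINDOW = timedelta(days=7)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def group_by_name(records):
    """Return {name: sorted list of (not_before, not_after)}, with the
    precert/final-cert duplicates collapsed (identical validity period)."""
    grouped = defaultdict(set)
    for name, not_before, not_after in records:
        grouped[name].add((parse_ts(not_before), parse_ts(not_after)))
    return {name: sorted(certs) for name, certs in grouped.items()}


def max_in_window(times, window):
    """Largest number of issuances inside any sliding window (t - window, t]."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while times[start] <= t - window:
            start += 1
        best = max(best, end - start + 1)
    return best


def premature_renewals(certs, renew_days=RENEW_DAYS):
    """Count issuances made while the previous cert still had more than
    renew_days of validity left; a renew-before-expiry job never does this."""
    count = 0
    for (_, prev_not_after), (not_before, _) in zip(certs, certs[1:]):
        if prev_not_after - not_before > timedelta(days=renew_days):
            count += 1
    return count


def analyse(records):
    """Per-name summary of issuance behaviour."""
    report = {}
    for name, certs in group_by_name(records).items():
        times = [not_before for not_before, _ in certs]
        per_week = max_in_window(times, DUPLICATE_WINDOW)
        report[name] = {
            "issued": len(certs),
            "premature": premature_renewals(certs),
            "max_per_day": max_in_window(times, timedelta(days=1)),
            "max_per_week": per_week,
            "over_duplicate_limit": per_week > DUPLICATE_LIMIT,
        }
    return report


def suspicious_names(records):
    """Names showing any sign of a renewal loop."""
    return sorted(
        name for name, r in analyse(records).items()
        if r["premature"] or r["max_per_day"] > 1 or r["over_duplicate_limit"]
    )


if __name__ == "__main__":
    for name, summary in sorted(analyse(SAMPLE_RECORDS).items()):
        print(name, summary)
    print("suspicious:", suspicious_names(SAMPLE_RECORDS))
```

Keyed on the primary name only, the duplicate-limit check is an approximation: Let's Encrypt counts the exact set of SANs, so a certificate whose name list changes between issuances is not a duplicate in its terms, and the real CT records should be grouped on the full SAN set when it varies.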