natemcmaster / LettuceEncrypt

Free, automatic HTTPS certificate generation for ASP.NET Core web apps
https://nuget.org/packages/LettuceEncrypt
Apache License 2.0
1.55k stars 153 forks

"Certificate [...] already found" on ignored Certificate #213

Closed drewek-smf closed 1 year ago

drewek-smf commented 2 years ago

Hi

I'm pretty sure it's not a bug in the lib, but rather something on my side, I just can't figure out.

I'm using LettuceEncrypt (1.1.0-beta-73) and implemented GetCertificatesAsync from ICertificateSource in my DB Context. There, I read the DB for an existing Certificate (it's single domain):

So far, this works fine, including renewal of the found Certificate if it has expired.

But I want to renew a Certificate earlier than its actual expiry. So if I find a Certificate, I check its NotAfter property, and if it remains valid for less than 30 days, I just write a debug message and omit the Certificate, hence returning an empty list. The issue now is that for such a use case I can see my debug message, but the following log line says "Certificate for XYZ already found" - this comes from LettuceEncrypt.Internal.AcmeStates.MoveNext(). Opening the web page again, my browser still shows the old Certificate as still valid (it IS valid, but I did return an empty list, omitting this Certificate). Opening the page in other browsers which I have not used for some time, they still show the old, valid Certificate. BUT - some users are using CLI requests (such as cURL) to query my APIs, and they get errors regarding SSL.

What I currently do in this case is: alter the server date (+1 month) and restart my app, so the Certificate is apparently expired. This works, and LettuceEncrypt refreshes it regularly. All browsers and CLI clients stop complaining.

What am I doing wrong..?

Regards, Michael

drewek-smf commented 2 years ago

One more thing: I now changed the Domain Name in the DB for the existing Certificate (which expires in a few days) by appending an X. My app therefore did not find a matching Certificate on startup, but the log still contains the "Certificate already found" message...? Where does it find it??

natemcmaster commented 2 years ago

So first of all

But I want to renew a Certificate earlier than actual expiry.

Did you try using this? The default is that renewal occurs 30 days before expiration, but you can adjust this higher if you want.

https://github.com/natemcmaster/LettuceEncrypt/blob/76a240de31cd9605c3c28ae75335a1305c8b33f0/src/LettuceEncrypt/LettuceEncryptOptions.cs#L64

but the log still contains the "Certificate already found" message...? Where does it find it??

It's really hard to say without steps to reproduce the same situation, sorry.
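
The configuration the maintainer points to, as an added example that is not code from the issue or from the LettuceEncrypt project itself. It assumes the `RenewDaysInAdvance` and `RenewalCheckPeriod` properties on `LettuceEncryptOptions` (verify both against the linked options file for your package version), the `ICertificateSource` and `ICertificateRepository` interfaces in the `LettuceEncrypt` namespace, and a hypothetical `ICertificateStore` abstraction standing in for the reporter's DbContext. The point it shows: the source returns whatever certificate it holds, even one close to expiry, and leaves the "renew early" decision to the library's own renewal threshold instead of filtering on `NotAfter` inside the source.

```csharp
// Added example (not from the issue or the LettuceEncrypt repo).
// Program.cs for a minimal ASP.NET Core app.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using LettuceEncrypt;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddLettuceEncrypt(options =>
{
    options.DomainNames = new[] { "api.example.com" };   // placeholder domain
    options.EmailAddress = "admin@example.com";          // placeholder contact
    options.AcceptTermsOfService = true;
    // Assumed option (see the linked LettuceEncryptOptions.cs): renew once fewer
    // than this many days of validity remain. The library default is 30 days;
    // raise it to renew earlier rather than hiding the certificate from the source.
    options.RenewDaysInAdvance = TimeSpan.FromDays(45);
    // Assumed option: how often the background renewal check runs (default 1 day).
    options.RenewalCheckPeriod = TimeSpan.FromHours(12);
});

// Hypothetical DB-backed store; replace with the real DbContext access.
builder.Services.AddSingleton<ICertificateStore, InMemoryCertificateStore>();
// Additional source/repository alongside the library's own registrations.
builder.Services.AddSingleton<DbCertificateSource>();
builder.Services.AddSingleton<ICertificateSource>(sp => sp.GetRequiredService<DbCertificateSource>());
builder.Services.AddSingleton<ICertificateRepository>(sp => sp.GetRequiredService<DbCertificateSource>());

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();

// Hypothetical persistence abstraction: PFX bytes keyed by domain name.
public interface ICertificateStore
{
    Task<byte[]?> LoadPfxAsync(string domain, CancellationToken ct);
    Task SavePfxAsync(string domain, byte[] pfx, CancellationToken ct);
}

// Constructed stand-in so the sample runs without a database.
public sealed class InMemoryCertificateStore : ICertificateStore
{
    private readonly Dictionary<string, byte[]> _rows = new(StringComparer.OrdinalIgnoreCase);
    public Task<byte[]?> LoadPfxAsync(string domain, CancellationToken ct)
        => Task.FromResult(_rows.TryGetValue(domain, out var b) ? b : null);
    public Task SavePfxAsync(string domain, byte[] pfx, CancellationToken ct)
    { _rows[domain] = pfx; return Task.CompletedTask; }
}

// Serves stored certificates to LettuceEncrypt and persists renewed ones.
public sealed class DbCertificateSource : ICertificateSource, ICertificateRepository
{
    private const string Domain = "api.example.com";          // placeholder
    private const string PfxPassword = "change-me-pfx-secret"; // placeholder; load from secret storage
    private readonly ICertificateStore _store;
    private readonly ILogger<DbCertificateSource> _log;

    public DbCertificateSource(ICertificateStore store, ILogger<DbCertificateSource> log)
    { _store = store; _log = log; }

    public async Task<IEnumerable<X509Certificate2>> GetCertificatesAsync(CancellationToken ct)
    {
        var pfx = await _store.LoadPfxAsync(Domain, ct);
        if (pfx is null)
            return Array.Empty<X509Certificate2>();

        var cert = new X509Certificate2(pfx, PfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);

        // Log remaining validity, but always return the certificate: the
        // renewal threshold configured above decides when to request a new one.
        var remaining = cert.NotAfter - DateTime.Now;
        _log.LogInformation("Loaded certificate for {Domain}, {Days:F1} days of validity left",
            Domain, remaining.TotalDays);
        return new[] { cert };
    }

    // Called by LettuceEncrypt after a successful issuance/renewal.
    public Task SaveAsync(X509Certificate2 certificate, CancellationToken ct)
    {
        var pfx = certificate.Export(X509ContentType.Pfx, PfxPassword);
        _log.LogInformation("Persisting renewed certificate, NotAfter={NotAfter}", certificate.NotAfter);
        return _store.SavePfxAsync(Domain, pfx, ct);
    }
}
```

Two practical checks when adopting this pattern: confirm that the renewal threshold you set is larger than the gap between the certificate's `NotAfter` and the time your clients start rejecting it, and that `SaveAsync` actually overwrites the stored row, otherwise the old certificate keeps being served after restart.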

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please comment if you believe this should remain open, otherwise it will be closed in 14 days. Thank you for your contributions to this project.

github-actions[bot] commented 1 year ago

Closing due to inactivity. If you are looking at this issue in the future and think it should be reopened, please leave a comment here and mention natemcmaster so he sees the notification.