Managed certificate expires in less than 60 hours

The certificate served at, managed as part of the “filippo” app, expires on Nov 14 23:24:03 2022 GMT, which is awfully close.

Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 16 23:24:04 2022 GMT; NotAfter: Nov 14 23:24:03 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT

flyctl certs says that everything is ok with that certificate.

The certificate for has been issued.

Hostname                  =

DNS Provider              = aws

Certificate Authority     = Let's Encrypt

Issued                    = rsa,ecdsa,rsa,ecdsa

Added to App              = 6 months ago

Source                    = fly

The DNS record points to the app.

$ dig +short
$ dig +short

It doesn’t look like a new one has been issued yet at all: |

This looks related to Certificate hasn't auto-renewed and will expire in 11 days and I have also noticed alerts for other certificates over time, but never this close.

Besides generating alerts in my certificate monitoring system, cutting renewals so close is dangerous in case Let’s Encrypt was to have an outage. Is everything working as intended?

1 Like

Looks like they were just generated. Likely due to triggering a manual check by running flyctl certs.

I’m working on this now, trying to figure out what’s happening.

1 Like

I have found the issue and am implementing a fix.


This is now fixed and automatic renewal will work next time. Very sorry about that.

Looking into adding monitoring and alerting around this issue. It was silently failing.


Awesome, thank you for the quick turnaround!