Any way to determine source for expiration notices?

Every three-ish months I get a nice email reminder from the Expiry Bot that my domain needs to be renewed. However, I just received the notice "will expire in 9 days (on 18 Mar 21 16:00 +0000)" and I already renewed my domain cert almost a month ago?! So I'd like to ask if there is any way to find what is causing this to be generated.

Now, back in January I found, and disabled, an old Windows test server that we had been using to test creating certs and automated renewals. I shut that down and disabled the task back then. I'm wondering if there is yet another "test" certificate on another server somewhere that I don't remember...

Obviously something is still causing the Let's Encrypt monitoring system to see an old cert. I need to find out what it is looking at so I can disable/fix the issue on my servers. Any ideas where to look?


Well, you could look at certificate transparency logs to see all the certificates issued for your domain. https://crt.sh is a popular view into the logs but I believe there are others.

Might it be that you changed the hostnames on a certificate (either adding or removing one or more names)? Doing so means that it's a "different" certificate, so you'd get reminder emails on the old one even though the new one has all the names you want on it and there really isn't a problem.

If you post your domain names somebody in the community here might be able to help you look at the issued certificates and whether they look to be installed properly (assuming the systems are publicly accessible).


Further to what @petercooperjr said, there's no "monitoring" from the Let's Encrypt CA to generate these notices, it's just based on its own records of which certificates have been issued, and whether exactly matching certificates have been issued subsequently. So if you make a change that adds or removes names relative to a previously-issued certificate, Let's Encrypt doesn't try to check whether you're using the new certificate in place of the old one, it just warns you that you haven't obtained an exact replacement for the old one. (But that might be perfectly fine!)


Okay I may have figured out what's happening.

My automated process for cert renewal basically runs the LE64.exe client with these switches: "--renew 16 --unlink --issue-code 100 --live"; however, it seems to get run twice each time the task launches. I'm at a loss to understand why, but crt.sh shows a history of two different certs assigned to the same domains on the same day every three months.

I have the task scheduled to run once every Friday. I'm thinking that since I pass in "16" (days) it is actually renewing the cert each week the task runs? I don't remember what the limits are for how the CA decides to renew or not: does it renew whenever I tell it to? Or is it limited to renew only if the expiration date is within a certain number of days?

Anyway, that is my best guess so far for what is happening and why. The problem is now how do I make it only renew once each time? Hmmm...

I'm afraid I may have misled you a bit in pointing to crt.sh without explaining it better; each certificate will show up in the list there twice, once as a "Precertificate" before the cert is actually issued and once as a "Leaf Certificate" of the actual certificate that was issued. So it's likely that your renewal is only happening the once when you're expecting it to.

Look at the dates for the certificates being issued and the ones about to expire to make sure that the ones you're expecting to be renewed are in fact being so.

If you give your domain name, and the full text of the email you got, people here may be able to help you decipher exactly what's happening.
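An added example, not code from this thread or from Let's Encrypt, that puts the two points made in the replies into a checkable form: it collapses the precertificate/leaf pairs that crt.sh lists for each certificate (so a renewal is not mistaken for a double issuance), and it then applies the expiry-mailer rule described above, which warns about a certificate unless one with exactly the same set of names was issued later, while separately reporting whether a later certificate covers all of the old names (in which case the notice is benign). The records are constructed to resemble crt.sh's JSON output and to reproduce the situation in the original post; the field names, the 20-day warning window and the name-set rule are assumptions, not a statement of how crt.sh or Let's Encrypt are implemented.

```python
"""Interpret Let's Encrypt expiry notices from crt.sh-style certificate records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, shaped like crt.sh's JSON output (https://crt.sh/?q=<domain>&output=json).
# Field names are an assumption about that format. Every certificate appears twice,
# once as the precertificate and once as the leaf; both rows carry the same serial.
# Cert 03a1 is the "old" cert from the post; 04b2 was issued a month later with an added name.
SAMPLE_RECORDS = [
    {"id": 1001, "serial_number": "03a1", "name_value": "example.com\nwww.example.com",
     "not_before": "2020-12-18T15:00:00", "not_after": "2021-03-18T16:00:00"},
    {"id": 1002, "serial_number": "03a1", "name_value": "example.com\nwww.example.com",
     "not_before": "2020-12-18T15:00:00", "not_after": "2021-03-18T16:00:00"},
    {"id": 2001, "serial_number": "04b2",
     "name_value": "example.com\nmail.example.com\nwww.example.com",
     "not_before": "2021-02-18T10:00:00", "not_after": "2021-05-19T10:00:00"},
    {"id": 2002, "serial_number": "04b2",
     "name_value": "example.com\nmail.example.com\nwww.example.com",
     "not_before": "2021-02-18T10:00:00", "not_after": "2021-05-19T10:00:00"},
]

# Time at which the "will expire in 9 days (on 18 Mar 21 16:00)" notice would be sent (assumed).
NOTICE_TIME = datetime(2021, 3, 9, 16, 0)


def parse_records(records):
    """Normalise rows: split the newline-separated SAN list, parse the timestamps."""
    certs = []
    for r in records:
        names = frozenset(n.strip().lower() for n in r["name_value"].split("\n") if n.strip())
        certs.append({
            "id": r["id"],
            "serial": r["serial_number"],
            "names": names,
            "not_before": datetime.fromisoformat(r["not_before"]),
            "not_after": datetime.fromisoformat(r["not_after"]),
        })
    return certs


def dedupe_by_serial(certs):
    """Collapse the precertificate and leaf rows into one entry per issued certificate."""
    by_serial = {}
    for c in certs:
        by_serial.setdefault(c["serial"], c)
    return list(by_serial.values())


def issuances_per_day(certs):
    """How many distinct certificates were issued per calendar day (after de-duplication)."""
    counts = defaultdict(int)
    for c in certs:
        counts[c["not_before"].date().isoformat()] += 1
    return dict(counts)


def certs_needing_notice(certs, now, window_days=20):
    """Assumed mailer rule: warn about an unexpired cert inside the window unless a cert
    with exactly the same name set was issued after it. Superset certs do not count."""
    due = []
    for c in certs:
        if c["not_after"] <= now or c["not_after"] - now > timedelta(days=window_days):
            continue
        replaced = any(o["names"] == c["names"] and o["not_before"] > c["not_before"]
                       for o in certs)
        if not replaced:
            due.append({"serial": c["serial"], "names": sorted(c["names"]),
                        "days_left": (c["not_after"] - now).days})
    return due


def covering_successors(certs, serial):
    """Serials of later certificates whose names include every name of the given cert.
    A non-empty result means the expiry notice can safely be ignored."""
    old = next(c for c in certs if c["serial"] == serial)
    return sorted(o["serial"] for o in certs
                  if o["not_before"] > old["not_before"] and old["names"] <= o["names"])


def analyse(records, now=NOTICE_TIME):
    """End-to-end summary a practitioner would check when a notice looks wrong."""
    certs = dedupe_by_serial(parse_records(records))
    due = certs_needing_notice(certs, now)
    return {
        "unique_certs": len(certs),
        "issuances_per_day": issuances_per_day(certs),
        "due": due,
        "covered_by": {d["serial"]: covering_successors(certs, d["serial"]) for d in due},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_RECORDS), indent=2, default=str))
```

On the sample, de-duplication leaves one certificate per day rather than the two that crt.sh appears to show, the December certificate is flagged as due in 9 days because no later certificate has exactly its two names, and the February certificate is reported as covering it, which is the "perfectly fine" case described above. To use this against real data, fetch the JSON view from crt.sh for the domain and pass the parsed list in place of `SAMPLE_RECORDS`; any difference in field names would need adjusting in `parse_records`.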
