Cert certificate expired warning

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: stageplays.com

I ran this command:

It produced this output:

My web server is (include version): DV w/SSDs (CentOS 7)

The operating system my web server runs on is (include version): (CentOS 7) (I think)

My hosting provider, if applicable, is: Media Temple

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

The cert for stageplays.com looks fine to me - SSL Decoder test site

You have gotten various certs using a different combination of names. Are you concerned about an email you got for a cert you are no longer using?

2 Likes

Hello - thanks for your help in advance.

My Father passed away at the start of the year and I'm helping run his business in his absence.

I woke to an email this morning saying that our Let's Encrypt certs would expire on July 4th.

These have always auto-renewed for us in the past. When I log in to Media Temple it says the certs are valid to the start of September. There was an issue two weeks ago in which Media Temple randomly dropped the cert for www.stageplays.com which I wonder might be connected.

Can someone please provide advice on what I should do? I'm not technical, I'm afraid. We'd like the certs to continue to auto-renew.

Thank you so much.

Dan

2 Likes

Perhaps my update crossed with your post.

Your current cert has 6 domain names in it including your www subdomain. It looks fine (see link in my prior post).

You have gotten certs in the past with different combinations of names. To Let's Encrypt those look like different certs. The emails warn they are expiring but it is up to you to know whether that is important. Try re-reading that email again now with this better description and maybe it will make more sense.

My prior (updated) post also linked to a site showing your cert history. Try matching the history with your email. I think you'll find you are no longer using that cert.

3 Likes

Hi Mike - thank you so much for your help. And yes, looks like we cross posted!

The email from Let's Encrypt is for our most important certs:

stageplays.co.uk
stageplays.com
www.stageplays.co.uk
www.stageplays.com

I've also included the top half of the email I got in case that's helpful.

Hello,

Your certificate (or certificates) for the names listed below will expire in 16 days (on 04 Jul 22 04:57 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.

stageplays.co.uk
stageplays.com
www.stageplays.co.uk
www.stageplays.com

1 Like

Yes, the cert with exactly those 4 names expires in 16 days. See the history link I provided.

But, your server is currently sending out the cert created a couple weeks ago and has 6 domain names in it.

So, you are not using that cert with just 4 names anymore. The email is just a friendly reminder about that older cert which you can ignore.

I don't know how else to explain this. In any event, it sounds like your hosting company manages your certs since you said they dropped the www domain recently. You will need to work with them to ensure they are renewed correctly.

PS: I am sorry for your loss

3 Likes

Hi Mike -

Thank you so much for your kind words and support.

Just to repeat back from you what I understand.

The old cert ending in F71218 will expire in 16 days. We can be relaxed about this as it is no longer needed.

Instead, the new cert B5BDC1 is covering these domains and is the "in use" cert - meaning we'll need to check it gets automatically renewed in 8 weeks or so. We'll check with Media Temple then.

In either case, no action is required to keep the site secure.

Is that correct?

Thank you!

4 Likes

Yes, correct. I recommend using the SSL Decoder test site to see what your server is actually sending out. Browsers can also show the certs but they sometimes do funny things with their info displays. And, any new cert will show in the cert history site I linked. Your server should show the latest one created. Ask Media Temple about any oddities.

The LE staff is open to improving the emails. You are not the first to be worried. If you have any suggestions for better wording please let us know and I'll be sure to forward it to staff. Thanks

3 Likes
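The check worked through in this thread (is the expiry e-mail about the certificate the server is actually sending, or about an older one with a different set of names?) can be scripted. The following is an added example, not part of any post above and not Let's Encrypt or Media Temple code. The sample data is constructed from the thread: the two extra names on the 6-name certificate are placeholders because the thread does not list them, and the exact September expiry time is assumed.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_served_cert(host, port=443):
    """Return (names, not_after) for the leaf certificate the server sends right now."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    names = {v.lower() for k, v in cert["subjectAltName"] if k == "DNS"}
    secs = ssl.cert_time_to_seconds(cert["notAfter"])
    return names, datetime.fromtimestamp(secs, timezone.utc)

def covers(san, name):
    """True if SAN entry `san` matches `name` (exact, or single-label wildcard)."""
    san, name = san.lower(), name.lower()
    if san.startswith("*."):
        return "." in name and name.split(".", 1)[1] == san[2:]
    return san == name

def triage_notice(notice_names, notice_expiry, served_names, served_expiry):
    """Classify an expiry e-mail against the certificate actually being served."""
    uncovered = sorted(n for n in notice_names
                       if not any(covers(s, n) for s in served_names))
    if uncovered:
        # A name in the e-mail is not on the live cert: it will lose coverage.
        return "action-needed", uncovered
    if served_expiry <= notice_expiry:
        # The live cert is the one expiring (or expires even sooner).
        return "renew-served-cert", []
    # Every name is on a newer live cert: the e-mail is about a superseded cert.
    return "superseded-ignore", []

# Constructed sample data modelled on the thread.
NOTICE_NAMES = {"stageplays.co.uk", "stageplays.com",
                "www.stageplays.co.uk", "www.stageplays.com"}
NOTICE_EXPIRY = datetime(2022, 7, 4, 4, 57, tzinfo=timezone.utc)
# Placeholders stand in for the two names the thread does not list.
SERVED_NAMES = NOTICE_NAMES | {"extra-one.example", "extra-two.example"}
SERVED_EXPIRY = datetime(2022, 9, 1, tzinfo=timezone.utc)  # assumed exact time

if __name__ == "__main__":
    print(triage_notice(NOTICE_NAMES, NOTICE_EXPIRY, SERVED_NAMES, SERVED_EXPIRY))
    # Live check (needs network): triage_notice(NOTICE_NAMES, NOTICE_EXPIRY,
    #                                           *fetch_served_cert("stageplays.com"))
```

An `action-needed` result is the case to take to the hosting provider, for example if a `www` name were dropped from the live certificate while the older certificate covering it is about to expire.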