Certbot not sending expiry reminders

Hi, I have letsencrypt certificates obtained and installed on multiple servers. Everything had been working fine until recently we changed our email address connected to certbot account.
Since then I haven't received any mails about upcoming certificate expiry resulting in expiry of two of my certs, because of my renewal service malfunction.
Please let me know what further actions I need to take to solve the issue.

I ran command:
sudo certbot update_account --email myemailaddress@example.com
and it seemed to end with success, because after I checked account info it returned that my email contact is set to my new email address.

My domain is:
orplast.saly.pl

The operating system my web server runs on is (include version):
Debian GNU/Linux 10

My web server is (include version):
Server version: Apache/2.4.38 (Debian)

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.28.0

Hi @k.kusik, and welcome to the LE community forum :slight_smile:

Based on the domain provided, I don't see why an expiry email should have been sent (yet):
crt.sh | orplast.saly.pl

Were you expecting one?
Are you referring to some other cert/FQDN?

2 Likes

@rg305 sorry for confusing you, orplast.saly.pl is just one of my domains. The actual one that needed the notification was eub2b.pard.com, because its certificate expired 3 days ago without prior warning.

1 Like

@k.kusik Yes, Let's Encrypt sends the emails on a "best efforts" basis. They don't recommend relying solely on those emails to alert of pending expiration. See their documentation about that.

I don't see anything obviously wrong with eub2b.pard.com. What is the error shown by:

sudo certbot renew --dry-run
3 Likes

@k.kusik Are you perhaps reusing an email address you've previously used for ACME accounts and perhaps clicked on the link in an expiry email so you wouldn't get new mails (for a year)?

3 Likes

Also if you are filtering emails using a spam assassin style filter you might never get certain emails because they will likely come from a bulk sender IP, like Mandrill. You should check your logs.

3 Likes

@MikeMcQ
That's my output:


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/eub2b.pard.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for eub2b.pard.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/eub2b.pard.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

@Osiris No, I have never used this email address before, it was created a few weeks ago and then registered to letsencrypt account in place of the old address.

That's good. Your cert should have renewed in early May. You should now check that your system schedules the renew command to run. This topic explains how to check that and set it up if it has not been.

https://eff-certbot.readthedocs.io/en/stable/using.html#automated-renewals

2 Likes