Initially I used sudo certbot --apache -d domain1.com -d www.domain1.com
Then later I used sudo certbot --apache -d domain2.com -d www.domain2.com
To add subdomains I used the sudo certbot --apache --cert-name domain1.com -d domain1.com,www.domain1.com,domain2.com, www.domain2.com,a.domain1.com,b.domain1.com
Certbot certificates now gives:
Found the following certs:
Certificate Name: domain1.com
Domains: domain1.com a.domain1.com b.domain1.com domain2 www.domain1.com www.domain2.com
Expiry Date: 2021-10-15 05:00:00+00:00 (VALID: 78 days)
Certificate Path: /etc/letsencrypt/live/.../fullchain.pem
Private Key Path: /etc/letsencrypt/live/.../privkey.pem
I think the expiration notice email probably relates to an earlier certificate. Does that sound right?
Should I just ignore it, or take some step to rectify the records? Thanks.
That's a really helpful answer, thanks. I've bookmarked it for the links.
The list of issued certificates at crt.sh shows the old one to which the email relates. Its "Matching identities" are a subset of the matching identities of the most recent certificate (i.e. the one that certbot certificates shows).
The ssllabs.com page also shows that most recent certificate.
I guess then that the old certificate will just wither on the vine, and if I ignore the email then any future reminders will just stop after the expiry date.
That's also a really helpful post. I did see it before posting but the introduction made me think it might not have been applicable.
If you have received an expiration email for a certificate that you believe has already been renewed, you are in the right place.
By the time I searched the forum, I didn't think the certificate in question had been renewed (based on my incomplete understanding of the terms). I just thought the old certificate had been overwritten or deleted or otherwise was just dead, an ex-certificate.
This polite, modern equivalent of RTFM was probably the most important step. The documentation at Expiration Emails - Let's Encrypt would have set my mind at rest if I'd read it all:
If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.