Certification expiration notice for what I thought was an overwritten certificate

Today I received an email along these lines:

Your certificate (or certificates) for the names listed below will expire in 17 days
...
domain1.com
www.domain1.com

I had two certificates for two domains, and a few days later created a third one for both domains plus two sub-domains. The history is here: Command for wildcard subdomain when have two existing certificates.

Summary of that earlier topic

Initially I used sudo certbot --apache -d domain1.com -d www.domain1.com

Then later I used sudo certbot --apache -d domain2.com -d www.domain2.com

To add subdomains I used sudo certbot --apache --cert-name domain1.com -d domain1.com,www.domain1.com,domain2.com,www.domain2.com,a.domain1.com,b.domain1.com

Certbot certificates now gives:

Found the following certs:
  Certificate Name: domain1.com
    Domains: domain1.com a.domain1.com b.domain1.com domain2 www.domain1.com www.domain2.com
    Expiry Date: 2021-10-15 05:00:00+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/.../fullchain.pem
    Private Key Path: /etc/letsencrypt/live/.../privkey.pem

I think the expiration notice email probably relates to an earlier certificate. Does that sound right?

Should I just ignore it, or take some step to rectify the records? Thanks.

Step #1: Read the notice thoroughly.
Step #2: Check your site for issued certs (like at: https://crt.sh/)
Step #3: Check your site for certs in use (like at: SSL Server Test (Powered by Qualys SSL Labs))

2 Likes

That's a really helpful answer, thanks. I've bookmarked it for the links.

The list of issued certificates at crt.sh shows the old one to which the email relates. Its "Matching identities" are a subset of the matching identities of the most recent certificate (i.e. the one that certbot certificates shows).

The ssllabs.com page also shows that most recent certificate.

I guess then that the old certificate will just wither on the vine, and if I ignore the email then any future reminders will just stop after the expiry date.

Thanks again.

2 Likes
2 Likes

That's also a really helpful post. I did see it before posting but the introduction made me think it might not have been applicable.

If you have received an expiration email for a certificate that you believe has already been renewed, you are in the right place.

By the time I searched the forum, I didn't think the certificate in question had been renewed (based on my incomplete understanding of the terms). I just thought the old certificate had been overwritten or deleted or otherwise was just dead, an ex-certificate.

1 Like

This polite, modern equivalent of RTFM was probably the most important step. The documentation at Expiration Emails - Let's Encrypt would have set my mind at rest if I'd read it all:

If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

4 Likes
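As an added example (not part of the original thread, and not Certbot's own code), the rule quoted from the documentation can be checked against `certbot certificates` output: every name in the expiry notice should be listed by a certificate that expires later than the one in the notice. The sample output, the notice expiry date, the `legacy.example` name and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `certbot certificates` prints (not real output).
SAMPLE = """\
Found the following certs:
  Certificate Name: domain1.com
    Domains: domain1.com a.domain1.com b.domain1.com www.domain1.com domain2.com www.domain2.com
    Expiry Date: 2021-10-15 05:00:00+00:00 (VALID: 78 days)
  Certificate Name: legacy.example
    Domains: legacy.example
    Expiry Date: 2021-08-01 05:00:00+00:00 (VALID: 3 days)
"""
# Constructed: expiry date of the old certificate named in the notice email.
NOTICE_EXPIRY = datetime(2021, 8, 15, 5, 0, tzinfo=timezone.utc)

def parse_lineages(text):
    """Return [{'name', 'domains', 'expiry'}] parsed from `certbot certificates` text."""
    lineages, current = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            current = {"name": value, "domains": set(), "expiry": None}
            lineages.append(current)
        elif current is None:
            continue
        elif key == "Domains":
            current["domains"] = {d.lower() for d in value.split()}
        elif key == "Expiry Date":
            # Drop the trailing "(VALID: ...)" or "(INVALID: ...)" status.
            stamp = re.sub(r"\s*\(.*\)\s*$", "", value)
            current["expiry"] = datetime.fromisoformat(stamp)
    return lineages

def covering_lineage(notice_names, notice_expiry, lineages):
    """Name of a lineage listing every notice name and expiring later, else None."""
    wanted = {n.lower() for n in notice_names}
    for lin in lineages:
        if lin["expiry"] and wanted <= lin["domains"] and lin["expiry"] > notice_expiry:
            return lin["name"]
    return None

def uncovered_names(notice_names, notice_expiry, lineages):
    """Notice names that no later-expiring lineage lists; these still need a certificate."""
    live = set()
    for lin in lineages:
        if lin["expiry"] and lin["expiry"] > notice_expiry:
            live |= lin["domains"]
    return sorted({n.lower() for n in notice_names} - live)
```

This only inspects what Certbot holds locally; the server test from Step #3 is still what confirms the web server is actually serving the newer certificate.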

I have been known to use too many words, too few words, and even accused of using all the wrong words... So, thank you for not taking it the wrong way :slight_smile:

Cheers from Miami :beers:

#FreeCuba

2 Likes

There are no ex-certificates just as there are no ex-marines. :slightly_smiling_face: Even a revoked certificate (discharged marine) continues to be a certificate (marine).

2 Likes
