Changing A Certificate Before Renewal Means Original Certificates Still Get Reminders

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:
sudo su
/root/certbot/certbot-auto renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/ (skipped)
No renewals were attempted.

My operating system is (include version):
Ubuntu 14.04.2 LTS

My web server is (include version):
nginx/1.4.6 (Ubuntu)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

This might not be a problem at all, just want to be sure it will renew.
I have the following cronjob running as root
17 5 * * * /root/certbot/certbot-auto renew
17 17 * * * /root/certbot/certbot-auto renew

Also in the expiration notice emails it says my cert will expire april 26th, while sites like sslshopper says that it will expire May 2nd.

My log file

2017-04-20 09:24:30,810:DEBUG:certbot.log:Root logging level set at 20
2017-04-20 09:24:30,810:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-04-20 09:24:30,810:DEBUG:certbot.main:certbot version: 0.13.0
2017-04-20 09:24:30,811:DEBUG:certbot.main:Arguments: []
2017-04-20 09:24:30,811:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2017-04-20 09:24:30,820:INFO:certbot.renewal:Cert not yet due for renewal
2017-04-20 09:24:30,820:DEBUG:certbot.renewal:no renewal failures

The Let’s Encrypt renewal reminder e-mail service will check if the certificate in question is renewed with exactly the same set of hostnames.

So if you changed something along the way, i.e., add or remove a hostname, the e-mail service will remind you the previous certificate is almost expired, but doesn’t “know” about the new certificate. (Because the full set of hostnames doesn’t correspond with each other.)

If you made such a change and you are satisfied the current certificate works properly (and the set of hostnames of the old certificate isn’t up to date with your current setup), you can just ignore the e-mails.


Thanks for fast reply!

There have not been any changes that i am aware of. Is there a way to check if i have 2 active certs?

Recent versions of certbot have a command to check the active certificate “lineages”: certbot certificates

This would also list the hostnames in the certificates, so you can check if they correspond (or differ) with the hostnames from the e-mail.

You can also check for all issued certificates for your domain. Looks like you’ve got quite a few certificates for the base domain, including subdomains. :slight_smile:

The e-mail you received was probably for the #80649730 certificate. If you compare the list of hostnames of that with those of #83113568, it seems you have added the PHPMyAdmin hostname, which is absent from the first cert I mentioned. And your most recent certificate is exactly the same as the cert I mentioned second. The second mentioned cert therefore wouldn’t trigger an e-mail reminder, but the first certificate would.

Could that be the case?


hi @RobinPerido

@Osiris is right as to the root cause of the emails

When you run commands such as renew or expand you are not altering the initial certificate. You are in fact creating a new certificate.

Each certificate has a serial number and you can verify that. Certbot and other Clients do a good job of replacing the certificates and updating the symlinks however technically you still have 2 or more certificate issued for that domain. This catches a lot of people out.

The other one that people get caught out on is that the certificates are issued but the installer doesn't work so they issue 5 valid certificates on the same day.

Review the end of this discussion for a bit more of an explanation


1 Like

That looks like it could very well be why it looked so wierd :slight_smile:
Thanks for helping me clear things up.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.