(command+output provided) Let's Encrypt certificate expiration notice for domain "www.XXXX.com"

I purchased a domain on 2023-07-07 on Gandi. On 2023-09-15 I received a first expiration email, then a second one on 2023-09-28 (6 days ago) warning me the certificates will expire:

Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 2023-10-05). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

I have two domains, ????.com and www.????.com, and received emails for both domains.

My renewal is set up as a cron job which just runs the following command.

certbot renew --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory --cert-name www.****.com

where gandi.ini holds my dns_gandi_api_key value.

I am surprised I received emails; anyway, I decided to run the command manually today.

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.????.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/www.????.com/fullchain.pem expires on 2024-01-02 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Linux Debian

My hosting provider, if applicable, is: Gandi

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): on Gandi, I can manage my domain through a control panel. Otherwise I have admin access to the Apache web server and host.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.0. I set it up myself via a Python venv installed with:

python3 -m pip install acme==1.32.0 certbot==1.32.0 certbot-apache==1.32.0 certbot-plugin-gandi

Using Python 3.9.2.
The venv in which certbot is installed is activated through 'source activate' before running the certbot renew command (I am familiar with Python development).

When going to crt.sh, the most recent entry related to my domain is dated 2023-07-08, and mentions something with ZeroSSL. Two previous entries relate to Let's Encrypt.

As a possible explanation for the email, I might have created a certificate twice on 2023-07-07 (I unfortunately don't remember very well). I mean, instead of creating a single certificate then renewing it, I might have created one, then another one. In this case, I presume the first (dumped) certificate has never been renewed and may therefore trigger the emails I am receiving?

Or is there something perhaps more worrying?

Thanks for your help.

Please don't use a domain name that you don't own and that is registered [to someone else].

3 Likes

I have edited my message and replaced with ????.com

The "default" is:
example.com
But ????.com would make the same point.

2 Likes

What shows?:
certbot certificates

And welcome to the LE community forum 🙂

3 Likes

It shows:

Found the following certs:
  Certificate Name: ????.com
    Serial Number: XXXXXXXX
    Key Type: RSA
    Domains: ????.com
    Expiry Date: 2024-01-02 14:57:22+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/????.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/????.com/privkey.pem
  Certificate Name: www.????.com
    Serial Number: YYYYYYYY
    Key Type: RSA
    Domains: www.????.com
    Expiry Date: 2024-01-02 14:57:42+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.????.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.????.com/privkey.pem

They look good to me.
Ensure that you are using those certs and you should be fine.
If you [re]read the email sent, you may better understand why you have received it.
[and how to check what certs have been issued]

Pay close attention to where it says something about/roughly like "if a name was added or removed it is considered to be another cert".

3 Likes
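The name-set rule paraphrased in the reply above can be checked mechanically; this is an added example, not part of the original thread and not Certbot or Let's Encrypt code. It parses `certbot certificates` output and lists previously issued certificates that have no newer managed certificate with exactly the same set of names. The names (`example.com`) and the issuance history are constructed placeholders, not the poster's actual data.

```python
import re
from datetime import date

# Constructed sample in the format `certbot certificates` prints (placeholder names).
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: example.com
    Domains: example.com
    Expiry Date: 2024-01-02 14:57:22+00:00 (VALID: 89 days)
  Certificate Name: www.example.com
    Domains: www.example.com
    Expiry Date: 2024-01-02 14:57:42+00:00 (VALID: 89 days)
"""

# Constructed issuance history, as it might be copied by hand from a CT log search.
ISSUED = [
    {"names": ["example.com", "www.example.com"], "not_after": "2023-10-05"},
    {"names": ["example.com"], "not_after": "2023-10-05"},
    {"names": ["www.example.com"], "not_after": "2023-10-05"},
]

def parse_lineages(text):
    """Return {frozenset(names): expiry date} for each managed certificate."""
    lineages, names = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Domains:"):
            # certbot lists multiple domains separated by spaces
            names = frozenset(line.split(":", 1)[1].split())
        elif line.startswith("Expiry Date:") and names is not None:
            m = re.search(r"(\d{4})-(\d{2})-(\d{2})", line)
            lineages[names] = date(*map(int, m.groups()))
            names = None
    return lineages

def unrenewed(issued, lineages):
    """Issued certs with no newer managed cert covering the exact same name set."""
    out = []
    for cert in issued:
        names = frozenset(cert["names"])
        expiry = date.fromisoformat(cert["not_after"])
        newer = lineages.get(names)
        # A different name set counts as a different certificate.
        if newer is None or newer <= expiry:
            out.append((sorted(names), expiry))
    return out

if __name__ == "__main__":
    for names, expiry in unrenewed(ISSUED, parse_lineages(CERTBOT_OUTPUT)):
        print(f"expect an expiry notice: {' '.join(names)} (expires {expiry})")
```

In this constructed history only the two-name certificate is reported, because the two single-name certificates each have a newer replacement with an identical name set.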

Thanks for your help. You are absolutely right, this text appears in the email. I unfortunately only just 10 minutes ago recalled that I may have run the generation process twice.
Again, thank you, and have a great day.

1 Like
