Conflicting notices of SSL certificate expiry, up for renewel


#1

Hi there,

I received an email last month, and then again this month, to tell me that my certificate expires for a specific domain on a certain date (actually a few days from now). However, when I check my actual server and do some checks via SSH, it says that my certificate for that domain still has much longer before expiring.

Which is correct? Why would I get emails telling me different than my server?

Thanks,

Andrew


#2

Hi @AArkwell

it would be helpful if you would share your domain name.

The mail is created if you have a certificate with a set of domain names which isn’t renewed.

So: If you first create a certificate A with www.example.com, later create a certificate B with www.example.com + example.com + blog.example.com and you use this certificate B:

So you don’t renew certificate A, because you don’t use it.

Then you get a mail that A expires. 20 days before and 10 days before.

So ignore the mail.


#3

Ah gotcha, hmm.

The domain in question is https://freedomlending.ca/

The email says the domain actually expires today: “Your certificate (or certificates) for the names listed below will expire in 10 days (on 18 Sep 18 20:27 +0000)…freedomlending.ca”

But then when I check my server with “sudo certbot certificates” I get: “Found the following certs:
Certificate Name: freedomlending.ca
Domains: freedomlending.ca www.freedomlending.ca
Expiry Date: 2018-12-02 23:33:52+00:00 (VALID: 75 days)”

So, I’m not really sure!


#4

There is a certificate with two names:

DNS-Name: freedomlending.ca
DNS-Name: www.freedomlending.ca

valid 2018-12-02.

But today

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:freedomlending.ca;issuer_uid:4428624498008853827&lu=cert_search

ends a certificate with one name freedomlending.ca:

https://transparencyreport.google.com/https/certificates/hj01u%2BfZBRlHTABD8Aq64e5Cib2t1UJ8CbxmdVrdJZ0%3D

So you don’t need and use this one-name-certificate, so you can ignore the mail.


#5

OK thank you! I will use that site in the future to check.

Andrew


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.