Confusion re two similar certs, one expiring

My domain is: enfeedia.com

I ran this command: N/A

It produced this output: N/A

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

THIS SIMPLE QUESTION NEEDS URGENT ATTENTION

I get emails showing that cert for enfeedia.com will expire in 6 days. Email titled
Let's Encrypt certificate expiration notice for domain "enfeedia.com" (and 13 more)

But when I run certbot renew --dry-run, it displays:

Processing /etc/letsencrypt/renewal/enfeedia.com-0001.conf
Cert is due for renewal, auto-renewing...

(Notice enfeedia-0001.com above)

And it finishes like this:
Congratulations, all simulated renewals succeeded:

  • /etc/letsencrypt/live/enfeedia.com-0001/fullchain.pem (success)

I think that means all is fine, but I don't think enfeedia.com-0001 is due for renewal. The email title states expiration will take place and running certbot renew will take care of renewal. Note that enfeedia.com-0001 entirely replaces enfeedia.com.

I'm confused in that the display of progress says "due for renewal" and cites enfeedia.com-0001 being renewed.

EACH TIME I RUN CERTBOT RENEW, IT SAYS CERT IS DUE FOR RENEWAL, SPECIFYING ENFEEDIA.COM-0001 IN THE RESULTS. IS IT NOT GETTING RENEWED?

Am I safe that enfeedia.com-0001 will remain in place after enfeedia.com expires? The email alert I received seems to say not-to-worry in the case a more recent cert has more or fewer names, but says nothing if the number of names is the same.

I will appreciate immediate reply to this question.

It looks like a new cert was issued today:
crt.sh | enfeedia.com

Just seeing "-0001" in the post, tells me that you've made renewal requests that have changed/overlapped domains [within that same cert name].
Something certbot doesn't do on its own.
So... this is likely something that was caused by your own actions.

Please show the output of:
certbot certificates

There is only one level of urgency here.
You either need help OR you don't.
Adding that makes me want to look the other way :frowning:

How exactly will your appreciation be any more/different?
I mean, this is a FREE community support channel...
And I think all that get help here appreciate it equally.

My point is adding your urgency to your request does nothing to motivate anyone into stopping their lives to help you out of your problem [immediately].

5 Likes

...but not sufficiently urgent attention for you to read the documentation page linked in those expiration emails, apparently. Because if you had, it's unlikely you'd have posted this topic--or at least, you'd have explained how the cert with the name of enfeedia.com-0001 differs from the previous cert named enfeedia.com.

The --dry-run always says the cert is due for renewal, and then proceeds to simulate trying to renew it.

5 Likes

Sorry, I treated this as emergency because of concern that in five days from today, the certs will expire with nasty results.

I do appreciate your reply and I do read documentation. I found nothing, including the document you referred me to, that answers my question. I saw your comment at bottom of your post; very helpful. I guess I always thought dry run would indicate if the cert is due or not due for renewal.

TODAY, doing the renewal, not dry-run, this appeared:
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/enfeedia.com-0001/fullchain.pem expires on 2023-10-14 (skipped)
No renewals were attempted.

I now assume all is well, and unless there's something you want to point out, we're done here. Again, genuine thank you.

1 Like

You can check the certs you have with:

4 Likes

Oops, forgot to post it here. Looks great, shows the one cert I expected and with the expected next renewal date.

Found the following certs:
  Certificate Name: enfeedia.com-0001
    Serial Number: *(deleted, not knowing if showing it here is safe)*
    Key Type: RSA
    Domains: enfeedia.com keligo.com llgorman.com packetstacks.com saddlebrookeranch.org sme62.org storiesofpetsbypetsforpets.com www.enfeedia.com www.keligo.com www.llgorman.com www.packetstacks.com www.saddlebrookeranch.org www.sme62.org www.storiesofpetsbypetsforpets.com
    Expiry Date: 2023-10-14 20:31:37+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/enfeedia.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/enfeedia.com-0001/privkey.pem
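
A check along the lines discussed in this thread, as an added example that is not part of any post: it parses `certbot certificates` output and reports a lineage as expiring only when no later-expiring lineage covers all of its names. The sample output, the example.com names, the function names and the 30-day threshold are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `certbot certificates` prints (made-up names and dates).
SAMPLE = """\
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2023-07-23 10:00:00+00:00 (VALID: 5 days)
  Certificate Name: example.com-0001
    Domains: example.com example.org www.example.com www.example.org
    Expiry Date: 2023-10-14 20:31:37+00:00 (VALID: 88 days)
"""

FIELD = re.compile(r"^\s*(Certificate Name|Domains|Expiry Date):\s*(.+?)\s*$")

def parse_lineages(text):
    """Return one dict per lineage: name, domains (set), expiry (aware datetime)."""
    lineages = []
    for line in text.splitlines():
        if not (m := FIELD.match(line)):
            continue
        key, value = m.groups()
        if key == "Certificate Name":
            lineages.append({"name": value, "domains": set(), "expiry": None})
        elif lineages and key == "Domains":
            lineages[-1]["domains"] = set(value.split())
        elif lineages and key == "Expiry Date":
            # The trailing "(VALID: N days)" status is dropped before parsing.
            lineages[-1]["expiry"] = datetime.fromisoformat(value.split(" (")[0])
    return lineages

def report(lineages, now, warn_days=30):
    """Map lineage name -> 'ok', 'expiring', or 'superseded by <name>'."""
    out = {}
    for cert in lineages:
        days = (cert["expiry"] - now).days
        # Another lineage supersedes this one if it has every name and expires later.
        covered_by = [o["name"] for o in lineages if o is not cert
                      and cert["domains"] <= o["domains"]
                      and o["expiry"] > cert["expiry"]]
        if days >= warn_days:
            out[cert["name"]] = "ok"
        elif covered_by:
            out[cert["name"]] = "superseded by " + covered_by[0]
        else:
            out[cert["name"]] = "expiring"
    return out

if __name__ == "__main__":
    print(report(parse_lineages(SAMPLE), datetime(2023, 7, 18, tzinfo=timezone.utc)))
```

A "superseded" result only says a newer certificate with the same names exists on disk; the web server configuration still has to point at the newer lineage's path for the old expiry to be harmless.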
