Confusion re two similar certs, one expiring

k44g · July 16, 2023, 9:34pm

My domain is: enfeedia.com

I ran this command: N/A

It produced this output: N/A

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

THIS SIMPLE QUESTION NEEDS URGENT ATTENTION

I get emails showing that cert for enfeedia.com will expire on 6 days. Email titled
Let's Encrypt certificate expiration notice for domain "enfeedia.com" (and 13 more)

But when I run cerbot renew --dry-run, it displays:

Processing /etc/letsencrypt/renewal/enfeedia.com-0001.conf
Cert is due for renewal, auto-renewing...

(Notice enfeedia-0001.com above)

And it finishes like this:
*Congratulations, all simulated renewals succeeded: *

/etc/letsencrypt/live/enfeedia.com-0001/fullchain.pem (success)*

I think that means all is fine, but I don't think enfeedia.com-0001 is due for renewal. The email title states expiration will take place and running certbot renew will take care of renewal. Note that enfeedia.com-0001 entirely replaces enfeedia.com.

I'm confused in that the display of progress says "due for renewal" and cites enfeedia.com-0001 being renewed.

EACH TIME I RUN CERTBOT RENEW, IT SAYS CERT IS DUE FOR RENEWAL, SPECIFYING ENFEEDIA.COM-0001 IN THE RESULTS. IS IT NOT GETTING RENEWED?

Am I safe that enfeedia.com-0001 will remain in place after enfeedia.com expires? The email alert I received seems to say not-to-worry in the case a more recent cert has more or fewer names, but says nothing if the number of names is the same.

I will appreciate immediate reply to this question.

rg305 · July 16, 2023, 10:21pm

It looks like a new cert was issued today:
crt.sh | enfeedia.com

Just seeing "-0001" in the post, tells me that you've made renewal requests that have changed/overlapped domains [within that same cert name].
Something certbot doesn't do on its' own.
So... this is likely something that was caused by your own actions.

Please show the output of:
certbot certificates

There is only one level of urgency here.
You either need help OR you don't.
Adding that makes me want to look the other way

How exactly will your appreciation be any more/different?
I mean, this is a FREE community support channel...
And I think all that get help here appreciate it equally.

My point is adding your urgency to your request does nothing to motivate anyone into stopping their lives to help you out of your problem [immediately].

danb35 · July 16, 2023, 11:31pm

...but not sufficiently urgent attention for you to read the documentation page linked in those expiration emails, apparently. Because if you had, it's unlikely you'd have posted this topic--or at least, you'd have explained how the cert with the name of enfeedia.com-0001 differs from the previous cert named enfeedia.com.

The --dry-run always says the cert is due for renewal, and then proceeds to simulate trying to renew it.

k44g · July 17, 2023, 9:12pm

Sorry, I treated this as emergency because of concern that in five days from today, the certs will expire with nasty results.

I do appreciate your reply and I do read documentation. I found nothing, including the document you referred me to, that answers my question. I saw your comment at bottom of your post; very helpful. I guess I always thought dry run would indicate if the cert is due or not due for renewal.

TODAY, doing the renewal, not dry-run, this appeared:
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/enfeedia.com-0001/fullchain.pem expires on 2023-10-14 (skipped)
No renewals were attempted.

I now assume all is well, and unless there's something you want to point out, we're done here. Again, genuine thank you.

rg305 · July 17, 2023, 11:17pm

You can check the certs you have with:

k44g · July 18, 2023, 12:10pm

Ooops, forgot to post it here. Looks great, shows the one cert I expected and with the expected next renewal date.

Found the following certs:
  Certificate Name: enfeedia.com-0001
    Serial Number: *(deleted, not knowing if showing it here is safe)*
    Key Type: RSA
    Domains: enfeedia.com keligo.com llgorman.com packetstacks.com saddlebrookeranch.org sme62.org storiesofpetsbypetsforpets.com www.enfeedia.com www.keligo.com www.llgorman.com www.packetstacks.com www.saddlebrookeranch.org www.sme62.org www.storiesofpetsbypetsforpets.com
    Expiry Date: 2023-10-14 20:31:37+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/enfeedia.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/enfeedia.com-0001/privkey.pem

system · August 17, 2023, 12:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
I received a message from letsencrypt on: aug 30 2022 with Your certificate (or certificates) for the names listed below will expire in 9 days (on 09 Sep 22 12:48 +0000). Please make sure to renew your certificate before then, or visitors to your web site Help	3	708	September 30, 2022
It ran out can't renew Help	4	642	January 1, 2021
Ny Mail Afebt says Certificate expired by cerbot says it is good Help	29	1726	July 29, 2020
Expiration date confusion Help	7	582	August 2, 2020
Certbot expired yet 'cert not yet due for renewal' Help	3	9685	October 9, 2017

Confusion re two similar certs, one expiring

Related topics