Crt.sh shows multiple certs with different expiry dates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: orgibisph.net
I have two websites on same server and same IP: trac.orgibisph.net and svn.orgibisph.net

I ran this command, from web browser:
crt.sh | trac.orgibisph.net
crt.sh | svn.orgibisph.net

It produced this output:
Multiple lines of what appear to be same URLs but with different expiry dates

My web server is (include version):
Server version: Apache/2.4.58 (Ubuntu)
Server built: 2024-07-17T18:55:23

The operating system my web server runs on is (include version):
Ubuntu linux 24.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

I am getting expiry notices from Let's Encrypt.
If I examine the certs in the browser, the expiration date is farther in the future for both svn.orgibisph.net and trac.orgibisph.net.

In a browser crt.sh shows multiple entries; I think it would be best for folks to run the commands.

And it is showing multiple certs with different expiration dates.

I can't seem to find what else is different about them, and I also am not sure how what I am seeing happened. I think for now, I would like to remove the older certs, if that is a reasonable thing to do, but am not sure how.

Crontab shows a commented out renewal.

The following entries for snap.certbot.renew.timer and server are:
root@ip-10-0-0-102:/etc/systemd/system# cat snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=snap-certbot-3834.mount
After=snap-certbot-3834.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 10:36
OnCalendar=*-*-* 12:39

[Install]
WantedBy=timers.target
root@ip-10-0-0-102:/etc/systemd/system#

root@ip-10-0-0-102:/etc/systemd/system# cat snap.certbot.renew.service
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=snap-certbot-3834.mount
Wants=network.target
After=snap-certbot-3834.mount network.target snapd.apparmor.service
X-Snappy=yes

[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/3834
TimeoutStopSec=30
Type=oneshot
root@ip-10-0-0-102:/etc/systemd/system#

I'm not sure what you want to remove? Remove the certs from the Certificate Transparency logs? Because that's not possible. CT logs are append-only for good reason. Once a cert is in there, it's in there "forever".


Often a Let's Encrypt cert will show as two lines in crt.sh. It shows the Precert and the Leaf. You can use crt.sh advanced settings to "Deduplicate" so you only see one of them.

Other systems may or may not show them. Sometimes this is a nicer cert log display
https://tools.letsdebug.net/cert-search


Even then those hostnames have 2 to 3 duplicate certs 🙄

I was thinking that I had duplicate certs set up in my configuration somehow. Thanks for the explanation of crt.sh.
I guess I'm still a little confused as to why I am getting cert expiry notifications. Maybe that's what took me down the path of crt.sh, and not really understanding what I was seeing.

Thanks, I will try that site as well.


??

I see this with Deduplicate

The two for Aug 25 don't share SANs, and neither do the ones for Jun 26.

They overlap, so the certs with just trac in them seem unnecessary, but not duplicated.


That can still be the case; you can't say that by looking at crt.sh.

crt.sh does not show the full list of domains in a cert (the names in the SAN list, Subject Alternative Names).

The other cert-search I linked does. I think you'll see what is happening more easily with that.

With crt.sh you have to inspect each SAN list by clicking each cert.

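The point made above, that two certificates for the same hostname are only duplicates if their SAN lists match, can be checked on the server itself rather than by clicking through crt.sh. The script below is an added example and not code from the thread or from Certbot: it reads the SAN list and expiry out of a PEM file with openssl, tests whether a cert's name set is exactly a given list of names (the way Let's Encrypt's expiry mail keys on the exact name set), and reports whether a cert expires within a window. The demo certificates it generates are constructed self-signed ones so the script runs offline; the hostnames are the two from this thread and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect SAN lists and expiry
# of PEM certificates with openssl. Paths and the demo certs are constructed.

# Print the DNS names from a certificate's subjectAltName, one per line, sorted.
# Uses -text output so it works on any openssl/libressl version.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
    | sort
}

# Print the notAfter date of a certificate, e.g. "Sep 14 12:00:00 2024 GMT".
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 only if the cert's SAN set is exactly the given names (any order).
# A cert covering svn+trac does NOT match a name set of just trac, which is
# why an expiry mail for the trac-only cert can arrive while svn+trac is valid.
sans_match() {
  file=$1; shift
  want=$(printf '%s\n' "$@" | sort)
  [ "$(cert_sans "$file")" = "$want" ]
}

# Return 0 if the cert expires within the next N seconds.
# openssl -checkend exits 0 when the cert is still valid after N seconds.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Constructed self-signed demo cert: make_demo_cert OUT.pem DAYS NAME...
# The private key is written next to it as OUT-key.pem.
make_demo_cert() {
  out=$1; days=$2; shift 2
  sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out%.pem}-key.pem" \
    -out "$out" -subj "/CN=$1" -days "$days" \
    -addext "subjectAltName=$sans" >/dev/null 2>&1
}

# Demo: one cert covering both names, one covering only trac (as in the thread).
demo() {
  d=$(mktemp -d)
  make_demo_cert "$d/both.pem" 90 svn.orgibisph.net trac.orgibisph.net
  make_demo_cert "$d/trac.pem" 5 trac.orgibisph.net
  for f in "$d/both.pem" "$d/trac.pem"; do
    echo "$f expires $(cert_not_after "$f"); SANs:"
    cert_sans "$f" | sed 's/^/  /'
    if expires_within "$f" 518400; then echo "  -> expires within 6 days"; fi
  done
  rm -rf "$d"
}

demo
```

On a real Certbot host the same checks apply to the lineages under /etc/letsencrypt/live/<name>/cert.pem, and `certbot certificates` prints each lineage's domain list and expiry in one go; if the expiry mail names a set of hostnames that no current lineage matches exactly, it refers to a superseded cert and can be ignored as the documentation says.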

Oh, sorry, I mistakenly saw an "8" for the "6"es of June.


Osiris/MikeMcQ - I guess my main concerns are:
Should I worry about this?
Are there other ways to determine if this is an issue?
Is Let's Encrypt cert expiry notification something I can ignore? The latest message I received is:
Subject: Let's Encrypt certificate expiration notice for domain "svn.orgibisph.net"
Your certificate (or certificates) for the names listed below will expire in 6 days (on 2024-09-14). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

This? The expiry notification? Or something else?

Please see the explanation provided on the documentation page linked in the email you've received.


I meant the expiry notification. It sounds like the duplicate certs shown in the web browser URLs are okay.

Re: expiry notification. Thanks - I guess I did not read enough of the message, sorry. I think I got too worried. I did finally read:
svn.orgibisph.net

For details about when we send these emails, please visit: Expiration Emails - Let's Encrypt In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

Thanks everyone for replying

