Email for expiring certificate - no such certificate on system

I just received a 10 day expiry warning for a certificate I cannot find. The email states it is for a cert covering blubrick.com and www.blubrick.com, however my list of certificates contains no such cert.

I automatically renew any certs I use via the following line in root's crontab:

15 04 * * * /usr/bin/certbot renew --quiet

and it works for all my other certs that I can see.

There IS a cert covering blubrick.com and mail.blubrick.com, and another one for mail.blubrick.com alone, but neither of them are expiring soon, as you can see.

Does anyone out there have any clue as to what might be going on?

My domain is:
blubrick.com

I ran this command:
sudo certbot certificates

It produced this output:

Found the following certs:
Certificate Name: badboysofuke.com
Domains: badboysofuke.com www.badboysofuke.com
Expiry Date: 2019-11-01 06:41:59+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/badboysofuke.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/badboysofuke.com/privkey.pem
Certificate Name: blubrick.com
Domains: blubrick.com mail.blubrick.com
Expiry Date: 2019-11-04 17:17:12+00:00 (VALID: 71 days)
Certificate Path: /etc/letsencrypt/live/blubrick.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/blubrick.com/privkey.pem
Certificate Name: blubrick.tk
Domains: blubrick.tk www.blubrick.tk
Expiry Date: 2019-11-01 06:42:12+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/blubrick.tk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/blubrick.tk/privkey.pem
Certificate Name: chugs.live
Domains: chugs.live www.chugs.live
Expiry Date: 2019-11-02 04:29:16+00:00 (VALID: 69 days)
Certificate Path: /etc/letsencrypt/live/chugs.live/fullchain.pem
Private Key Path: /etc/letsencrypt/live/chugs.live/privkey.pem
Certificate Name: mail.blubrick.com
Domains: mail.blubrick.com
Expiry Date: 2019-11-08 17:08:07+00:00 (VALID: 75 days)
Certificate Path: /etc/letsencrypt/live/mail.blubrick.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.blubrick.com/privkey.pem
Certificate Name: mattlivingston.ml
Domains: mattlivingston.ml www.mattlivingston.ml
Expiry Date: 2019-11-01 06:42:23+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/mattlivingston.ml/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mattlivingston.ml/privkey.pem

My web server is (include version):
apache2 (v2.4.29)

The operating system my web server runs on is (include version):
Ubuntu 18.04.3

My hosting provider, if applicable, is:
(self, via Linode)

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

The www certificate certainly exists:

Presumably you deleted it, or maybe it was created on a different computer.

Oh, I’ve no doubt that the www cert exists. I’m equally certain that I do not have it on my server.

When I was last setting this stuff up, I created revoked and deleted numerous certs before I got it right (or rather, thought that I did!). It’s entirely possible that I skipped the revocation step at one point.

Somehow I seem to have wound up with two certs in my possession covering the same subdomain, and one cert not in my possession, covering a domain already covered by one of the first two. It kinda works, mostly, but it’s messy and I’d like to tidy it up.

Now, without being in possession of the existing “missing” certificate, I cannot revoke it, is that right?

Should I simply wait for it to expire, then revoke my existing cert for (mail.)blubrick.com and re-request a new cert for (www.)blubrick.com? I’d prefer, if possible, to retain the existing cert which covers only mail.blubrick.com and keep it separate from the webserver cert.

If the certificate that's expiring isn't being used and isn't a configuration that you want to replicate, you don't have to take any action.

That's part of what's alluded to in the expiration notice:

The expiration of an unused certificate won't cause any other impacts for your services; the expiry e-mail is just meant as a courtesy to ensure that it doesn't take you by surprise.

Thank you. There are some configs that need to change, but this has clarified what I need to do now.

Valid cert for just (mail.)domain:
continue unchanged

Cert for (mail.)domain:
revoke & re-request for (www.)domain

Expiring “missing” cert:
ignore

Hi @blubrick

that's always wrong if the private key isn't stolen.

Never revoke a certificate if the private key is safe. Ignore the certificate. Expired -> you can delete it.

You can create more then one active certificate.

Somewhere I want to write a definitive document (maybe for letsencrypt.org) about this. A certificate says that a key is OK to use with certain names, but doesn't say that it's the only key that's OK to use with those names, or that those are the only names that are OK to use with that key. Therefore, new certificates never contradict old certificates and there are no restrictions at all on the simultaneous validity (or issuance¹) of related or overlapping certificates.

¹ Let's Encrypt has new-issuance rate limits, where you can't issue many new identical (or large numbers of related) certificates in the same week. But it doesn't matter at all whether other related certificates are valid, revoked, or expired.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.