Email notification - dates don't match certificate?

I received an email from the expiry bot saying my certificate expires on 2nd April, but checking the certificate on the live site in the web browser shows an expiry of 24th May. When I run a renewal script I get “Cert not yet due for renewal”

Any ideas ?

Thanks in advance
Rick

Details below

My domain is: hsaphoto.org

I ran this command: certbot renew

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hsaphoto.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
/etc/letsencrypt/live/hsaphoto.org/fullchain.pem expires on 2020-05-24 (skipped)
No renewals were attempted.

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04 (fully patched)

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Email received

Your certificate (or certificates) for the names listed below will expire in 10 days (on 02 Apr 20 02:57 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors. We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details. hsaphoto.org phpmyadmin.hsaphoto.org www.hsaphoto.org

When you added docs.hsaphoto.org to your certificate around a month ago, that caused your old and new certificate to be counted separately, when it comes to the expiry reminder emails.

In this case, you can ignore expiry reminder email, because it is referring to a certificate that is no longer in use.

This is elaborated upon on https://letsencrypt.org/docs/expiration-emails/#when-you-get-an-expiration-email :

We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

2 Likes

Hi

A very succint and helpful answer, thanks for the quick response

Regards

Rick

1 Like