Email regarding a certificate about to expire

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: weewx.sylvain-maison.duckdns.org

I ran this command: N/A

It produced this output: N/A

My web server is (include version): Apache 2.4.38

The operating system my web server runs on is (include version): Rasbian 5.10.63-v7l+

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I got an email from expiry@letsencrypt.org saying that my certificate will expire in 11 days and yet, I have the following line in /etc/cron.d/certbot

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Shouldn't that take of the renewing? Am I missing something for the certificate to auto renew?

Thanks.

Which cert did the email warn you about? Was it the one with grafana...?

See here

If you are not using that anymore you can ignore the friendly reminder email.

If you could describe what about the email was confusing it might help the Let's Encrypt people write clearer language.

Thanks for the quick reply. Got this one Thursday for

teslamate.sylvain-maison.duckdns.org

Then these two were added to it yesterday
grafana.sylvain-maison.duckdns.org
weewx.sylvain-maison.duckdns.org
teslamate.sylvain-maison.duckdns.org

This is the email I got, why haven't they renewed before that email was sent?

Hello,

Your certificate (or certificates) for the names listed below will expire in 11 days (on 02 Feb 22 03:42 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.

See https://crt.sh/?Identity=sylvain-maison.duckdns.org&deduplicate=Y for an overview of the certificates for your DuckDNS domain.

Also check the command sudo certbot certificates to see which certificates are currently known in Certbot. You can cross-reference those certificates and their hostnames with the list of hostnames you previously issued certificates for from the link above.

Damn, I did have trouble at first. Didn't realized it created that many certificates lol

This is what I have as of now

Found the following certs:
  Certificate Name: camera.sylvain-maison.duckdns.org
    Domains: camera.sylvain-maison.duckdns.org
    Expiry Date: 2022-04-04 10:13:08+00:00 (VALID: 66 days)
    Certificate Path: /etc/letsencrypt/live/camera.sylvain-maison.duckdns.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/camera.sylvain-maison.duckdns.org/privkey.pem
  Certificate Name: grafana.sylvain-maison.duckdns.org
    Domains: grafana.sylvain-maison.duckdns.org
    Expiry Date: 2022-04-03 08:37:57+00:00 (VALID: 65 days)
    Certificate Path: /etc/letsencrypt/live/grafana.sylvain-maison.duckdns.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/grafana.sylvain-maison.duckdns.org/privkey.pem
  Certificate Name: ha.sylvain-maison.duckdns.org
    Domains: ha.sylvain-maison.duckdns.org
    Expiry Date: 2022-04-11 02:59:39+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/ha.sylvain-maison.duckdns.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ha.sylvain-maison.duckdns.org/privkey.pem
  Certificate Name: teslamate.sylvain-maison.duckdns.org
    Domains: teslamate.sylvain-maison.duckdns.org grafana.sylvain-maison.duckdns.org
    Expiry Date: 2022-04-03 08:38:10+00:00 (VALID: 65 days)
    Certificate Path: /etc/letsencrypt/live/teslamate.sylvain-maison.duckdns.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/teslamate.sylvain-maison.duckdns.org/privkey.pem
  Certificate Name: weewx.sylvain-maison.duckdns.org
    Domains: weewx.sylvain-maison.duckdns.org
    Expiry Date: 2022-04-04 10:13:22+00:00 (VALID: 66 days)
    Certificate Path: /etc/letsencrypt/live/weewx.sylvain-maison.duckdns.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/weewx.sylvain-maison.duckdns.org/privkey.pem

So I can ignore those old certificates I'm not using, right?

Welcome to the Let's Encrypt Community

Yep. If the unneeded certificates' private keys haven't been compromised, just delete the unneeded certificates and their private keys.

Use this to find an unneeded certificate's Certificate_Name:

sudo certbot certificates

Use this command to safely delete an unneeded certificate and its private key:

sudo certbot delete --cert-name Certificate_Name

That will prevent the unnecessary renewal of any unneeded certificates.

I don't think the 'unneeded' are anywhere to be found. The only one I have are the one I posted above and they are the same ones I have in my /etc/letsencrypt/live directory
.

I think that refers to existing certs that are no longer in use (anywhere).

Ignoring them isn't really the best choice.
If any of the five certs shown are no longer in use, then you can delete them using the command provided by @griffin

Those displayed by certbot certificates are used. It's those that showed up when I ran

that I'm talking about. Lots more than what ' certbot certificates' are showing.

You can definitely ignore anything that isn't listed by certbot certificates.
[they no longer exist in your system]

Great, thanks

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.