Email says cert about to expire, certbot says it's good

Expiry bot says my cert is expiring in 10 days, but certbot says I’m good to go. I had initially (a couple of years ago?) set up certbot just for the domain sunsetsets.com, but earlier this year I did a multi-site certificate for sunsetsets.com, janktownbeats.com and others running on my server. I thought that I set it up to auto-renew.

My domain is: sunsetsets.com (I am also doing a multiple domain certificate)

I ran this command: sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/sunsetsets.com.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/sunsetsets.com/fullchain.pem expires on 2020-09-24 (skipped)
No renewals were attempted.


My web server is (include version): apache2/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

1 Like

Hi,

If certbot said it’s good, and all your websites have the same expiry date as certbot’s display, then you are good to go. Let’s Encrypt might send emails for the old certificate because expanding or issuing a new certificate (that doesn’t have the exact set of hostnames) might not be considered a renewal.

I think you are currently using https://crt.sh/?id=3006278013 (Multi-SAN), but Let’s Encrypt might be notifying you about https://crt.sh/?id=2885258131.

You can get more information about expiration emails at https://letsencrypt.org/docs/expiration-emails/

1 Like

Thanks Steven,

I believe that you are correct.

Is there a recommended way to remove “orphaned” certificates? I will likely add further domain names and generate certs to include these new domains, and I would prefer to not have a bunch of warnings on certs that aren’t being used anymore.

Thanks!

1 Like

Unfortunately, there’s no such way. However, for peace of mind: I believe that the renewal email will only be sent once for an exact set of hostnames.

1 Like
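An added example, not part of any post in this thread and not Certbot or Let’s Encrypt code: one way to triage an expiry email by checking whether every hostname on the expiring certificate is already covered by a certificate that expires later. The record layout, the function names `covers` and `triage`, the `warn_days` default and the sample dates are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Constructed sample records (hostname sets and expiry dates are illustrative,
# not the real certificates linked in the thread).
ISSUED = [
    {"names": {"sunsetsets.com"}, "not_after": date(2020, 7, 16)},
    {"names": {"sunsetsets.com", "janktownbeats.com"}, "not_after": date(2020, 9, 24)},
    {"names": {"old.example.net"}, "not_after": date(2020, 7, 20)},
]


def covers(cert_name, host):
    """True if a certificate name (possibly a wildcard) matches host."""
    if cert_name.startswith("*."):
        # A wildcard stands in for exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def triage(issued, today, warn_days=20):
    """Map each certificate expiring within warn_days to its uncovered hosts.

    An empty list means the certificate is superseded: every hostname on it
    also appears on a certificate that outlives the warning window.
    """
    horizon = today + timedelta(days=warn_days)
    result = {}
    for cert in issued:
        if not (today <= cert["not_after"] <= horizon):
            continue  # not inside the warning window
        live_names = [n for other in issued
                      if other["not_after"] > horizon
                      for n in other["names"]]
        uncovered = sorted(h for h in cert["names"]
                           if not any(covers(n, h) for n in live_names))
        result[frozenset(cert["names"])] = uncovered
    return result


if __name__ == "__main__":
    for names, uncovered in triage(ISSUED, date(2020, 7, 6)).items():
        status = ("needs renewal: " + ", ".join(uncovered)
                  if uncovered else "superseded, safe to ignore")
        print(sorted(names), "->", status)
```

A "superseded" result only shows that a newer certificate exists for those names; the web server still has to be serving it, which is the expiry-date comparison described in the reply above.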

Thanks again Steven,

I guess each time this happens, I’ll need to remember that the old certificates will essentially go away after they expire… and remember that all of my current domains are covered under the current certificate.

Hmm… seems like a good reason to issue individual certs for each domain actually…

1 Like
