Email says certificate expires, renew says it is not expiring

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: shafer.ca

I ran this command:sudo openssl x509 -in /etc/letsencrypt/live/shafer.ca/cert.pem -text -noout

It produced this output:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:33:c3:f1:47:3e:2a:93:39:ee:2a:4e:05:bd:0a:0d:76:ec
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Validity
Not Before: Mar 22 00:45:28 2019 GMT
Not After : Jun 20 00:45:28 2019 GMT
Subject: CN=shafer.ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e1:68:55:c6:06:aa:ab:46:05:78:b4:17:8a:2c:
0e:14:17:a8:25:0f:b9:62:eb:51:86:ad:7c:29:28:
a8:69:1a:ad:2b:ad:c3:2e:9e:f6:4f:72:98:9d:8b:
d9:6f:97:cc:e4:5a:ad:e6:70:78:07:3b:74:ca:6e:
c4:61:db:4a:f3:5c:87:6d:7c:de:ed:46:ca:a7:fe:
46:7d:66:73:ea:45:65:05:de:89:65:9a:a2:09:9c:
cf:47:5a:4c:00:20:9d:43:0a:a9:2d:e8:c7:e3:eb:
5b:12:83:95:4d:41:1b:4f:a5:c4:dd:94:94:f6:b7:
d3:f3:e2:24:2c:4f:b8:41:c3:25:21:d5:09:6e:66:
bf:03:b5:c8:4b:74:23:a1:c4:05:4e:9e:9c:54:ed:
18:f8:ae:15:95:c6:d5:a8:53:e2:15:fc:bc:fe:57:
3d:b0:64:f5:e1:a0:a7:cb:c2:f9:80:c8:ca:3d:dd:
75:68:f2:14:06:e2:4d:42:64:1a:3e:c6:b1:b7:4b:
4c:34:bb:95:03:a3:bd:3a:a8:d4:f2:73:51:61:48:
a8:ff:44:2a:ac:63:23:db:96:0b:8a:1d:2c:03:4f:
da:37:1d:fc:b1:de:f0:f5:0d:b2:77:e5:81:dc:12:
44:4f:bf:da:a9:b6:7c:df:04:60:7f:87:67:17:ee:
48:c3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
28:F2:81:41:DC:1D:7C:6B:27:2D:CB:73:2B:F2:0B:41:B0:D0:94:B8
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

        Authority Information Access: 
            OCSP - URI:http://ocsp.int-x3.letsencrypt.org
            CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

        X509v3 Subject Alternative Name: 
            DNS:shafer.ca, DNS:www.shafer.ca
        X509v3 Certificate Policies: 
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org

        CT Precertificate SCTs: 
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                            3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                Timestamp : Mar 22 01:45:28.456 2019 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:A3:79:6C:79:60:B9:D8:38:79:52:13:
                            05:85:9F:11:60:6C:C4:CB:A6:FC:0E:7F:1A:B3:66:72:
                            3C:37:DA:64:78:02:20:2A:8A:BB:14:50:0B:92:3E:C0:
                            59:AA:CE:77:71:14:5E:C7:1D:A7:50:72:9F:66:10:91:
                            D9:27:52:ED:F3:F0:9C
            Signed Certificate Timestamp:
                Version   : v1(0)
                Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                            A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                Timestamp : Mar 22 01:45:28.527 2019 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:DB:ED:D8:EC:F4:54:D7:01:7F:C3:FD:
                            AB:A6:BE:4A:33:21:2F:08:50:48:21:9D:EE:3E:6F:68:
                            EB:C8:C6:13:35:02:20:71:44:59:D6:27:ED:75:8A:73:
                            64:5B:95:9C:F0:68:0C:37:DD:0D:97:D2:F7:26:05:43:
                            B7:C6:7B:84:02:46:CF
Signature Algorithm: sha256WithRSAEncryption
     2a:d1:f0:82:d8:70:ac:35:fe:1d:a6:25:4d:da:80:27:80:1f:
     05:f2:97:1d:18:42:73:32:8d:8a:85:cd:6f:e9:04:66:2f:e2:
     0c:fa:df:a6:1b:8e:31:27:b2:88:3c:f3:e2:7c:3f:da:73:d9:
     77:2a:b3:2f:76:a0:c6:50:c9:3f:99:2e:3a:3f:a2:0e:d3:de:
     36:79:37:ec:9f:47:92:79:8c:6f:61:ad:4e:56:ca:c8:bf:fe:
     7a:85:5d:fb:47:4a:75:20:1c:39:64:f1:a6:06:bd:b2:7d:5e:
     79:81:02:94:1a:6f:54:2e:d5:b4:55:c0:bf:ad:f7:21:08:eb:
     c8:5a:bd:54:9f:fb:b0:cd:99:84:29:27:38:9b:c5:2b:95:61:
     32:a4:91:19:c4:d4:9b:39:59:51:b6:8a:22:ef:36:d1:f0:d2:
     89:bd:3e:57:fe:cc:bd:9c:91:d2:c2:18:9c:f3:f7:15:2f:f3:
     50:3c:c4:fa:77:f6:03:99:47:62:23:91:a2:27:5e:1e:30:a0:
     d3:fa:10:12:3b:93:06:7d:ed:0e:f0:ae:95:b1:fa:34:97:f1:
     1f:40:54:d1:8b:4a:9a:f2:3d:6d:3b:c1:61:ea:d3:f2:5f:26:
     d0:9a:3c:52:a3:95:36:49:27:e5:19:36:f7:e4:34:a5:f1:cc:
     4b:7d:2d:31

My web server is (include version):

Server version: Apache/2.4.18 (Ubuntu)
Server built: 2019-04-03T13:34:47

The operating system my web server runs on is (include version):

Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1079-aws x86_64)

My hosting provider, if applicable, is:

Amazon AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

I get an email thats says this certificate is expiring.

Your certificate (or certificates) for the names listed below will expire in 10 days (on 17 Apr 19 05:30 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

When I do a

sudo certbot renew --dry-run

It says none of my certificates are up for renewal.

I have recently restarted my server.

I understand that they will be auto renewed by crontab. Do I need to install something in crontab or is it auto installed when i installed certbot?

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

What certificate was it? If it’s this one for shafer.ca, you can ignore the email, because you’ve replaced the certificate with the newer one with a superset of the names.

Depends on how you installed Certbot. If you used the PPA packages, yes, there’s a systemd timer automatically set up.

You can see it with systemctl list-timers.

1 Like

Hi @gshafer

you have created different certificates ( https://check-your-website.server-daten.de/?q=shafer.ca ):

CRT-Id Issuer not before not after Domain names LE-Duplicate next LE
1330832660 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-03-21 23:46:30 2019-06-19 22:46:30 www.shafer.ca
1312151162 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-03-21 23:45:28 2019-06-19 22:45:28 shafer.ca, www.shafer.ca
1128853166 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-01-20 20:15:27 2019-04-20 19:15:27 shafer.ca, www.shafer.ca
1128760975 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-01-20 19:28:51 2019-04-20 18:28:51 www.shafer.ca
1118520847 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-01-17 04:30:32 2019-04-17 03:30:32 shafer.ca

But you use the certificate with two domain names:

CN=shafer.ca
	22.03.2019
	20.06.2019
expires in 74 days	shafer.ca, www.shafer.ca - 2 entries

Letsencrypt doesn’t know which certificate you use.

So you can ignore the mail.

PS: You should delete the certificates you don’t use.

certbot certificates

to see the certificates, then

certbot delete [certificate-name]

Thanks for your help.

I deleted the extra certificates, so that each domain name only shows up on one certificate.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.