Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
kreatort.ch
I ran this command:
certbot renew
It produced this output:
Cert not yet due for renewal; despite the mail you sent to me (mz@ubik.ch):
"Your certificate (or certificates) for the names listed below will expire in 6 days (on 2024-10-10). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
kreatort.ch"
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
There's nothing erroneus about the email you've received.
Please read the email again, this time carefully and complete and afterwards appreciate the certificate history for your domain at crt.sh | kreatort.ch. And especially notice the "2024-10-10" from the email in the "Not After" column on crt.sh.
Please review your certificate history (see link above) and notice the identities in the column "Matching Identities" and see the difference before/until and after the cert marked with the Not After date of 2024-10-10.
Sorry; the confusion is on my side. It seems I hav a cgi certificate. How to renew it. I tried 'certbot renew' ont the kreatro.ch and was informed:
Processing /etc/letsencrypt/renewal/kreatort.ch.conf
The OLD certificate did NOT include the cgi subdomain and the NEW certs do.
Let's Encrypt emails you about the OLD certificate, as it differs from the NEW certificate(s).
Can you please tell me how the part
In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.
Is confusing?
If there is something specifically confusing, maybe Let's Encrypt needs to update their expiry email texts.
And you can see that below the red line there is no cgi.
That cert was being renewed without issue until you stopped using it.
And switched to a new cert (with cgi) [above the red line].
The cgi cert should renew 30 days prior to 2024-12-19.
Thanks for very clear explanation and sorry for having disturbed.
So I suppose for now I have nothing to do.
Just one question: why did I receive the mail 'Let's Encrypt certificate expiration notice for domain "kreatort.ch" (and 1 more)'
Here the content of the mail:
Hello, Your certificate (or certificates) for the names listed below will expire in 6 days (on 2024-10-10). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors. We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details. kreatort.ch www.kreatort.ch For details about when we send these emails, please visit: Expiration Emails - Let's Encrypt In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message. For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email. To learn more about the latest technical and organizational updates from Let's Encrypt, sign up for our newsletter: Newsletter Signup - Let's Encrypt If you are receiving this email in error, unsubscribe at: [redacted] Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates. Regards,
As I've already quoted above, I'll quote again from your own post:
As I asked before: what isn't clear about that? How can we improve the email?
Note that, unfortunately, the email does not actually list all of the hostnames in the certificate, so you need to rely on websites like crt.sh if you can't remember the previous set of hostnames or if you have lost track of the history of the hostnames yourself.
It looks like you posted the entire email - with the unsubscribe link.
And that link was either crawled or clicked by you (or someone else) and now you have been unsubscribed from any such future emails.
I receive a notfication email from you. I undertake the suggested actions running certbot renew on my two servers and I am informed on both: No renewals were attempted.
So it is not the content you quoted that surprises me but the fact that I do not have anything to renew.
The explanation in the email warns you that Let's Encrypt cannot distinguish between old certificates and alreadn renew certificates if there is a difference between the 2 certs with regard to the hostnames they contain.
You've added a hostname with the cgi subdomain.
These new certificates renew just fine.
Let's Encrypt does NOT send you an expiry warning for these new cgi containing certificates.
However, it DOES send you an expiry email for the OLD certificate not containing the cgi subdomain. Because of what's mentioned in the email itself.
