Expiration email, still applicable?

I read some other posts about expiration emails and LE with Cloudflare but wasn't able to find an answer, so hoping someone here can help!

Background is that I set up a website with a one-click DigitalOcean droplet that included a Let's Encrypt cert. I later decided to use Cloudflare in front of my site and am using their SSL. I recently got a certificate expiration email from Let's Encrypt bot, and I'm not sure how to tell if it's still relevant. When I check my domain name here (crt.sh | bikesteady.com), I do see Let's Encrypt in the responses, which makes me think I may have something to renew. I also dropped my domain into letsdebug.net but couldn't make sense of the output there. Thanks in advance for any guidance.

My domain is: bikesteady.com

I ran this command: sudo certbot certificates

It produced this output: No certificates found.

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: none but I am using Cloudflare in front

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

2 Likes

Hi @kaganjd, and welcome to the LE community forum :slight_smile:

Two certs have been issued for your domain by LE:

But as you can see, from the highlight, they are NOT for the exact same set of names.
So, LE doesn't consider the second [top highlight] as a replacement to the first.
The notice is to make you aware that the first one [bottom of image] will be expiring soon.

If you are also using their cert on your server, then you can ignore this notice.

Did you at any point delete the certificate?
Anything like:
sudo certbot delete --cert-name bikesteady.com
[does that ring any bells?]

6 Likes

Adding on to rg305's comment ...

The Let's Encrypt wildcard cert issued on Jun 21 was almost certainly obtained by Cloudflare on your behalf. The same as Cloudflare got certs from other Certificate Authorities (CA) when you chose to proxy your DNS there.

The Let's Encrypt cert issued May 29 was one you obtained (guessing). It was not obtained by Cloudflare (see its CN=R3). This is the cert the email is warning you about.

With Cloudflare CDN (like you use) there should be two HTTPS connections. One is between the browser and Cloudflare. The other is from Cloudflare CDN to your Origin Server and should be HTTPS although it is technically possible to be HTTP. So, you should have a cert to allow use of HTTPS for this connection too. Perhaps you are using the Cloudflare Origin CA Cert for this purpose?

Anyway, check your Cloudflare Encryption Mode and make sure it is using HTTPS and then make sure you get a cert setup on your Origin server to support that.

6 Likes

Did you install certbot yourself or did the droplet include it?

4 Likes

Thanks everyone for your replies!! With y'all's prompts I was able to retrace my steps and here's what I think happened:

  • 1-click install installed certbot; I was issued a cert in /etc/letsencrypt/bikesteady.com
  • I later followed Cloudflare instructions to put different certs in /etc/ssl/... and I updated my nginx config to point to the new Cloudflare certs without cleaning up (:see_no_evil:) the original Let's Encrypt stuff installed by 1-click installer.

So I think this answers my question: the email I got was for a cert that's still on my server but not actually being used. Thanks so much!

2 Likes

Is that still there?

That's fine, but something isn't clear. Cloudflare doesn't interfere with renewals on your droplet. Also, that (nearly?) expired certificate should be on your machine, and certbot certificates should tell you so.

4 Likes

There must be some additional step(s) that removed the cert from your system.

Inquiring minds want to know!

2 Likes

Yes, there is still a cert in /etc/letsencrypt/bikesteady.com... I'm not sure why certbot isn't picking it up.

I'm not sure how maintained the 1-click installer is (this is for Ghost, the publishing platform) - maybe it used to install certbot but now manages certs a different way? I'm looking through the Ghost CLI code, which the 1-click installer uses, and it seems to use acme.sh, not sure if this is similar to certbot? Deep in the weeds now haha

Ah, yes, some places instruct people to use acme.sh with a similar format of folder as Certbot. You should try acme.sh --list to see if it knows any active cert profiles and then --remove it if you are sure you don't use it. It is best not to renew unneeded certs.

Certbot isn't showing anything because it looks at the /etc/letsencrypt/renewal/ folder for cert profiles. That folder is empty.

There are many dozens of ACME clients. Hundreds maybe. Certbot and acme.sh are two popular ones.

3 Likes

I just realized that path is NOT one certbot would have created.
It is missing the /live/ part.
So, I'm thinking @MikeMcQ is correct in thinking that somehow instructions were followed that put those cert files there - but did not use certbot to get them.

2 Likes
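The last few posts boil down to one question: which certificate files are on the box, which of them does nginx actually load, and which ones does certbot know how to renew? The script below is an added example (not from this thread, not part of certbot or acme.sh) that answers that by walking the cert roots, grepping the nginx config for `ssl_certificate` lines that point at each file, and grepping `/etc/letsencrypt/renewal/` for a profile that mentions it. The demo function builds a constructed temporary tree that mirrors the situation above (a cert under `/etc/letsencrypt/bikesteady.com/` with no `/live/` and no renewal profile, a Cloudflare origin cert that nginx does use, and a simplified certbot-style cert with a profile); all paths and file contents there are placeholders, and the real certbot layout uses symlinks from `live/` into `archive/`, which this check does not need to follow.

```shell
#!/bin/sh
# Added example: inventory of certificate files vs. what nginx and certbot know about.
# Assumptions: nginx references certs with "ssl_certificate <path>;" on one line,
# certbot profiles live in the renewal directory passed as the second argument.

# cert_inventory NGINX_CONF_DIR RENEWAL_DIR CERT_ROOT...
# Prints one line per cert file: "<path> nginx=yes|no certbot=yes|no"
cert_inventory() {
    nginx_conf="$1"; renewal_dir="$2"; shift 2
    for root in "$@"; do
        # private keys are not certificates; leave them out of the listing
        find "$root" -type f \( -name '*.pem' -o -name '*.crt' \) \
             ! -name 'privkey.pem' ! -name '*.key' 2>/dev/null
    done | sort -u | while read -r cert; do
        # escape regex metacharacters in the path before using it in grep -E
        esc=$(printf '%s\n' "$cert" | sed 's/[.[\*^$+?()|]/\\&/g')
        if grep -rqsE "ssl_certificate[[:space:]]+${esc}[[:space:]]*;" "$nginx_conf"; then
            used=yes; else used=no; fi
        if grep -rqsF -- "$cert" "$renewal_dir"; then
            managed=yes; else managed=no; fi
        printf '%s nginx=%s certbot=%s\n' "$cert" "$used" "$managed"
    done
}

# demo_inventory: constructed directory tree (placeholder files, not real certs)
# that reproduces the thread's situation, then runs the inventory over it.
demo_inventory() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/letsencrypt/bikesteady.com" "$tmp/etc/letsencrypt/renewal" \
             "$tmp/etc/letsencrypt/live/example.test" "$tmp/etc/ssl/cloudflare" \
             "$tmp/etc/nginx/sites-enabled"
    # leftover cert: not under live/, no renewal profile, not referenced by nginx
    printf 'PLACEHOLDER CERT\n' > "$tmp/etc/letsencrypt/bikesteady.com/fullchain.pem"
    printf 'PLACEHOLDER KEY\n'  > "$tmp/etc/letsencrypt/bikesteady.com/privkey.pem"
    # simplified certbot-managed cert with a renewal profile pointing at it
    printf 'PLACEHOLDER CERT\n' > "$tmp/etc/letsencrypt/live/example.test/fullchain.pem"
    printf 'fullchain = %s\n' "$tmp/etc/letsencrypt/live/example.test/fullchain.pem" \
        > "$tmp/etc/letsencrypt/renewal/example.test.conf"
    # Cloudflare origin cert, the one nginx actually loads
    printf 'PLACEHOLDER CERT\n' > "$tmp/etc/ssl/cloudflare/origin.pem"
    cat > "$tmp/etc/nginx/sites-enabled/bikesteady.com" <<EOF
server {
    listen 443 ssl;
    server_name bikesteady.com;
    ssl_certificate     $tmp/etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key $tmp/etc/ssl/cloudflare/origin.key;
}
EOF
    cert_inventory "$tmp/etc/nginx" "$tmp/etc/letsencrypt/renewal" \
                   "$tmp/etc/letsencrypt" "$tmp/etc/ssl"
    rm -rf "$tmp"
}

case "${1:-}" in
    "") demo_inventory ;;                                        # no args: constructed demo
    *)  cert_inventory /etc/nginx /etc/letsencrypt/renewal "$@" ;;  # args: real cert roots
esac
```

On a real system run it as `sh inventory.sh /etc/letsencrypt /etc/ssl` (root may be needed to read the directories). A line ending in `nginx=no certbot=no` is exactly the case in this thread: a file nothing loads and nothing renews, so the expiry notice for it can be ignored once you have confirmed no other service points at it.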

That's just sadistic.

4 Likes

With certain common Cloudflare settings enabled the proxy can interfere with Let's Encrypt challenges. In particular, I have found the Always use TLS setting to be disruptive.

4 Likes

If you have Cloudflare Origin CA certificates in place covering the hostnames that you are using and you are proxying your traffic through Cloudflare, you can safely ignore the expiration notice emails.

5 Likes

Unless...
There are any other services that might have been set to also use that [expiring] LE cert.
[web certificates - they're not just for web servers anymore - LOL]
[cell phones - they're not just for making phone calls anymore - LOL]
[computers - they're not just for computing anymore - LOL]

4 Likes

I don't mean to imply that one should blanket ignore all Let's Encrypt notification emails. :grin: Obviously, read them to see what certificates are involved. If you recognize them as deprecated, act accordingly. :metal:

4 Likes

That should break everything, not just renewals.

2 Likes

The initial certificate tends to be issued prior to the site operator adding Cloudflare and enabling Always use TLS, which results in only renewals being affected. My understanding is that Let's Encrypt is supposed to follow redirects, but I have found it far more effective to exempt the .well-known/acme-challenge path from HTTPS redirects.

4 Likes

Oh, you mean the origin server doesn't get any request on port 80 and that interferes with renewals if the origin server doesn't expect http-01 on port 443.

Because the 80->443 redirect comes from Cloudflare, and the origin server doesn't always know about it.

6 Likes
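The origin-side fix described two posts up (exempt `/.well-known/acme-challenge/` from the HTTP-to-HTTPS redirect) is easy to get subtly wrong in nginx: a `return 301` placed directly in the `server {}` block runs before location matching, so it redirects the challenge request too no matter what locations exist. Below is an added example (my own, not from the thread or from nginx) of a small lint that reads an nginx config from stdin and passes only when every port-80 server block has an acme-challenge location and no server-level redirect. It assumes one directive per line, braces on the same line as `server`/`location`, and a redirect written as `return 30x https://...`; the two embedded configs are constructed for the demo. It checks the origin only; a redirect applied at the Cloudflare edge, as the reply above notes, never reaches nginx and has to be dealt with in the Cloudflare settings.

```shell
#!/bin/sh
# Added example: lint an nginx config for a working acme-challenge exemption.

# acme_exempt_ok: reads nginx config on stdin. Exit 0 if each "listen 80" server
# has a location for /.well-known/acme-challenge/ and its HTTPS redirect lives
# inside a location (not directly in server {}); exit 1 otherwise.
acme_exempt_ok() {
    awk '
      # depth is the brace nesting *before* this line: 1 = inside server {}
      depth == 1 && /listen[ \t]+(\[::\]:)?80[ \t]*;/ { in80 = 1 }
      in80 && depth == 1 && /location[ \t]+(\^~[ \t]+)?\/\.well-known\/acme-challenge\// { exempt = 1 }
      in80 && depth == 1 && /return[ \t]+30[1278][ \t]+https:/ { bad = 1 }   # server-level redirect
      {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth == 0 && in80) {               # leaving a port-80 server block
          seen80++
          if (!exempt) bad = 1                  # no challenge location at all
          in80 = 0; exempt = 0
        }
      }
      END { exit ((bad || !seen80) ? 1 : 0) }
    '
}

# Constructed "before" config: the redirect sits in server {}, so it also
# catches /.well-known/acme-challenge/ requests.
before_conf() {
    cat <<'EOF'
server {
    listen 80;
    server_name bikesteady.com;
    return 301 https://$host$request_uri;
}
EOF
}

# Constructed "after" config: challenge files served from disk, everything
# else redirected from inside "location /".
after_conf() {
    cat <<'EOF'
server {
    listen 80;
    server_name bikesteady.com;
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
EOF
}

if [ -n "${1:-}" ]; then
    # usage: sh acme_lint.sh /etc/nginx/sites-enabled/bikesteady.com
    acme_exempt_ok < "$1" && echo "ok: $1" || { echo "FAIL: $1"; exit 1; }
else
    after_conf  | acme_exempt_ok && echo "after config: challenge exemption ok"
    before_conf | acme_exempt_ok || echo "before config: server-level redirect swallows challenges"
fi
```

Pair this with the path that nginx's `root` directive points at: certbot's `--webroot -w /var/www/acme` (or the equivalent acme.sh `-w`) must write the challenge file into the same directory, otherwise the exemption is correct but still serves a 404.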

Not really. If one uses certbot and acme.sh, a consistent file structure lends itself to easy backups and cert verification. I use both and have constructed the file structure and symlinks EXACTLY the same. There is no reason one should complicate maintenance and other routines to varying file/folder structures. If you are using only acme.sh OK.... If you are using only certbot... OK. But if you are using both, it is much easier to maintain the system with a consistent file/folder structure. No doubt.
My 2 cents.

3 Likes

But, if one only uses acme.sh [and doesn't use certbot] ...
What then?
Did one somehow learn that "all certs must go in the /etc/letsencrypt/ folder" ? ? ?
[if so, that needs to be unlearned!]

4 Likes