Expiration notice mail how to handle

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
pjdw20.duckdns.org
I ran this command:
I have connected to swag container and run
certbot renew
It produced this output:
Cert not yet due for renewal
My web server is (include version):
swag?
The operating system my web server runs on is (include version):
linux
My hosting provider, if applicable, is:
NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

1 Like

Hi @pjdw

Expiration notice mail how to handle

Please read the link about expiration mails shared in the mail. There is your complete answer.

1 Like

Thanks Juergen,
I have read it, but it is not clear to me what to do in my situation

  • received expiration mail, but certificate is not yet in expiration range (< 30 days)

Then you've also read this part of the expiration mail documentation:

If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

Recently, you've renewed a wildcard certificate:

https://crt.sh/?id=4252629250

However, on January 19th and January 20th you've managed to issue four (? why so many?) certificates for just the apex domain name:

https://crt.sh/?q=pjdw20.duckdns.org&deduplicate=y

Now I leave you with an assignment: can you combine the two things I've said about your certificates with the part of the expiration mail documentation I've quoted at the top?

Note that a certificate for just the wildcard is only valid for subdomains in place of the * and that the apex domain name should be included separately for that specific hostname to be valid too.

1 Like

Thanks for cleanly pointing out my misbehavior and I herewith apologize. The old certificate is replaced by the newer one so no action is required.
I understand that I just need 2 certificates and have to combine things.

You could indeed modify your wildcard certificate to also include the apex domain so you only require one cert.

Note that if you make the above change, you'd get another e-mail about the cert with just the wildcard hostname expiring when that's about to happen.
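The two points made in this thread (an expiration mail arrives for an old certificate whose name set was changed rather than renewed, and a wildcard name does not cover the apex) can be checked together. The following is an added example, not part of any post above: the certificate records, dates and `example.org` names are constructed, and the "identical name set counts as a renewal" rule is an assumption taken from the documentation quoted in the thread.

```python
from datetime import datetime, timedelta

def san_covers(san: str, host: str) -> bool:
    """A wildcard SAN stands for exactly one leftmost label, so it never matches the apex."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == san[2:]

def triage(certs, hosts, now, window_days=30):
    """For each cert expiring within the window, return
    {cert_id: (notice_expected, hosts_left_uncovered_when_it_lapses)}."""
    cutoff = now + timedelta(days=window_days)
    report = {}
    for old in certs:
        if not (now <= old["not_after"] <= cutoff):
            continue
        later = [c for c in certs if c["not_after"] > old["not_after"]]
        # Assumption (from the quoted documentation): only a newer certificate
        # with the identical set of names counts as a renewal of the old one.
        renewed = any(set(c["names"]) == set(old["names"]) for c in later)
        # Hosts the old cert serves that no longer-lived cert can take over.
        exposed = sorted(
            h for h in hosts
            if any(san_covers(s, h) for s in old["names"])
            and not any(san_covers(s, h) for c in later for s in c["names"])
        )
        report[old["id"]] = (not renewed, exposed)
    return report

# Constructed sample data: names, ids and dates are illustrative only.
NOW = datetime(2021, 3, 25)
APEX = "example.org"
HOSTS = [APEX, "www." + APEX]
OLD_APEX = {"id": "old-apex", "names": {APEX}, "not_after": NOW + timedelta(days=10)}
WILDCARD = {"id": "wildcard-only", "names": {"*." + APEX}, "not_after": NOW + timedelta(days=80)}
COMBINED = {"id": "combined", "names": {APEX, "*." + APEX}, "not_after": NOW + timedelta(days=85)}

if __name__ == "__main__":
    print(triage([OLD_APEX, WILDCARD], HOSTS, NOW))  # notice, apex left uncovered
    print(triage([OLD_APEX, COMBINED], HOSTS, NOW))  # notice, nothing left uncovered
```

A notice with an empty uncovered list is the "no further action is needed" case from the documentation; a non-empty list means a hostname in use still depends on the expiring certificate.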