Expiration notices arrive months too early

My domain is: "cmt.uantwerpen.be" and "dyproso2009.uantwerpen.be and some others".
"dyproso and some others" all share the same cert, cmt.uantwerpen.be uses a different cert.
(Note that cmt.uantwerpen.be immediately redirects to a site out of my control so it's probably easier to examine dyproso2009)

I ran this command: nginx certbot certificates but first I just checked the expiration date of the certs with a web browser

It produced this output: According to my browser the cert of dyproso2009 will expire on 30 Dec 2021 (today it's 7 Oct).
The certbot output was:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: cmt.uantwerpen.be-0001
    Serial Number: 33461f329b63d19af39a8c11406d7eaa1f9
    Key Type: RSA
    Domains: cmt.uantwerpen.be
    Expiry Date: 2021-12-28 14:59:03+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/cmt.uantwerpen.be-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cmt.uantwerpen.be-0001/privkey.pem
  Certificate Name: cmt.uantwerpen.be
    Serial Number: 4dfb65dc467f5801e1d790617bd29697aca
    Key Type: RSA
    Domains: cmt.uantwerpen.be dyproso2009.ua.ac.be dyproso2009.uantwerpen.be eden-leeft.be gl.tfm.ua.ac.be gl.tfm.uantwerpen.be latex.tfm.uantwerpen.be nc.tfm.uantwerpen.be scicraft.uantwerpen.be seamouse.ua.ac.be seamouse.uantwerpen.be www.cmt.ua.ac.be www.cmt.uantwerpen.be www.eden-leeft.be www.youngminds.uantwerpen.be youngminds.uantwerpen.be
    Expiry Date: 2021-12-30 13:22:07+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/cmt.uantwerpen.be/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cmt.uantwerpen.be/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): Nginx 1.19.8, which acts as a reverse proxy; multiple versions of Apache are behind it. (All servers, including nginx, run in separate docker containers). Everything works flawlessly

The operating system my web server runs on is (include version): Debian Buster

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don't know): yes, both for host and all containers

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.13.0

So far with all requested info... (Although I assume most is irrelevant)
What is probably a lot more useful is that the nginx container is based on the image at GitHub - staticfloat/docker-nginx-certbot: Create and renew website certificates using the Letsencrypt free certificate authority.
This image might no longer be actively maintained but that message was only added a couple of months ago so for the moment I am going to keep using it.

Now finally onto the problem, which is actually more "strange behaviour" than a problem:

Today I received a mail mentioning:
"Your certificate (or certificates) for the names listed below will expire in 10 days (on 17 Oct 21 06:41 +0000)". (the names were the ones from the cert)
I checked the headers of the mail to check if it was spam (it wasn't).
I also received similar mails in the past.

Why are these dates wrong?

Hi @garo, welcome to the LE community forum

The email should make it clear that if you have renewed a cert by adding or removing names, that isn't seen as a renewal, but as a different new cert.

You should be able to review all certs issued to the mentioned name via online CT logs.
See: https://crt.sh/

Judging only by the sixteen names found on that second cert, I would say that you have made several other very similar certs with less or more names on it - each of which is seen as a separate cert and when it hasn't been renewed and is nearing expiry you may get a similar email to inform you that you should be aware of that and take action if needed.

Exactly? All the exact same set of names?

Welcome to the Let's Encrypt Community, Nikolas

This might help:

I indeed made different certs in the past while playing around with certbot. I removed them on my webserver (so they will never be renewed).

Can I assume that once these no-longer existing certs expire all new mails will only contain correct dates?

The emails should always contain correct dates, as did the email you just received.
If you don't add or remove names from the certs, when they renew they extend that cert life and won't trigger an email notice of expiry.

Once a certificate expires and is not renewed, you won't hear about it again.
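
The rule given in the replies above (a cert counts as renewed only when a later cert carries exactly the same set of names), as an added Python example that is not part of the thread and not Let's Encrypt's own code. The example.org names, issue dates, 90-day lifetime and 10-day notice window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def name_set(names):
    """A cert's identity for renewal purposes: its exact set of DNS names."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

def cert(names, issued, lifetime_days=90):
    """Build a constructed sample record (assumed 90-day lifetime)."""
    return {"names": names, "not_before": issued,
            "not_after": issued + timedelta(days=lifetime_days)}

def pending_notices(certs, now, window_days=10):
    """Certs expiring within window_days that no later cert with the
    identical name set has replaced. Adding or removing a name creates a
    different cert, so it does not count as a renewal of the old one."""
    newest = {}
    for c in certs:
        key = name_set(c["names"])
        newest[key] = max(newest.get(key, c["not_before"]), c["not_before"])
    horizon = now + timedelta(days=window_days)
    due = [c for c in certs
           if newest[name_set(c["names"])] == c["not_before"]
           and now <= c["not_after"] <= horizon]
    return sorted(due, key=lambda c: c["not_after"])

# Constructed sample data (example.org names and issue dates are made up).
CERTS = [
    # Early experiment, later deleted from the server, never renewed.
    cert(["a.example.org", "b.example.org"], datetime(2021, 7, 19, 6, 41, tzinfo=UTC)),
    # A name was added: a new cert, not a renewal of the one above.
    cert(["a.example.org", "b.example.org", "c.example.org"],
         datetime(2021, 8, 1, 9, 0, tzinfo=UTC)),
    # Same three names in another order and case: renews the previous cert.
    cert(["C.example.org", "b.example.org", "a.example.org"],
         datetime(2021, 10, 1, 13, 22, tzinfo=UTC)),
]

if __name__ == "__main__":
    for c in pending_notices(CERTS, datetime(2021, 10, 7, 12, 0, tzinfo=UTC)):
        print(sorted(name_set(c["names"])), "expires", c["not_after"].isoformat())
```

Deleting a cert from the server does not change this result: the old two-name cert still reaches its expiry date without a same-name successor, while the three-name cert is covered by its reissue.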
