Expired or not?

I just received a mail telling that the certificate for patricearnal.ddns.net will expire on 12 Aug 19 21:42 +0000
But I modified this certificate about 10 days ago, in order to add arnal.site on it.
This new certificate is still valid for 79 days so I wonder why I received this mail…

My domain is:

I ran this command:
certbot certificates

It produced this output:

Found the following certs:
Certificate Name: patricearnal.ddns.net
Domains: arnal.site patricearnal.ddns.net
Expiry Date: 2019-10-11 07:26:40+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/patricearnal.ddns.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/patricearnal.ddns.net/privkey.pem

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Linux arnal.site 4.19.57-v7+ #1244 SMP Thu Jul 4 18:45:25 BST 2019 armv7l GNU/Linux

My hosting provider, if applicable, is:
Self hosted on a raspberry PI 3

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

Hi @elbarbudo

please read

When You Get an Expiration Email

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

Checking your domain you see ( https://check-your-website.server-daten.de/?q=patricearnal.ddns.net#ct-logs )

You have two certificates with different sets of domain names:

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-07-13 2019-10-11 arnal.site, patricearnal.ddns.net - 2 entries
Let's Encrypt Authority X3 2019-05-14 2019-08-12 patricearnal.ddns.net - 1 entries

You use the newest:

expires in 79 days	
arnal.site, patricearnal.ddns.net - 2 entries

The older certificate isn't renewed -> that's the mail.

1 Like

Thank you : I missed the fact I got 2 certificates.

All the procedure to add “arnal.site” to an existing certificate makes me believe that I UPDATED an existing certificate, not that I got a new one.

Hence my question.


There is no “certificate update”. Every certificate is new and read-only. The only thing: Clients save the parameters and reuse these informations. That’s “renew”.


Client software may also track a relationship between certificates (for example, giving the certificate a local name). But the Let’s Encrypt CA doesn’t know anything about this relationship, which is a source of frequent confusion about these reminder e-mails. You could be updating a certificate in your local certificate management software, but the certificate authority doesn’t know that.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.