Expired or not?

elbarbudo · July 24, 2019, 6:55am

Hello
I just received a mail telling that the certificate for patricearnal.ddns.net will expire on 12 Aug 19 21:42 +0000
But I modified this certificate about 10 days ago, in order to add arnal.site on it.
This new certificate is still valid for 79 days so I wonder why I received this mail…

My domain is:

I ran this command:
certbot certificates

It produced this output:

Found the following certs:
Certificate Name: patricearnal.ddns.net
Domains: arnal.site patricearnal.ddns.net
Expiry Date: 2019-10-11 07:26:40+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/patricearnal.ddns.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/patricearnal.ddns.net/privkey.pem

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Linux arnal.site 4.19.57-v7+ #1244 SMP Thu Jul 4 18:45:25 BST 2019 armv7l GNU/Linux

My hosting provider, if applicable, is:
Self hosted on a raspberry PI 3

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

JuergenAuer · July 24, 2019, 6:59am

Hi @elbarbudo

please read

When You Get an Expiration Email

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

Checking your domain you see ( https://check-your-website.server-daten.de/?q=patricearnal.ddns.net#ct-logs )

You have two certificates with different sets of domain names:

Issuer	not before	not after	Domain names	LE-Duplicate	next LE
Let's Encrypt Authority X3	2019-07-13	2019-10-11	arnal.site, patricearnal.ddns.net - 2 entries
Let's Encrypt Authority X3	2019-05-14	2019-08-12	patricearnal.ddns.net - 1 entries

You use the newest:

CN=arnal.site
	13.07.2019
	11.10.2019
expires in 79 days	
arnal.site, patricearnal.ddns.net - 2 entries

The older certificate isn't renewed -> that's the mail.

elbarbudo · July 24, 2019, 7:19am

Thank you : I missed the fact I got 2 certificates.

All the procedure to add “arnal.site” to an existing certificate makes me believe that I UPDATED an existing certificate, not that I got a new one.

Hence my question.

JuergenAuer · July 24, 2019, 7:34am

There is no "certificate update". Every certificate is new and read-only. The only thing: Clients save the parameters and reuse these informations. That's "renew".

schoen · July 24, 2019, 3:59pm

Client software may also track a relationship between certificates (for example, giving the certificate a local name). But the Let's Encrypt CA doesn't know anything about this relationship, which is a source of frequent confusion about these reminder e-mails. You could be updating a certificate in your local certificate management software, but the certificate authority doesn't know that.

system · August 23, 2019, 3:59pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.