Expiry notice by email, but I think this domain is ok


#1

I received an expiry notice by email, but when I run certbot renew --dryrun, all looks fine. Summary affecting this domain is here, and full output is below.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.contracts.loutilities.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for contracts.loutilities.com
http-01 challenge for www.contracts.loutilities.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.contracts.loutilities.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My domain is: www.contracts.loutilities.com

I ran this command: certbot renew --dryrun

It produced this output:

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/scoretility.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for scoretility.com
http-01 challenge for www.scoretility.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/scoretility.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sandbox.steeplechasers.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sandbox.steeplechasers.org
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/sandbox.steeplechasers.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sandbox.contracts.loutilities.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sandbox.contracts.loutilities.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/sandbox.contracts.loutilities.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.steeplechasers.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for test.steeplechasers.org
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test.steeplechasers.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/beta.scoretility.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for beta.scoretility.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/beta.scoretility.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/steeplechasers.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for steeplechasers.org
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/steeplechasers.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.loutilities.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for loutilities.com
http-01 challenge for www.loutilities.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.loutilities.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.contracts.loutilities.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for contracts.loutilities.com
http-01 challenge for www.contracts.loutilities.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.contracts.loutilities.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sandbox.scoretility.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sandbox.scoretility.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/sandbox.scoretility.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/scoretility.com/fullchain.pem (success)
  /etc/letsencrypt/live/sandbox.steeplechasers.org/fullchain.pem (success)
  /etc/letsencrypt/live/sandbox.contracts.loutilities.com/fullchain.pem (success)
  /etc/letsencrypt/live/test.steeplechasers.org/fullchain.pem (success)
  /etc/letsencrypt/live/beta.scoretility.com/fullchain.pem (success)
  /etc/letsencrypt/live/steeplechasers.org/fullchain.pem (success)
  /etc/letsencrypt/live/www.loutilities.com/fullchain.pem (success)
  /etc/letsencrypt/live/www.contracts.loutilities.com/fullchain.pem (success)
  /etc/letsencrypt/live/sandbox.scoretility.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 5 2018 01:47:09

The operating system my web server runs on is (include version):
CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.29.1


#2

Hi @louking

which domain was in that mail?

If this domain has a valid certificate, then you may have created a certificate with a different set of domain names. But then you don’t need the old certificate. So you can ignore the mail.


#3

The domain in the email was www.contracts.loutilities.com

Will I keep getting the email for this domain?

Not sure what you mean “you may have created a certificate with a different set of domain names”


#4

--dry-run just tests that renewal can work. Does “sudo certbot certificates” show that it really has been renewed?

A different, overlapping set of domain names. Like if you replace a certificate for example.org with one for both example.org and www.example.org.


#5

Looks like you can ignore the mail.

The domain has one good certificate

CN=www.contracts.loutilities.com
	07.03.2019
	05.06.2019
expires in 81 days	contracts.loutilities.com, 
www.contracts.loutilities.com - 2 entries

That’s good because it has both domain names.

https://crt.sh/?q=contracts.loutilities.com

lists 2 certificates - 2019-01-06 and 2019-03-07.

But

https://crt.sh/?q=www.contracts.loutilities.com

shows two additional certificates, only with the www domain name.

So you don’t need these certificates, because you have one certificate with both domain names.

So you can ignore the mail.


#6

Thanks. Answering @mnordhoff I see the 80 days left (see below for the answer I’d just started typing).

Is there any way to prevent this concerning email from being sent in the future, or do I just have to remember to check when I receive it?

And thanks for the extremely quick response on this question!

@mnordhoff (I don’t want to ignore you) the email said 20 days left, but sudo certbot certificates shows 80 (see below). At one point I was having trouble configuring loutilities.com, but I think that was resolved. Is everything on my server or is there data at letsencrypt as well?

$ sudo certbot certificates
[sudo] password for lking:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: scoretility.com
    Domains: scoretility.com www.scoretility.com
    Expiry Date: 2019-06-13 21:38:17+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/scoretility.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/scoretility.com/privkey.pem
  Certificate Name: sandbox.steeplechasers.org
    Domains: sandbox.steeplechasers.org
    Expiry Date: 2019-04-17 10:40:24+00:00 (VALID: 31 days)
    Certificate Path: /etc/letsencrypt/live/sandbox.steeplechasers.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sandbox.steeplechasers.org/privkey.pem
  Certificate Name: sandbox.contracts.loutilities.com
    Domains: sandbox.contracts.loutilities.com
    Expiry Date: 2019-06-09 21:39:38+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/sandbox.contracts.loutilities.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sandbox.contracts.loutilities.com/privkey.pem
  Certificate Name: test.steeplechasers.org
    Domains: test.steeplechasers.org
    Expiry Date: 2019-06-10 21:42:10+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/test.steeplechasers.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.steeplechasers.org/privkey.pem
  Certificate Name: beta.scoretility.com
    Domains: beta.scoretility.com
    Expiry Date: 2019-06-12 21:42:33+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/beta.scoretility.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/beta.scoretility.com/privkey.pem
  Certificate Name: steeplechasers.org
    Domains: steeplechasers.org
    Expiry Date: 2019-04-18 22:42:27+00:00 (VALID: 33 days)
    Certificate Path: /etc/letsencrypt/live/steeplechasers.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/steeplechasers.org/privkey.pem
  Certificate Name: www.loutilities.com
    Domains: www.loutilities.com loutilities.com
    Expiry Date: 2019-06-06 10:38:14+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/www.loutilities.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.loutilities.com/privkey.pem
  Certificate Name: www.contracts.loutilities.com
    Domains: www.contracts.loutilities.com contracts.loutilities.com
    Expiry Date: 2019-06-05 10:38:53+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/www.contracts.loutilities.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.contracts.loutilities.com/privkey.pem
  Certificate Name: sandbox.scoretility.com
    Domains: sandbox.scoretility.com
    Expiry Date: 2019-06-13 21:38:31+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sandbox.scoretility.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sandbox.scoretility.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#7

Did you delete certificates?

Certificates shown there are not in your list.


#8

Yes. I was struggling to get it right. I suspect that I may receive emails about the deleted certs until they’re expired, then none after that.

I found the following in my log file, with related cert creations before and after.

2019-01-31 05:37 sudo certbot delete --cert-name loutilities.com # was causing error on certbot renew --dry-run
2019-01-06 07:24 sudo certbot delete --cert-name www.contracts.loutilities.com
2019-01-05 15:57 sudo certbot delete --cert-name loutilities.com
2019-01-04 12:51 sudo certbot delete --cert-name www.contracts.loutilities.com