We use a single wildcard cert covering multiple domains. I’m getting emails from expiry@letsencrypt.org, saying it will expire in eight days’ time. Yet when I check the expiry on the issued cert using https://www.geocerts.com/certificate-decoder it says they won’t expire for two and a half months.
This was previously discussed in "Expiry notice when domains certs aren’t expiring", and the reason is that since the original cert was issued, we have changed the list of domains being issued. This issue will cause confusion for all those who haven’t found the linked thread. Is there no way of only generating these emails if the cert is actually expiring? No way of comparing the current versus the original domain list?
I don't think it's necessary to find that thread to understand this issue. The expiry emails link to our documentation: Expiration Emails - Let's Encrypt, which explains "When You Get an Expiration Email":
If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.
The certificate that we emailed about is actually expiring. You've replaced it with a different certificate that isn't expiring, but it isn't a renewal because the names changed: it's two separate certificates with some overlapping subjects. You know as the operator that while they are two different certificates, one is a logical replacement of the other. There's no way for Let's Encrypt to automatically figure that out in a way that is reliable enough that it wouldn't cause false positives.
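As an added illustration of the distinction made in this answer (this is example code written for this page, not Let's Encrypt's mailer or any ACME client's code), the Go program below generates two self-signed sample certificates with the thread's scenario, then compares them by their DNS SANs: an identical name set is a renewal, a different-but-overlapping set is a replacement for which an expiry email about the old certificate is expected, and disjoint sets are unrelated. The names `example.com`, `*.example.com` and `www.example.net`, the 8-day and 75-day expiries, and all function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// MakeTestCertPEM builds a self-signed certificate covering the given DNS names and
// expiring at notAfter. It only constructs sample input; these are not real LE certs.
func MakeTestCertPEM(names []string, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour), // 90-day lifetime, as Let's Encrypt issues
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParseCertPEM decodes the first CERTIFICATE block of a PEM file, such as the
// cert.pem an ACME client keeps on disk.
func ParseCertPEM(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// NameSet returns the DNS SANs lowercased and sorted, so two certificates can be
// compared by exactly which names they cover.
func NameSet(c *x509.Certificate) []string {
	out := make([]string, 0, len(c.DNSNames))
	for _, n := range c.DNSNames {
		out = append(out, strings.ToLower(n))
	}
	sort.Strings(out)
	return out
}

// Relationship classifies newer relative to old the way an expiry mailer can see it:
// same name set => "renewal"; different but overlapping set => "replacement" (the old
// cert is still expiring, so mail about it is expected); no shared names => "unrelated".
func Relationship(old, newer *x509.Certificate) string {
	o, n := NameSet(old), NameSet(newer)
	if strings.Join(o, "\n") == strings.Join(n, "\n") {
		return "renewal"
	}
	inOld := map[string]bool{}
	for _, x := range o {
		inOld[x] = true
	}
	for _, x := range n {
		if inOld[x] {
			return "replacement"
		}
	}
	return "unrelated"
}

// DaysLeft is the whole number of days between now and the certificate's NotAfter.
func DaysLeft(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	now := time.Now().Truncate(time.Second) // X.509 times carry no sub-second precision
	// Constructed scenario: old wildcard cert expires in 8 days; its replacement adds a name.
	oldPEM, _ := MakeTestCertPEM([]string{"example.com", "*.example.com"}, now.Add(8*24*time.Hour))
	newPEM, _ := MakeTestCertPEM([]string{"example.com", "*.example.com", "www.example.net"}, now.Add(75*24*time.Hour))
	old, _ := ParseCertPEM(oldPEM)
	newer, _ := ParseCertPEM(newPEM)
	fmt.Printf("old: %v, expires in %d days\n", NameSet(old), DaysLeft(old, now))
	fmt.Printf("new: %v, expires in %d days\n", NameSet(newer), DaysLeft(newer, now))
	fmt.Println("relationship:", Relationship(old, newer))
}
```

To apply this to a live site rather than the constructed certificates, feed `ParseCertPEM` the old `cert.pem` the client saved and compare it with the leaf certificate the server actually presents (in Go, `tls.Dial` followed by `ConnectionState().PeerCertificates[0]`); a "replacement" result with a comfortable `DaysLeft` on the served certificate is exactly the "no further action is needed" case the documentation describes.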