Getting cert renewal email after renewing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.fleet.org

I ran this command: certbot-auto

It produced this output: Expected output

My web server is (include version): Apache 2.4, I think

The operating system my web server runs on is (include version): Fedora 30

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.0.0

I renewed my cert for www.fleet.org around Jan 10. Yesterday I got another expiration notice for it saying that the cert was due to expire Jan 31. That was true of the cert I replaced, so why am I getting another notice? Did Let’s Encrypt’s process “forgot” that I renewed?

Hi @anewton81

please read the link shared in the mail.

Checking your domain that looks wrong - https://check-your-website.server-daten.de/?q=fleet.org

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-01-11 2020-04-10 mail.fleet.org, www.fleet.org - 2 entries
Let’s Encrypt Authority X3 2019-11-02 2020-01-31 www.fleet.org - 1 entries
Let’s Encrypt Authority X3 2019-11-02 2020-01-31 mail.fleet.org, www.fleet.org - 2 entries

You have created a certificate with two domain names. The certificate with one domain name isn’t renewed -> that’s the mail. Letsencrypt doesn’t know which certificate you want to use.

Re: “please read the link shared in the mail.”

Which link? There are several. I’m guessing the one about expiry emails? That didn’t have enough information to address my question, but your post gave me some useful info, thanks.

I think a change to my DSL service that I made in November may have complicated things. I used to have a /28 subnet and mail.fleet.org and www.fleet.org had two different IP addresses. After the upgrade, I had a /30 subnet with only 1 usable IP address with port forwarding (internally, there are still two different IP addresses) where the mail address is the DNS A record, and the www address is a CNAME. Both still need certs (Androids won’t connect to a mail server without one).

Is there a better way for me to handle this use case? Do I need to change how I’m using letsencrypt if one of the addresses is now a CNAME?

When You Get an Expiration Email

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate.

That’s the answer why a mail was sent.

Thank you.

Do I need to do anything to remove the old certs? Or will this sort itself out as time goes on?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.