Getting Expiry Email with DNS Renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: Docker compose - Certbot Docker image with Cloudflare DNS plugin. Did not change domain name from last renewal to this time.

Here is the docker-compose for certbot, note it does have a wildcard domain, I am not sure if that is causing the issue.

image: certbot/dns-cloudflare
restart: always
command: >-
--dns-cloudflare-credentials /root/cloudflare.ini
--dns-cloudflare-propagation-seconds 60
--email MY_EMAIL
-d *
- certbot_etc:/etc/letsencrypt
- ./cloudflare.ini:/root/cloudflare.ini
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

It produced this output: A reminder email been send on 19 days left before expire (Feb 2nd), even though Cloudflare informed me the certificate already renewal at 30 days left (Jan 24th).

Certbot certificates command show similar info as Cloudflare notification:
Expiry Date: 2021-04-24 06:18:27+00:00 (VALID: 78 days)

My web server is (include version): Docker Image Nginx 1.19.4

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS, but its running docker, Nginx image uses Alpine Linux v3.12

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

1 Like

Welcome to the Let's Encrypt Community, Evan :slightly_smiling_face:

1 Like

Hi Griffin,

Thanks for the reply.

I read that blog before posting this question. The blog does say that I will not get an email notification if I renew with the exact same DNS names. Since it was renewed 30 days prior to expire, it should not trigger the 20 days left email either. I am confused on why it is not detecting my renewal even though both CF and Certbot itself show that renew is processed at exactly 30 days left. Is it because I am using DNS renew rather than regular HTTP renew?



Hello @5f5l3j569jlfmyl,

Could you please paste the part of the mail you received with the list of affected domains?

I think you are receiving that mail because of one of these certificates:

X3  Final cert          RSA 2048bit  2020-Nov-25 01:25 UTC  2021-Feb-23 01:25 UTC  18 days

X3  Final cert          RSA 2048bit  2020-Nov-24 22:36 UTC  2021-Feb-22 22:36 UTC  18 days

X3  Final cert   RSA 2048bit  2020-Nov-24 22:36 UTC  2021-Feb-22 22:36 UTC  18 days

X3  Final cert  *        RSA 2048bit  2020-Nov-24 20:55 UTC  2021-Feb-22 20:55 UTC  18 days     *

And not because of the certificate that is covering and *



Hi Sahsanu,

Sure, here is the email from CF:


Cloudflare has observed issuance of the following certificate for or one of its subdomains:

Log date: 2021-01-24 07:18:27 UTC
Issuer: CN=R3,O=Let's Encrypt,C=US
Validity: 2021-01-24 06:18:27 UTC - 2021-04-24 06:18:27 UTC
DNS Names: *,

And for LE:


Your certificate (or certificates) for the names listed below will expire in 20 days (on 22 Feb 21 22:36 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
Integration Guide - Let's Encrypt - Free SSL/TLS Certificates for details.

First email

Second Email:

Third Email:

LE send out 3 emails with different address within the same day and time.

1 Like

The mails you received are for other certificates covering another sub set of domains and not the one you renewed covering exactly and *

1 Like

Ok that make sense, those emails are informing about the address I messed up when I was testing with Production LE servers (which I shouldn't, thats what Staging is for, my bad).

I see on that I did issue a cert for those subdomain on similar day as I issue my DNS certs


Just to verify that I will be not getting more expiry email after this one since those sub domains cert will expire and only my DNS certs will be valid from this time on.

1 Like

You should receive more mails regarding those certificates when left 10 days to expire and when left 1 day to expire. Just ignore them.

1 Like

Thank you for the information, assistance and time. :smiley:

I will mark the question as solved. Have a nice day


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.