Getting Expiry Email with DNS Renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.evanmingliu.com

I ran this command: Docker compose - Certbot Docker image with Cloudflare DNS plugin. Did not change domain name from last renewal to this time.

Here is the docker-compose for certbot, note it does have a wildcard domain, I am not sure if that is causing the issue.

certbot:
  image: certbot/dns-cloudflare
  restart: always
  command: >-
    certonly
    --dns-cloudflare
    --dns-cloudflare-credentials /root/cloudflare.ini
    --dns-cloudflare-propagation-seconds 60
    --email MY_EMAIL
    --agree-tos
    --no-eff-email
    --force-renewal
    -d evanmingliu.com
    -d *.evanmingliu.com
  volumes:
    - certbot_etc:/etc/letsencrypt
    - ./cloudflare.ini:/root/cloudflare.ini
  entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

It produced this output: A reminder email was sent with 19 days left before expiry (Feb 2nd), even though Cloudflare informed me the certificate was already renewed at 30 days left (Jan 24th).

The certbot certificates command shows similar info to the Cloudflare notification:
Expiry Date: 2021-04-24 06:18:27+00:00 (VALID: 78 days)

My web server is (include version): Docker Image Nginx 1.19.4

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS, but it's running Docker; the Nginx image uses Alpine Linux v3.12

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

1 Like

Welcome to the Let's Encrypt Community, Evan :slightly_smiling_face:

1 Like

Hi Griffin,

Thanks for the reply.

I read that blog before posting this question. The blog does say that I will not get an email notification if I renew with the exact same DNS names. Since it was renewed 30 days prior to expiry, it should not trigger the 20 days left email either. I am confused as to why it is not detecting my renewal even though both CF and Certbot itself show that the renewal was processed at exactly 30 days left. Is it because I am using DNS renewal rather than regular HTTP renewal?

Thanks

2 Likes

Hello @5f5l3j569jlfmyl,

Could you please paste the part of the mail you received with the list of affected domains?

I think you are receiving that mail because of one of these certificates:

X3  Final cert  evanmingliu.com          RSA 2048bit  2020-Nov-25 01:25 UTC  2021-Feb-23 01:25 UTC  18 days     evanmingliu.com

X3  Final cert  evanmingliu.com          RSA 2048bit  2020-Nov-24 22:36 UTC  2021-Feb-22 22:36 UTC  18 days     evanmingliu.com
                                                                                                                ide.evanmingliu.com
                                                                                                                metric.evanmingliu.com
                                                                                                                status.evanmingliu.com
                                                                                                                www.evanmingliu.com

X3  Final cert  status.evanmingliu.com   RSA 2048bit  2020-Nov-24 22:36 UTC  2021-Feb-22 22:36 UTC  18 days     status.evanmingliu.com

X3  Final cert  *.evanmingliu.com        RSA 2048bit  2020-Nov-24 20:55 UTC  2021-Feb-22 20:55 UTC  18 days     *.evanmingliu.com

And not because of the certificate that is covering evanmingliu.com and *.evanmingliu.com

Cheers,
sahsanu

2 Likes

Hi Sahsanu,

Sure, here is the email from CF:

Hi,

Cloudflare has observed issuance of the following certificate for evanmingliu.com or one of its subdomains:

Log date: 2021-01-24 07:18:27 UTC
Issuer: CN=R3,O=Let's Encrypt,C=US
Validity: 2021-01-24 06:18:27 UTC - 2021-04-24 06:18:27 UTC
DNS Names: *.evanmingliu.com, evanmingliu.com

And for LE:

Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 22 Feb 21 22:36 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
Integration Guide - Let's Encrypt - Free SSL/TLS Certificates for details.

First email
evanmingliu.com
ide.evanmingliu.com
metric.evanmingliu.com
status.evanmingliu.com
www.evanmingliu.com

Second Email:
*.evanmingliu.com

Third Email:
evanmingliu.com

LE sent out 3 emails with different addresses on the same day and time.

1 Like

The mails you received are for other certificates covering another sub set of domains and not the one you renewed covering exactly evanmingliu.com and *.evanmingliu.com

1 Like
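The matching rule discussed in the replies above (a certificate counts as renewed only when a newer one carries exactly the same set of names), as an added example that is not part of the original thread. The certificate data is transcribed from the listing and the Cloudflare notice quoted here; the function names, the 20-day window and the evaluation date are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# (not_before, not_after, SANs) transcribed from the listing and the
# Cloudflare notice quoted in this thread.
CERTS = [
    (utc("2020-11-25 01:25"), utc("2021-02-23 01:25"), ["evanmingliu.com"]),
    (utc("2020-11-24 22:36"), utc("2021-02-22 22:36"),
     ["evanmingliu.com", "ide.evanmingliu.com", "metric.evanmingliu.com",
      "status.evanmingliu.com", "www.evanmingliu.com"]),
    (utc("2020-11-24 22:36"), utc("2021-02-22 22:36"), ["status.evanmingliu.com"]),
    (utc("2020-11-24 20:55"), utc("2021-02-22 20:55"), ["*.evanmingliu.com"]),
    (utc("2021-01-24 06:18"), utc("2021-04-24 06:18"),
     ["*.evanmingliu.com", "evanmingliu.com"]),
]

def name_set(names):
    return frozenset(n.lower().rstrip(".") for n in names)

def unrenewed(certs, now, window_days=20):
    """Certs expiring within the window with no newer cert for the identical name set."""
    newest = {}
    for nb, _, names in certs:
        key = name_set(names)
        newest[key] = max(nb, newest.get(key, nb))
    limit = now + timedelta(days=window_days)
    return sorted((na, sorted(name_set(names))) for nb, na, names in certs
                  if newest[name_set(names)] == nb and now <= na <= limit)

def covers(san, name):
    """True if a certificate SAN (possibly a one-label wildcard) covers name."""
    if san == name:
        return True
    if san.startswith("*.") and not name.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == san[2:]
    return False

def uncovered_at(names, certs, when):
    """Names that no certificate valid at `when` would cover."""
    live = [s for nb, na, sans in certs if nb <= when <= na for s in name_set(sans)]
    return sorted(n for n in name_set(names) if not any(covers(s, n) for s in live))

if __name__ == "__main__":
    for na, names in unrenewed(CERTS, utc("2021-02-03 12:00")):
        gap = uncovered_at(names, CERTS, na + timedelta(days=1))
        print(na.date(), names, "-> uncovered after expiry:", gap or "none")
```

All four November certificates are reported as unrenewed because none has a successor with the identical name set, yet every name on them stays covered by the wildcard plus apex certificate after they expire.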

OK, that makes sense; those emails are informing me about the addresses I messed up when I was testing with the Production LE servers (which I shouldn't have; that's what Staging is for, my bad).

I see on crt.sh that I did issue a cert for those subdomains on a similar day as I issued my DNS certs

| 2020-11-24 | 2020-11-24 | 2021-02-22 | evanmingliu.com | evanmingliu.com, ide.evanmingliu.com, metric.evanmingliu.com, status.evanmingliu.com |

Just to verify that I will not be getting more expiry emails after this one, since those subdomain certs will expire and only my DNS certs will be valid from this time on.

1 Like

You should receive more mails regarding those certificates when there are 10 days left to expire and when there is 1 day left to expire. Just ignore them.

1 Like

Thank you for the information, assistance and time. :smiley:

I will mark the question as solved. Have a nice day

4 Likes
