Getting spurious expiration notices

It seems people frequently run into the situation where LE says a domain (or several) are expiring in N days, and to renew, but when they look at it, the cert has plenty of time left. The result is invariably that the email is telling them about a different domain that's expiring and didn't get renewed.

I've gotten a few emails lately that were unexpected, since my certs renew automatically pretty reliably. I checked my certs by looking at them in Safari’s cert inspector, and saw that they expire months from now.

But I just got another email (two actually) saying they expire in 0 days:

Hello,

Your certificate (or certificates) for the names listed below will expire in 0 days (on 2024-06-04). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

latencyzero.com
latencyzero.llc
www.latencyzero.com
www.latencyzero.llc

For details about when we send these emails, please visit: https://letsencrypt.org/docs/expiration-emails/ In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.

To learn more about the latest technical and organizational updates from Let's Encrypt, sign up for our newsletter: https://letsencrypt.org/opt-in/

If you are receiving this email in error, unsubscribe at:
 <redacted>
Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.

Regards,
The Let's Encrypt Team

I checked all the certs using some online SSL checker. They all expire in 60 days. So what, precisely, should I be looking for?

A certificate you probably replaced.

3 Likes

Ah I see. It would be nice if the emails included the certificate serial number or some other unambiguous identifier.

Will the emails for this particular cert stop?

You created certs earlier with one to five domain names. You later created a cert with six domain names and renewed that successfully.

Let's Encrypt is warning about those earlier certs that were not renewed. For your purposes the more recent certs with more names are probably a replacement. But LE cannot know that you might have still used those older certs. That is why you get the warning email. See your cert history with a tool like the one below:

https://tools.letsdebug.net/cert-search?m=domain&q=latencyzero.com&d=4320

5 Likes
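As an added example (not code from this thread or from Let's Encrypt), the sketch below triages a certificate history like the one the search tool above returns: it separates expiring certificates whose names all appear on a newer certificate from those with a name that nothing newer covers. The history, the placeholder serials and the 30-day window are constructed, and matching is on exact names only (no wildcard handling).

```python
from datetime import date, timedelta

# Constructed certificate history (not real CT data); serials are placeholders.
HISTORY = [
    {"serial": "CONSTRUCTED-01", "names": {"example.com", "www.example.com"},
     "not_before": date(2024, 3, 6), "not_after": date(2024, 6, 4)},
    {"serial": "CONSTRUCTED-02",
     "names": {"example.com", "www.example.com", "mail.example.com"},
     "not_before": date(2024, 5, 5), "not_after": date(2024, 8, 3)},
    {"serial": "CONSTRUCTED-03", "names": {"old.example.com"},
     "not_before": date(2024, 3, 8), "not_after": date(2024, 6, 6)},
]

def triage(history, today, window_days=30):
    """Classify certificates that expire within the window.

    'renewed'   : a newer cert carries the identical name set
    'replaced'  : the name set changed, but every name is on some newer
                  cert that outlives the window (the notice can be ignored)
    'uncovered' : at least one name is on no newer cert (act on the notice)
    """
    horizon = today + timedelta(days=window_days)
    result = {}
    for cert in history:
        if not (today <= cert["not_after"] <= horizon):
            continue
        newer = [c for c in history
                 if c["not_before"] > cert["not_before"]
                 and c["not_after"] > horizon]
        if any(c["names"] == cert["names"] for c in newer):
            status, missing = "renewed", set()
        else:
            covered = set().union(*(c["names"] for c in newer))
            missing = cert["names"] - covered
            status = "uncovered" if missing else "replaced"
        result[cert["serial"]] = (status, sorted(missing))
    return result

if __name__ == "__main__":
    for serial, (status, missing) in triage(HISTORY, date(2024, 6, 4)).items():
        print(serial, status, missing)
```
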

This has been mentioned quite a few times, but unfortunately the Let's Encrypt team has decided in the past not to do this. Unfortunately the emails contain a list of hostnames without any separation between the different certificates.

Personally I'd like to see a list of certificates with serial number and the hostnames per certificate.

4 Likes

Yeah, it's interesting that the email from the Staging system is formatted differently. I find having all this info together is clearer than the production system email. That one has the date and days in the leading sentence and the list of names later on without any title.

Details:
DNS Names: example.com
www.example.com
Expiration Date: 2024-05-16
Days to Expiration: 20

5 Likes
3 Likes
