Got certificate expiry emails near term that's not due for renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sme62.org, www.sme62.org

I ran this command: n/a

It produced this output: n/a

My web server is (include version): n/a

The operating system my web server runs on is (include version): n/a

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

(1) I got an email on Nov 7 saying the certificate for only these two domains is due on Nov 27:

sme62.org
www.sme62.org

(2) I got an email today (Nov 15) saying the certificate for these domains is due on Nov 25:

enfeedia.com
keligo.com
llgorman.com
packetstacks.com
saddlebrookeranch.org
**sme62.org**
storiesofpetsbypetsforpets.com
www.enfeedia.com
www.keligo.com
www.llgorman.com
www.packetstacks.com
www.saddlebrookeranch.org
**www.sme62.org**
www.storiesofpetsbypetsforpets.com

Note that it includes the sme62.org and www.sme62.org domains (shown in bold). That seems to suggest I can ignore renewal notice email (1).

(3) About two weeks ago, I added two domains to the immediately above certificate, by listing all the domains of (2) and tacking on, so to speak, these domains:

womenofaction.club
www.womenofaction.club

I did a dry-run renewal and got the following list of domains; note the ones in bold.

enfeedia.com
keligo.com
llgorman.com
packetstacks.com
saddlebrookeranch.org
sme62.org
storiesofpetsbypetsforpets.com
womenofaction.club

www.enfeedia.com
www.keligo.com
www.llgorman.com
www.packetstacks.com
www.saddlebrookeranch.org
www.sme62.org
www.storiesofpetsbypetsforpets.com
www.womenofaction.club

No domains were removed. The dry-run for this certificate shows it's not due for renewal until Jan 2, 2023.

I read some help file that says if I simply add a domain or domains to an existing certificate and include all the other domains currently on the certificate, I can ignore any expiration notice for the certificate that was prior to this addition. That seems to suggest I can ignore the renewal notice email (1) and (2).

(I'm puzzled why the domains in (1) are shown expiring but the others on the same certificate (2) are not listed in (1). There was never a time when the domains in (1) appeared by themselves on a certificate. Said another way, the first time I applied for a certificate, all the domains in (2) were included.)

I need firm confirmation that I can ignore the expiration notices for (1) and (2), the logic being that all the domains I want included in a certificate are listed in the dry run of (3).

Thank you for your help, always appreciated.

Ken

2 Likes

Welcome Back to the Let's Encrypt Community, Ken! :slightly_smiling_face:

4 Likes

Thank you, that was perfect.

I checked each domain (using Chrome) and all renew 1.2.2023. All have the same Common Name, which I know to be correct. Question: The Common Name is one of the domain names listed in the certificate. Is it fair to say I can update the certificate to remove any domain except the one that is the Common Name?

2 Likes

The common name field on a certificate has been officially obsolete for over 20 years now. The set of subject alternative names (SANs) is what matters. The SAN set should always include the common name.

https://groups.google.com/a/chromium.org/g/security-dev/c/IGT2fLJrAeo/m/csf_1Rh1AwAJ

4 Likes

No; those are two very different certificates.
You need to read the email closer.

Only you can confirm that.
I'd start by rereading the email and visiting the site https://crt.sh/ and if you use certbot, run `certbot certificates` to cross-check what you now actually have (and can use) with what's being noticed to be expiring soon via those emails.

3 Likes

Or try using this site. With many names in cert it shows them better
https://tools.letsdebug.net/cert-search?m=domain&q=sme62.org&d=2160

5 Likes

Good link Mike!

4 Likes

(I like Mike's link very much also!)

Because the certificate that expires in 47 days subsumes all the domains that appear in the certificates that expire in 9 and 11 days (which is all the domains I want on the certificate), I believe the only action I need to take is to renew the certificate that expires in 47 days when it becomes renewable. And just ignore those two certificates expiring very soon. Please confirm.

1 Like

I have no way to confirm.
I can only agree/disagree with your findings.
At this point, given: That you are NOT using any certs with any of these names anywhere else, I would have to agree with your conclusion.

4 Likes
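The cross-check discussed above (expiry notices compared against what `certbot certificates` reports), as an added example that is not part of the original thread. The certbot output is a constructed sample: the lineage name, path, clock times and the year of the notice dates are assumptions, and `parse_lineages` and `uncovered_names` are hypothetical helper names. Names are matched exactly, so wildcards are not handled.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout printed by `certbot certificates`.
# Lineage name, path and clock times are placeholders, not from the thread.
BASE = ["enfeedia.com", "keligo.com", "llgorman.com", "packetstacks.com",
        "saddlebrookeranch.org", "sme62.org",
        "storiesofpetsbypetsforpets.com", "womenofaction.club"]
ALL_NAMES = BASE + ["www." + d for d in BASE]
CERTBOT_OUTPUT = f"""Found the following certs:
  Certificate Name: example-lineage
    Domains: {' '.join(ALL_NAMES)}
    Expiry Date: 2023-01-02 12:00:00+00:00 (VALID: 47 days)
    Certificate Path: /etc/letsencrypt/live/example-lineage/fullchain.pem
"""

def parse_lineages(text):
    """Return [(name, set_of_domains, expiry)] for each managed certificate."""
    lineages = []
    for block in re.split(r"(?m)^\s*Certificate Name:\s*", text)[1:]:
        name = block.splitlines()[0].strip()
        domains = re.search(r"(?m)^\s*Domains:\s*(.+)$", block)
        expiry = re.search(r"(?m)^\s*Expiry Date:\s*(\S+ \S+)", block)
        if not domains or not expiry:
            continue  # skip entries certbot could not fully describe
        when = datetime.fromisoformat(expiry.group(1))
        lineages.append((name, set(domains.group(1).lower().split()), when))
    return lineages

def uncovered_names(notice_names, notice_expiry, lineages):
    """Names from an expiry e-mail that no later-expiring managed
    certificate covers. An empty list means the notice refers to a
    certificate that has been superseded."""
    remaining = {n.lower() for n in notice_names}
    for _name, domains, expiry in lineages:
        if expiry > notice_expiry:
            remaining -= domains
    return sorted(remaining)

LINEAGES = parse_lineages(CERTBOT_OUTPUT)
# Notice dates from e-mails (1) and (2); the year is assumed.
NOTICE_1 = (["sme62.org", "www.sme62.org"],
            datetime(2022, 11, 27, tzinfo=timezone.utc))
NOTICE_2 = ([n for n in ALL_NAMES if "womenofaction" not in n],
            datetime(2022, 11, 25, tzinfo=timezone.utc))

if __name__ == "__main__":
    for names, expiry in (NOTICE_1, NOTICE_2):
        print(expiry.date(), uncovered_names(names, expiry, LINEAGES) or "superseded")
```

An empty result only shows that the names are covered on this machine; a certificate with the same names that is still deployed on another host is a separate question the script cannot answer.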

Thank you. (Certs only being used with Let's Encrypt, i.e. I'm only "cert-ing" with Let's Encrypt.) :slight_smile:

Ken

1 Like
