Got email notitifcations about upcoming expiration but certbot-auto states 'not yet due for renewal'

psko · April 8, 2020, 5:34pm

Hi,

I got a second notification today (1st was one week ago) from let’s encrypt that states
“Your certificate (or certificates) for the names listed below will expire in 10 days (on 18 Apr 20 04:55 +0000)”

Whereas certbot-auto for like a month or so says it is not yet for renewal. I don’t know where’s the problem then? Cert served by my apache2 server correctly reports that cert’s expiration date is 21 May 2020. The exactly the same date is reported by certbot-auto (2020-05-21). So, either I don’t get something, or notification email was sent erroneously as it would not pick up last renewal?

My domain is:
adfinem.net (main domain, there are some more domains attached to the same cert)

I ran this command:
certbot-auto renew --allow-subset-of-names

It produced this output:
Cert not yet due for renewal
The following certs are not due for renewal yet:
…/fullchain.pem expires on 2020-05-21 (skipped)
No renewals were attempted.

My web server is (include version):
Apache2

The operating system my web server runs on is (include version):
Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:
Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no, I’m using ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot-auto: certbot 1.3.0

mnordhoff · April 8, 2020, 5:48pm

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

You have an older certificate with fewer names.

You should be very careful about using that option. What if there's some kind of brief outage right while Certbot is running a renewal and half of the names are lost?

psko · April 8, 2020, 6:41pm

OK, that explains a lot! Thanks!

I assume "–allow-subset-of-names" is not an atomic operation, i.e. not enforced/protected by certbot script? So, what is the alternative? Having a separate cert of each domain?

mnordhoff · April 8, 2020, 6:54pm

What's your goal? The purpose of --allow-subset-of-names is to remove names that fail validation. It might be expected (you intentionally took down a website) or unexpected (brief DNS outage) but Certbot will remove them either way.

psko · April 8, 2020, 7:06pm

OK, I’m fine. Thanks for helping me!

system · May 8, 2020, 7:18pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.