I keep receiving emails that my certificate will expire

Hi all. I keep getting emails that my domain will expire from Let’s Encrypt. But, when I go to renew, certbot tells me that I don’t need to renew. Any insights into what’s going on?

Thanks!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.largearcade.com

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.largearcade.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for largearcade.com
http-01 challenge for www.largearcade.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.largearcade.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

My web server is (include version): nginx

The operating system my web server runs on is (include version): Debian

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @spinlock99,

Please read the bottom of the renewal reminder e-mail, which tries to explain this situation. If you can think of a way we could have made it clearer, I’d be glad to hear suggestions.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you’ve obtained a slightly different certificate by adding or removing names. If you’ve replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

This certificate

https://crt.sh/?id=180364632

has been superseded by this one

https://crt.sh/?id=218582369

and therefore the old certificate doesn’t need to be renewed. However, there’s no way for the CA to know this because it doesn’t know whether these certificates are used on the same server or different servers. Therefore, the renewal reminder is for the old certificate, which has not been replaced by an identical certificate (but doesn’t need to be).
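The distinction drawn in the reply above, as an added example that is not part of the original thread and not Let's Encrypt's or certbot's code: the CA side treats only a later certificate with the identical name set as a renewal, while the operator can check whether every name on the expiring certificate is carried by a later one. The inventory, dates, field names and the `window_days` value are constructed for illustration, and the check assumes the newer certificate is the one actually installed on the server.

```python
from datetime import date, timedelta

# Constructed inventory (not data from this thread): SAN set and expiry per cert.
CERTS = [
    {"id": "old", "names": {"www.example.com"}, "not_after": date(2018, 3, 1)},
    {"id": "new", "names": {"example.com", "www.example.com"},
     "not_after": date(2018, 5, 1)},
    {"id": "api", "names": {"api.example.com"}, "not_after": date(2018, 3, 5)},
]


def ca_sends_reminder(cert, certs):
    """CA view: only a later cert with the identical name set counts as a renewal."""
    return not any(o["names"] == cert["names"] and o["not_after"] > cert["not_after"]
                   for o in certs)


def uncovered_names(cert, certs):
    """Operator view: names on this cert that no later-expiring cert carries.

    Exact hostname comparison only; wildcard names are not expanded.
    """
    later = [o["names"] for o in certs if o["not_after"] > cert["not_after"]]
    return cert["names"] - set().union(*later)


def triage(certs, today, window_days=20):
    """Map each cert that would trigger a reminder to 'superseded' or 'renew'.

    'superseded' is only safe to ignore if the newer certificate is the one
    actually deployed (assumption: a single server holds all of them).
    window_days is a hypothetical reminder window, not a value from the page.
    """
    cutoff = today + timedelta(days=window_days)
    verdicts = {}
    for cert in certs:
        if cert["not_after"] > cutoff or not ca_sends_reminder(cert, certs):
            continue
        missing = uncovered_names(cert, certs)
        verdicts[cert["id"]] = "renew" if missing else "superseded"
    return verdicts


if __name__ == "__main__":
    print(triage(CERTS, today=date(2018, 2, 15)))
```

A `renew` verdict means at least one hostname would lose coverage when the certificate expires, so that reminder should not be ignored.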

Gotcha. That makes sense.

It might have been more clear if the email included all domains and certificates tied to me rather than just the one? Honestly, I just recently set up the certificate so I’m still learning.

Thanks!
