I received an email from expiry@letsencrypt.org with the subject "Let's Encrypt certificate expiration notice for domain "femtotech.it"" and the following content:
Your certificate (or certificates) for the names listed below will expire in 6 days (on 2024-08-03)
But when I tried to renew my certificate on that domain it says it will expire on 2024-10-03, see below the details.
My domain is: femtotech.it
I ran this command: certbot renew
It produced this output:
Processing /etc/letsencrypt/renewal/femtotech.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/femtotech.it/fullchain.pem expires on 2024-10-03 (skipped)
No renewals were attempted.
My web server is (include version): nginx v1.18.0
The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): v1.21.0
Hi! Compare the list of names in the email and the list of names in your active certificate. Read the second and third sentences in the When You Get an Expiration Email section. Here they are:
We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate.
I'm pretty new to Let’s Encrypt but if I understood correctly:
the email contains this name only: femtotech.it.
My certificate:
# certbot certificates | grep Name
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate Name: femtotech.it
Hence it seems both the email and the active certificate have only one name and it is the same.
Actually I don't remember adding or removing other names; this is the only domain I have.
Ah ok, it makes sense now. Yes I have two domains: femtotech.it and www.femtotech.it, but since we talked about "Names" there is only one name field in the certificate, hence my difficulty in understanding!
The field that matters here is "subject alternative names" (SANs), not "common name" (CN). The "common name" field has technically been obsolete for over two decades.
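Added example (not part of any post in this thread): "Certificate Name" in certbot output is only the lineage label, while the "Domains:" line lists the SANs that Let's Encrypt compares. This sketch parses `certbot certificates` output and applies the "exact same set of names" rule quoted above; the sample output is constructed and assumes the active certificate covers both femtotech.it and www.femtotech.it.

```python
import re

# Constructed sample of `certbot certificates` output (not copied from the thread).
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: femtotech.it
    Serial Number: 0123456789abcdef (constructed)
    Key Type: RSA
    Domains: femtotech.it www.femtotech.it
    Expiry Date: 2024-10-03 08:00:00+00:00 (VALID: 67 days)
    Certificate Path: /etc/letsencrypt/live/femtotech.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/femtotech.it/privkey.pem
"""

def parse_lineages(text):
    """Map each Certificate Name (lineage label) to the set of SANs on its Domains line."""
    lineages, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = frozenset()
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current:
            lineages[current] = frozenset(n.lower() for n in m.group(1).split())
    return lineages

def explain_notice(email_names, lineages):
    """Compare the names in an expiry email with each local lineage.

    Returns (exact, overlap): lineages whose name set equals the email's set
    (these count as a renewal) and lineages that only share some names
    (the old certificate is still treated as unrenewed)."""
    wanted = frozenset(n.lower() for n in email_names)
    exact = sorted(k for k, v in lineages.items() if v == wanted)
    overlap = sorted(k for k, v in lineages.items() if v != wanted and v & wanted)
    return exact, overlap

if __name__ == "__main__":
    certs = parse_lineages(SAMPLE_OUTPUT)
    exact, overlap = explain_notice(["femtotech.it"], certs)
    print("same name set (counts as renewed):", exact)
    print("different name set (old cert still triggers the email):", overlap)
```

On a real host, feed the function the captured output of `certbot certificates` instead of the sample string.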