Invalid certificate expiration notice email

My domain is:

daveandlaura.org blog.daveandlaura.org boxes.daveandlaura.org carrollrd.daveandlaura.org www.daveandlaura.org

I ran this command:

sudo certbot certificates

It produced this output:

Found the following certs:
Certificate Name: daveandlaura
Domains: daveandlaura.org blog.daveandlaura.org boxes.daveandlaura.org carrollrd.daveandlaura.org www.daveandlaura.org
Expiry Date: 2020-07-30 23:00:18+00:00 (VALID: 70 days) # <— Actual expiration date
Certificate Path: /etc/letsencrypt/live/daveandlaura/fullchain.pem
Private Key Path: /etc/letsencrypt/live/daveandlaura/privkey.pem

My web server is (include version):

Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

I received an email message stating that my daveandlaura.org domains are about to expire.
Message:

Hello,
Your certificate (or certificates) for the names listed below will expire in 10 days (on 31 May 20 18:26 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

blog.daveandlaura.org
daveandlaura.org
www.daveandlaura.org

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can’t provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you’ve obtained a slightly different certificate by adding or removing names.

If you’ve replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=30850198&id=42b0423748cb4f1eb81ae6c98b5bee8f.Oz2fkGmnJWabP6STrexIl9Il4yk%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dd%2A%2A%2A%2A%40d%2A%2A%2A%2A.%2A%2A%2A

Regards,
The Let’s Encrypt Team

As you can see from the certbot output above, those domains don’t expire until 2020-07-20, 70 days from now.

So, I don’t understand why I have received this email.
Input appreciated.

Thanks,
D.

1 Like

If you’ve replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

Your current certificate has 2 more subdomains than the one in the email.

1 Like

I believe I re-issued the original, adding the additional subdomains (hosts, actually).
Why would Lets Encrypt still have the old certificate?
This is the command I used:
certbot
certonly
–cert-name daveandlaura
–agree-tos
–apache
-d daveandlaura.org
-d blog.daveandlaura.org
-d www.daveandlaura.org
Thanks.

1 Like

Let’s Encrypt has a record of every certificate they’ve ever issued. The expiration emails are based on those records. They don’t know what certificates you’re actually using, or whether you’ve replaced one with another.

(Certbot, your ACME client, might know that you’ve replaced one certificate with another, but that information is not available to the CA.)

Therefore you’re getting emailed about the old certificate(s).

https://crt.sh/?Identity=daveandlaura.org&deduplicate=Y

1 Like

Okay. That makes a certain amount of sense.
Is there any way to “inform” Let’s Encrypt that the previous certificate is no longer in use?
Emails like this are worse than noise because when you get one you have to take the time to double-check the actual state of your certificates.

Thanks.

1 Like