Is my certificates really expired today? ssl-cert-check says Valid Sep 9 2017

Hello!

Is there somekind of bug?

I got today this message.

Your certificate (or certificates) for the names listed below will expire in
0 days (on 11 Jul 17 14:28 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

And I run example this
/etc/letsencrypt/archive/eco-toimistotarvikkeet.fi ssl-cert-check -c cert8.pem

FILE:cert8.pem Valid Sep 9 2017 60

I run this command every sites and non of them expired

So can anyone check is my certificates really expired today or not?







static.kassakaappi.net

template.eco-toimistotarvikkeet.fi
template.kassakaappi.net
template.proficient.fi


www.kassakaappi.net

I run certbot-auto renew
and here is result none of these sites are expired.


Processing /etc/letsencrypt/renewal/hiekkalaatikko.kassakaappi.net.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/eco-toimistotarvikkeet.fi.conf

Cert not yet due for renewal


Processing
/etc/letsencrypt/renewal/hiekkalaatikko.eco-toimistotarvikkeet.fi.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/static.eco-toimistotarvikkeet.fi.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/proficient.fi.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/template.proficient.fi.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/hiekkalaatikko.proficient.fi.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/kassakaappi.net.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/template.kassakaappi.net.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/static.proficient.fi.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/template.eco-toimistotarvikkeet.fi.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/static.kassakaappi.net.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/hiekkalaatikko.kassakaappi.net/fullchain.pem (skipped)
/etc/letsencrypt/live/eco-toimistotarvikkeet.fi/fullchain.pem (skipped)
/etc/letsencrypt/live/hiekkalaatikko.eco-toimistotarvikkeet.fi/fullchain.pem (skipped)
/etc/letsencrypt/live/static.eco-toimistotarvikkeet.fi/fullchain.pem (skipped)
/etc/letsencrypt/live/proficient.fi/fullchain.pem (skipped)
/etc/letsencrypt/live/template.proficient.fi/fullchain.pem (skipped)
/etc/letsencrypt/live/hiekkalaatikko.proficient.fi/fullchain.pem (skipped)
/etc/letsencrypt/live/kassakaappi.net/fullchain.pem (skipped)
/etc/letsencrypt/live/template.kassakaappi.net/fullchain.pem (skipped)
/etc/letsencrypt/live/static.proficient.fi/fullchain.pem (skipped)
/etc/letsencrypt/live/template.eco-toimistotarvikkeet.fi/fullchain.pem (skipped)
/etc/letsencrypt/live/static.kassakaappi.net/fullchain.pem (skipped)
No renewals were attempted.

Yours Timo

You’re correct, at least for the few I spot-checked. That email is referring to certificates you generated previously (on April 12 for the first and last ones, and probably the rest as well)

Example: https://crt.sh/?id=117608596

Note that this email will be sent for any certificates expiring, regardless of whether or not you renewed them. Since you did, you don’t need to worry about it.

That's not quite true, we don't email about expiration for renewed certificates. The expiration email documentation explains more verbosely about When You Get an Expiration Email:

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

Since the set of names on the certificates changed between some of these issuances, they aren't renewals and so they get an expiration email when approaching their "not after" date.

Hope that helps clarify,

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.