Keep getting email warning of expiry but certbot renewed the cert 18 days ago

I've got certbot set up and working fine. I set it up on October 4 and did two test renewals so for two months I had a cert like this:

        Validity
        Not Before: Oct  4 23:28:00 2016 GMT
        Not After : Jan  2 23:28:00 2017 GMT

Then, along comes December 4, and certbot did its job:

        Validity
        Not Before: Dec  4 03:00:00 2016 GMT
        Not After : Mar  4 03:00:00 2017 GMT

Looking at the logs, it all seems right:

    -rw-r--r--  1 root root   1483 Dec  3 00:00 letsencrypt.log.43
    -rw-r--r--  1 root root   1483 Dec  3 12:00 letsencrypt.log.42
    -rw-r--r--  1 root root 249563 Dec  4 00:00 letsencrypt.log.41
    -rw-r--r--  1 root root   1483 Dec  4 12:00 letsencrypt.log.40
    -rw-r--r--  1 root root   1483 Dec  5 00:00 letsencrypt.log.39

Select lines from log 41:

    2016-12-04 04:00:06,401:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-01-03 00:11:00 UTC.
    2016-12-04 04:00:06,401:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...

...
_a lot of renewal activity_
...

    2016-12-04 04:00:30,206:DEBUG:certbot.renewal:no renewal failures

The current cert in the live directory is the one renewed on December 4, and it is working and has all the right alternative names.

So my question then is, why have I received the following messages :slight_smile:

From: Let's Encrypt Expiry Bot expiry@letsencrypt.org
Subject: Let's Encrypt certificate expiration notice
Date: Wed, 14 Dec 2016 19:23:43 +0000

Hello,

Your certificate (or certificates) for the names listed below will expire in 18 days (on 02 Jan 17 01:19 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

And

From: Let's Encrypt Expiry Bot expiry@letsencrypt.org
Subject: Let's Encrypt certificate expiration notice
Date: Fri, 23 Dec 2016 01:16:44 +0000

Hello,

Your certificate (or certificates) for the names listed below will expire in 10 days (on 02 Jan 17 01:19 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

Note how the email quotes the original expiry time. But my actual installed certificates are current and good until March.

Apache is using the current certificates. I've got my own custom hook and I've tested that it is run by systemd's invocation of certbot (now; it wasn't actually run when the certificates renewed so until just a few minutes ago one of my non-Apache services was still serving the previous version of the cert, expiring in January, but I doubt your service that sent the email knew that or cared :slight_smile:).

    echo | openssl s_client -connect jacknife.org:443 2>/dev/null | openssl x509 -noout -dates
    notBefore=Dec  4 03:00:00 2016 GMT
    notAfter=Mar  4 03:00:00 2017 GMT

Is the renewal email in error and spurious? Or is something really wrong? :slight_smile:

My primary domain is jacknife.org.

The first cert you obtained did not include some mail related subdomains. For renewal purposes the system treats this separately to the other 3 certs.
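
The behaviour described in the reply above, as an added example that is not part of the thread and not Let's Encrypt's code: it assumes a certificate counts as renewed only when a newer certificate exists for exactly the same set of names. The names, serials, issuance times and the `warn_days` threshold are constructed assumptions chosen to mirror the thread's timeline.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
LIFETIME = timedelta(days=90)  # validity period seen in the thread's certs

# Constructed issuance history; names, serials and times are hypothetical.
ISSUED = [
    {"serial": "A", "not_before": datetime(2016, 10, 4, 1, 19, tzinfo=UTC),
     "names": ["example.org", "www.example.org"]},
    {"serial": "B", "not_before": datetime(2016, 10, 4, 23, 28, tzinfo=UTC),
     "names": ["example.org", "www.example.org", "mail.example.org"]},
    {"serial": "C", "not_before": datetime(2016, 12, 4, 3, 0, tzinfo=UTC),
     "names": ["WWW.example.org", "mail.example.org", "example.org"]},
]

def name_key(names):
    """Order- and case-insensitive identity of a certificate's name set."""
    return frozenset(n.lower().rstrip(".") for n in names)

def expiry_notices(certs, now, warn_days=20):
    """Certs nearing expiry with no newer cert for the *same* name set.

    warn_days is an assumed threshold, not a documented value.
    """
    newest = {}
    for c in certs:
        k = name_key(c["names"])
        if k not in newest or c["not_before"] > newest[k]["not_before"]:
            newest[k] = c
    notices = []
    for k, c in newest.items():
        not_after = c["not_before"] + LIFETIME
        days_left = (not_after - now).days
        if not 0 <= days_left <= warn_days:
            continue
        # Later-expiring certs whose names strictly include this set: the
        # names stay served, but this lineage still counts as unrenewed.
        covering = [o["serial"] for o in certs
                    if k < name_key(o["names"])
                    and o["not_before"] + LIFETIME > not_after]
        notices.append({"serial": c["serial"], "days_left": days_left,
                        "not_after": not_after, "covered_by": covering})
    return notices

if __name__ == "__main__":
    for n in expiry_notices(ISSUED, datetime(2016, 12, 14, 19, 23, tzinfo=UTC)):
        print(n)
```

A notice with a non-empty `covered_by` list is the situation in this thread: the names are still served by a later certificate, so the warning can be ignored once the name lists have been compared.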

That makes perfect sense. Unfortunately it was not obvious to me because the list of domains in the email was only slightly different than the actual list (and my memory faded after 2 months).

I’m not sure I have a suggestion on how to make it more obvious, though, either :slight_smile:

Thanks!
