I've got certbot set up and working fine. I set it up on October 4 and did two test renewals, so for two months I had a cert like this:
Validity
Not Before: Oct 4 23:28:00 2016 GMT
Not After : Jan 2 23:28:00 2017 GMT
Then, along comes December 4, and certbot did its job:
Validity
Not Before: Dec 4 03:00:00 2016 GMT
Not After : Mar 4 03:00:00 2017 GMT
Looking at the logs, it all seems right:
-rw-r--r-- 1 root root 1483 Dec 3 00:00 letsencrypt.log.43
-rw-r--r-- 1 root root 1483 Dec 3 12:00 letsencrypt.log.42
-rw-r--r-- 1 root root 249563 Dec 4 00:00 letsencrypt.log.41
-rw-r--r-- 1 root root 1483 Dec 4 12:00 letsencrypt.log.40
-rw-r--r-- 1 root root 1483 Dec 5 00:00 letsencrypt.log.39
Select lines from log 41:
2016-12-04 04:00:06,401:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-01-03 00:11:00 UTC.
2016-12-04 04:00:06,401:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
...
_a lot of renewal activity_
...
2016-12-04 04:00:30,206:DEBUG:certbot.renewal:no renewal failures
The current cert in the live directory is the one renewed on December 4, and it is working and has all the right alternative names.
So my question then is, why have I received the following messages?
From: Let's Encrypt Expiry Bot expiry@letsencrypt.org
Subject: Let's Encrypt certificate expiration notice
Date: Wed, 14 Dec 2016 19:23:43 +0000
Hello,
Your certificate (or certificates) for the names listed below will expire in 18 days (on 02 Jan 17 01:19 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
And
From: Let's Encrypt Expiry Bot expiry@letsencrypt.org
Subject: Let's Encrypt certificate expiration notice
Date: Fri, 23 Dec 2016 01:16:44 +0000
Hello,
Your certificate (or certificates) for the names listed below will expire in 10 days (on 02 Jan 17 01:19 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
Note how the email quotes the original expiry time. But my actual installed certificates are current and good until March.
Apache is using the current certificates. I've got my own custom hook and I've tested that it is run by systemd's invocation of certbot (now; it wasn't actually run when the certificates renewed, so until just a few minutes ago one of my non-Apache services was still serving the previous version of the cert, expiring in January, but I doubt your service that sent the email knew that or cared).
echo | openssl s_client -connect jacknife.org:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Dec 4 03:00:00 2016 GMT
notAfter=Mar 4 03:00:00 2017 GMT
Is the renewal email in error and spurious? Or is something really wrong?
My primary domain is jacknife.org.