LE Expiry bot reporting incorrect expiry dates

I have LE installed on Ubuntu Server 14.04 LTS for a few domains and the Expiry bot has been misreporting the expiry dates of the certificates. For example, I got an email this morning that certificates for two domains (certs are for both root domain and www domain) are expiring in 0 days.

I have an automated cron job for LE, so I checked the le-renew.log file and found both these domains had failed to renew:

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain01.org.in/fullchain.pem (failure)
/etc/letsencrypt/live/www.domain01.org.in/fullchain.pem (failure)
/etc/letsencrypt/live/domain02.org.in/fullchain.pem (failure)
/etc/letsencrypt/live/www.domain02.org.in/fullchain.pem (failure)

Next, I ran certbot certificates and found that the cert for domain01 was valid for another 6 days and that for domain02 was valid for another 23 days! These validity dates also match what I see in the browser.

Certificate Name: domain01.org.in
Domains: domain01.org.in
Expiry Date: 2017-12-15 12:29:00+00:00 (VALID: 6 days)
Certificate Path: /etc/letsencrypt/live/domain01.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain01.org.in/privkey.pem
Certificate Name: www.domain01.org.in
Domains: www.domain01.org.in
Expiry Date: 2017-12-15 12:33:00+00:00 (VALID: 6 days)
Certificate Path: /etc/letsencrypt/live/www.domain01.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.domain01.org.in/privkey.pem

Certificate Name: domain02.org.in
Domains: domain02.org.in
Expiry Date: 2018-01-01 11:06:14+00:00 (VALID: 23 days)
Certificate Path: /etc/letsencrypt/live/domain02.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain02.org.in/privkey.pem
Certificate Name: www.domain02.org.in
Domains: www.domain02.org.in
Expiry Date: 2018-01-01 11:22:59+00:00 (VALID: 23 days)
Certificate Path: /etc/letsencrypt/live/www.domain02.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.domain02.org.in/privkey.pem

Can anyone here explain why the LE expiry bot is misreporting the dates?

Also, any suggestions for why the cert renewals are failing?

For what it’s worth, I have run apt-get update and apt-get upgrade, which seemed to include a bunch of Python-related stuff that certbot relies on, but I haven’t yet force-renewed the certs themselves, as I am more curious about the discrepancy between the LE expiry bot dates and what the certbot certificates command shows.

Thanks in advance.

It seems you have multiple valid certs for your domains and some of them are expiring.
You may no longer be using some of them but the “expiry email system” has no way of knowing which certs are no longer being used.

Thanks. I do have multiple valid certs for my domains, but I am not sure that some are expiring earlier (for example, cert for www domain expiring earlier or later than the cert for root domain) because, if you look at the output of certbot certificates, it shows the expiry dates for all the domains (root and www domains) being the same. This contradicts the expiry dates indicated by the expiry bot and is what prompted my original question.

You don’t seem to be understanding me clearly.
You must have issued multiple valid certs for the exact same domain name.
One of them is expiring, one of them hasn’t yet expired.
This situation may be occurring multiple times for your multiple domains.
But the problem remains the same: you have been issued a valid expiring cert for “domain.com” and are using another valid cert for “domain.com”.
…which explains the email received.

Now as for the renewal "(failure)"s, that is another problem that needs to be addressed; but is probably unrelated to the expiry email.
For that, please show more detail on the failure reason from the LE log file.

When starting a thread in the “Help” category, the forum asks a bunch of questions; the “Server” category unfortunately doesn’t. Could you fill this out?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

If your le-renew.log file contains “certbot renew”'s output, the /var/log/letsencrypt/ directory will contain more extensive log files.

The expiration emails with the unexpected dates – explained by rg305 – and the failure to renew are separate issues though.

Certbot normally starts trying to renew certificates when they have 30 days left, so if it’s been failing for 24+ days, with dozens of renewal attempts, there’s definitely more than a temporary error.
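An added example, not written by anyone in this thread, that models in Python the two separate mechanisms discussed above: Certbot's default 30-day renewal threshold, and the expiry mailer's rule of reporting any certificate still in its notice window unless a later certificate with the identical set of names has been issued. The 20-day notice window, the `would_email` rule and the issuance history are constructed for illustration and are not the real mailer's code; the dates loosely follow the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30   # Certbot's default renewal threshold
MAILER_WINDOW_DAYS = 20  # assumed: first expiry notice goes out at 20 days

def ts(*ymdhm):  # aware UTC timestamp from (year, month, day, hour, minute)
    return datetime(*ymdhm, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:
    names: frozenset      # the exact set of FQDNs on the certificate
    not_before: datetime
    not_after: datetime

def days_left(cert, now):
    return (cert.not_after - now).days

def needs_renewal(cert, now):
    """Certbot default: attempt renewal once fewer than 30 days remain."""
    return days_left(cert, now) < RENEW_BEFORE_DAYS

def would_email(cert, issued, now):
    """Simplified model of the expiry mailer: a cert inside the notice window
    is reported unless a LATER cert with the identical name set exists. Two
    one-name certs never match an old two-name cert, so that one keeps mailing."""
    if not 0 <= days_left(cert, now) <= MAILER_WINDOW_DAYS:
        return False
    return not any(c.names == cert.names and c.not_before > cert.not_before
                   for c in issued)

def report(issued, now):
    """One row per cert: names, days left, renewal due?, notice expected?"""
    return [(",".join(sorted(c.names)), days_left(c, now),
             needs_renewal(c, now), would_email(c, issued, now))
            for c in issued]

# Constructed account history, loosely following the dates in the thread.
NOW = ts(2017, 12, 9, 8, 0)
ISSUED = [
    # old combined cert, never reissued with both names -> still emailed
    Cert(frozenset({"domain01.org.in", "www.domain01.org.in"}),
         ts(2017, 9, 10, 12, 0), ts(2017, 12, 9, 12, 0)),
    # the live single-name cert that certbot now reports (6 days left)
    Cert(frozenset({"domain01.org.in"}), ts(2017, 9, 16, 12, 29), ts(2017, 12, 15, 12, 29)),
    # superseded domain02 cert: a newer identical-name cert silences it
    Cert(frozenset({"domain02.org.in"}), ts(2017, 9, 20, 0, 0), ts(2017, 12, 19, 0, 0)),
    # current domain02 cert (23 days): renewal already due, no notice yet
    Cert(frozenset({"domain02.org.in"}), ts(2017, 10, 3, 11, 6), ts(2018, 1, 1, 11, 6)),
]
```

Running `report(ISSUED, NOW)` shows the old combined cert at 0 days still generating a notice while the 6-day live cert is already overdue for renewal, which is why the email and certbot certificates disagree without either being wrong.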

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.