Let's Encrypt/Certbot Disagreement - Expiration Warning Email

I received an email from Let’s Encrypt warning that my certificate for admin.electronicvisions.com will expire on Sep 17.
When I run “certbot certificates” to see when my certs will expire, I got this:
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: admin.electronicvisions.com
Domains: admin.electronicvisions.com,mail.electronicvisions.com
Expiry Date: 2017-11-15 15:25:00+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/admin.electronicvisions.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/admin.electronicvisions.com/privkey.pem
-------------------------------------------------------------------------------

Since, as I understand it, all Let’s Encrypt certs are for 90 days, this one must have been renewed more than two weeks ago. So what is going on here?

Is my cert really going to expire? If so, why does my local system think otherwise? If not, why does Let’s Encrypt seem to think otherwise? I am very confused and, having evacuated from my coastal city in Central Florida, I don’t know if I will even be allowed to go home before the expiration date, so I’d REALLY like to resolve this before power is lost and I can still get a remote shell to fix whatever I need to fix!

(PS: 4-5 leading spaces for pre-formatted text on this message board doesn’t seem to be working!)

Hi @nurbles,

I believe you are seeing an expiration notice for this certificate that only covered admin.electronicvisions.com. The certificate your software has been renewing is for admin.electronicvisions.com and mail.electronicvisions.com.

We explain why this warning was sent in our expiration email docs:

We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

I don't believe you will need to do anything and you can safely ignore the expiration email since it's for a certificate you've replaced.

Best of luck with the evacuation. I can only imagine how stressful that must be. :heart:


Thanks, I was matching the cert NAME with the name given in the email and they match exactly. Silly me for thinking the names had value.

As for Irma … we just keep praying that she goes far enough East to leave the houses intact. Power failures and a broken window are livable, but Irma could make things a whole lot worse than that if she’s too close to shore (or worse, right over it!)

Thanks for the good luck wishes, and the explanation.


I'm afraid not. Certbot tries to pick a decent name, but it doesn't matter in any technical way, and Let's Encrypt the CA doesn't even know it.

You could have used "--cert-name something-silly" when creating the certificate, if you wanted to.

Certbot defaults to naming a new certificate after the first name you passed on the command line. The Let's Encrypt warning email Subject seems to use the first name alphabetically in the certificate (or the certificate's Common Name?), which is often the same thing, but not always.

Good luck and stay safe. I'm north of Orlando, far from the coast. We may have power outages and some damage, but no evacuations, at least.

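The renewal rule quoted from the expiration email docs, together with the later point that Certbot's certificate name plays no part in it, as an added example that is not part of the original thread and is not Let's Encrypt's or Certbot's code. The records, the 30-day window and the function names are constructed for illustration, and "newer" is approximated by a later expiry date.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed records modelled on the thread. "lineage" is Certbot's local
# --cert-name label; "names" are the DNS names inside the certificate.
CERTS = [
    {"lineage": "admin.electronicvisions.com",
     "names": ["admin.electronicvisions.com"],
     "not_after": datetime(2017, 9, 17, tzinfo=UTC)},
    {"lineage": "admin.electronicvisions.com",
     "names": ["admin.electronicvisions.com", "mail.electronicvisions.com"],
     "not_after": datetime(2017, 11, 15, 15, 25, tzinfo=UTC)},
]

def name_set(cert):
    # DNS names are case-insensitive and their order is irrelevant.
    return frozenset(n.lower().rstrip(".") for n in cert["names"])

def is_renewed(cert, all_certs):
    """True if another certificate has the exact same names and expires later
    (later expiry stands in for "newer"; the lineage label is never consulted)."""
    return any(name_set(o) == name_set(cert) and o["not_after"] > cert["not_after"]
               for o in all_certs)

def expiry_notices(all_certs, now, window=timedelta(days=30)):
    """Certificates expiring inside the assumed window with no exact-set renewal."""
    return [c for c in all_certs
            if now <= c["not_after"] <= now + window
            and not is_renewed(c, all_certs)]

def needs_action(notice, served, now, window=timedelta(days=30)):
    """A notice matters only if the certificate actually being served leaves one
    of the notice's names uncovered or is itself close to expiry."""
    uncovered = name_set(notice) - name_set(served)
    return bool(uncovered) or served["not_after"] <= now + window

if __name__ == "__main__":
    now = datetime(2017, 9, 8, tzinfo=UTC)  # constructed "today"
    for n in expiry_notices(CERTS, now):
        print(sorted(name_set(n)), "notice; action needed:",
              needs_action(n, CERTS[1], now))
```

The single-name certificate still draws a notice because the two-name certificate is not an exact-set match, yet no action is needed because the served certificate covers that name and is not near expiry.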