Let's Encrypt certificate expiration notice - why?

PaulGuijt · April 20, 2019, 2:16pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I received a Let’s Encrypt certificate expiration notice for domain “paulguijt.nl”. But why?

My domain is: paulguijt.nl

I ran this command: sudo certbot certificates

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: paulguijt.nl
Domains: paulguijt.nl rarediseasesresearch.eu www.paulguijt.nl www.rarediseasesresearch.eu
Expiry Date: 2019-07-12 06:44:45+00:00 (VALID: 82 days)
Certificate Path: /etc/letsencrypt/live/paulguijt.nl/fullchain.pem
Private Key Path: /etc/letsencrypt/live/paulguijt.nl/privkey.pem

My web server is (include version): offline now, but normally Apache latest

The operating system my web server runs on is (include version): Raspbian

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

JuergenAuer · April 20, 2019, 2:24pm

Hi @PaulGuijt

your last certificates ( https://check-your-website.server-daten.de/?q=paulguijt.nl ):

CRT-Id	Issuer	not before	not after	Domain names
1384838200	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-13 04:44:45	2019-07-12 04:44:45	paulguijt.nl, rarediseasesresearch.eu, www.paulguijt.nl, www.rarediseasesresearch.eu
4 entries
1158094934	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-01-30 09:35:08	2019-04-30 08:35:08	paulguijt.nl, rarediseasesresearch.eu, www.paulguijt.nl, www.rarediseasesresearch.eu
4 entries
1157796189	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-01-30 07:36:42	2019-04-30 06:36:42	paulguijt.nl
1 entries
962647269	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2018-11-20 18:18:04	2019-02-18 18:18:04	paulguijt.nl, rarediseasesresearch.eu, www.paulguijt.nl, www.rarediseasesresearch.eu
4 entries
812916702	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2018-09-11 11:26:03	2018-12-10 12:26:03	paulguijt.nl, rarediseasesresearch.eu, www.paulguijt.nl, www.rarediseasesresearch.eu
4 entries
551637351	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2018-06-22 12:59:58	2018-09-20 12:59:58	paulguijt.nl, rarediseasesresearch.eu, www.paulguijt.nl, www.rarediseasesresearch.eu
4 entries

You use a certificate with 4 domain names. But there is a certificate with one domain name without a newer certificate.

--> that produces the mail.

So ignore the mail.

tialaramex · April 20, 2019, 2:26pm

The expiration notice tells you the exact set of names on the certificate it sees not being renewed. The Let’s Encrypt backend systems consider that if you have other certificates, which cover some or all of the same names but not the exact same list, that’s different and it can’t tell if you need to renew both.

In your case, you have a certificate for the long list of names you gave in your message (including rarediseasesresearch.eu) and one for just paulgujit.nl on its own. The latter has not been renewed. There’s no need to do so if in fact you only use the certificate with all the names in, but the renewal warnings don’t know this and so they will warn you anyway.

PaulGuijt · April 20, 2019, 2:38pm

Ah, Thanks!

Vriendelijke groet,

Paul

PaulGuijt · April 20, 2019, 2:39pm

Ah, Thanks too.

Vriendelijke groet,

Paul

system · May 20, 2019, 2:40pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.