Let's Encrypt certificate expiration notice


According to @jsha in Expiration Emails (Too Many, Unnecessary, etc.), I should start a thread when I receive an email which isn’t supposed to arrive.

I just received an email saying my certificate for domain mygroup.travel is about to expire, in 19 days. However, when I check with SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=mygroup.travel) it still has well over 2 months before the certificate isn’t valid anymore.

Thanks for taking a look.

Help us test renewal with "letsencrypt renew"

I think it’s fixed for certificates issued after March 17th, but there’s an open ops issue to make it work for older certificates as well. At least that’s what I got from this post:


Yep, @pfg is correct. We need to do a backfill of the FQDNSets table, which will get us the behavior we want both for rate limiting and for renewal emails. Sorry that’s taken longer than I expected. I spoke too soon on the other thread about when the renewal email fixes should take effect.


The backfill of the FQDNSets table is now done (since Thursday April 12) and you shouldn’t be getting expiration notices for certificates you’ve renewed.


Looks like it’s still having issues - got this yesterday - for a domain that been renewed already…

Your certificate (or certificates) for the names listed below will expire in 0 days (on 23 May 16 06:38 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.



crt.sh shows a number of non-expired certificates for that domain. However, they are not a perfect match - there’s an additional domain (master.roojs.com) on those certificates. Let’s Encrypt only looks at certificates with the exact same set of domain names when determining the expiration date.


Yes, it looks like when I initially set this up, I only did it for 2 domains, but when I finished I decided on using the same certificate for 3 domains.

so initially created a certificate for
roojs.com www.roojs.com

Then later on changed it to
roojs.com www.roojs.com master.roojs.com

I would agree with you, trying to handle this or similar situations is a bit of a can of worms, so probably not worth changing anything (the only result of it is that I get an extra email once… - not really a issue)

It may be worth adding some notes to the automated email

  • getting this email, but have already renewed? Let’sencrypt tracks set’s of domains, if you subsequently created a certificate with a different set of domains, then just ignore this message.