Letsencrypt renewal emails say my cert expires Sept. 2 but certbot says it's good until Nov. 1

Hi - I’m getting mails from letsencrypt that say my certificate expires on Sept. 2. But certbot says the certificate is good until Nov. 1. This was the first website where I set up Letsencrypt and it’s possible I accidentally set up two certificates with the same name a few months ago. I’ll paste in a history | grep certbot below.

Here is the email from letsencrypt. The sender, “Let’s Encrypt Expiry Bot,” suggests it really did come from Letsencrypt. The email header shows it originated from Mailchimp, so it was an automated email.

From: Let's Encrypt Expiry Bot <expiry@letsencrypt.org>
Sent: Friday, August 23, 2019 10:02 AM
To: Greg Scott <GregScott@infrasupport.com>
Subject: Let's Encrypt certificate expiration notice for domain "infrasupport.com" (and 1 more)

Hello,

Your certificate (or certificates) for the names listed below will expire in 9 days (on 02 Sep 19 14:59 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

infrasupport.com

[www.infrasupport.com](http://www.infrasupport.com)

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=30850198&id=04d9c5ecfc614309baca6b572223832a.CQi6K%2B2w6j90dW1K2KrKc%2FAmmrs%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dgregscott%2540infrasupport.com

Regards,

The Let's Encrypt Team

Here is the rest of what help forum posts ask for:

My domain is:

infrasupport.com

I ran this command:
certbot certificates

It produced this output:

[root@www ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: www.infrasupport.com
Domains: www.infrasupport.com
Expiry Date: 2019-11-01 16:26:59+00:00 (VALID: 69 days)
Certificate Path: /etc/letsencrypt/live/www.infrasupport.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.infrasupport.com/privkey.pem


[root@www ~]#

My web server is (include version): Apache (httpd) on Fedora 30

The operating system my web server runs on is (include version): Fedora 30

My hosting provider, if applicable, is: a VM in my basement

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

[root@www ~]# certbot --version
certbot 0.35.1

And here is a history of my certbot commands. You can see my certbot destroy command after my first attempt didn’t work properly because of a certbot bug with new versions of Fedora earlier in 2019. Is it possible my certbot destroy did not get rid of something inside Letsencrypt?

[root@www ~]# history | grep certbot
683 dnf list | grep certbot
691 certbot certonly
692 certbot --help
693 certbot --webroot
694 certbot --help plugins
695 certbot certonly --webroot
696 certbot certonly --webroot --installer apache
700 certbot certonly
706 certbot certonly
710 certbot --help
711 certbot -d infrasupport.com
712 certbot certonly --webroot
713 certbot certificate infrasuport.com
714 certbot certificates -d infrasuport.com
715 certbot certificates
716 certbot renew
727 cd certbot_apache
736 certbot destroy
737 certbot --help
738 certbot delete
741 cd certbot_apache
791 certbot certonly --webroot
801 certbot renew
850 certbot renew
851 man certbot
852 certbot help
853 certbot certificates
854 certbot --version
855 certbot-auto --version
856 history | grep certbot
[root@www ~]#

thanks

- Greg Scott

Hi @gregscott,

Most people who post about this seem not to have paid close attention to this text:

In this case, the reminder e-mail is correct and refers to this certificate

https://crt.sh/?id=1549250519

You may have replaced that certificate (which expires in September) with this one

https://crt.sh/?id=1746422467

which expires in November, but the new certificate covers only www.infrasupport.com and not infrasupport.com. That means that https://infrasupport.com/ is (already!) a certificate mismatch error in browsers that distinguish the www. subdomain from the base domain for certificate validation purposes (typically, everything other than Google Chrome). The expiry reminder e-mail was due to the fact that your new certificate does not have the same name coverage as your old one.

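The name-coverage comparison described in the reply above, as an added example that is not part of the original thread: it parses `certbot certificates` output and checks whether the names in a reminder e-mail are still covered by a managed certificate. The function names are hypothetical, the sample input is constructed from the output posted in this thread, and the wildcard handling goes beyond the case discussed here.

```python
import re
from datetime import datetime

# Constructed sample: the `certbot certificates` output posted in this thread.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: www.infrasupport.com
    Domains: www.infrasupport.com
    Expiry Date: 2019-11-01 16:26:59+00:00 (VALID: 69 days)
"""
# Names listed in the expiry reminder e-mail.
EMAIL_NAMES = {"infrasupport.com", "www.infrasupport.com"}


def parse_lineages(text):
    """Return {certificate_name: {"domains": set, "expiry": datetime}}."""
    lineages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Certificate Name:\s*(\S+)", line):
            current = lineages.setdefault(m.group(1), {"domains": set(), "expiry": None})
        elif current is not None and (m := re.match(r"Domains:\s*(.+)", line)):
            current["domains"] = {d.lower() for d in m.group(1).split()}
        elif current is not None and (m := re.match(r"Expiry Date:\s*(\S+ \S+)", line)):
            current["expiry"] = datetime.fromisoformat(m.group(1))
    return lineages


def covered(name, domains):
    """Exact match, or a wildcard entry matching exactly one leftmost label."""
    name = name.lower()
    parent = name.split(".", 1)[1] if "." in name else ""
    return name in domains or f"*.{parent}" in domains


def assess_reminder(email_names, lineages):
    """Report lineages with the exact same name set, and names nothing covers."""
    names = {n.lower() for n in email_names}
    exact = sorted(c for c, l in lineages.items() if l["domains"] == names)
    all_domains = set().union(*(l["domains"] for l in lineages.values()))
    uncovered = sorted(n for n in names if not covered(n, all_domains))
    return {"exact_match": exact, "uncovered": uncovered}


if __name__ == "__main__":
    print(assess_reminder(EMAIL_NAMES, parse_lineages(CERTBOT_OUTPUT)))
```

An empty `exact_match` list means no managed certificate has the same set of names as the one in the reminder; any entry in `uncovered` is a hostname that will fail validation once the old certificate is gone.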

Thanks. That sounds like just what happened. Sorry for the hassle - I missed the different names. I also missed this sentence in the documentation:

If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

thanks

- Greg
