If you have received an expiration email for a certificate that you believe has already been renewed, you are in the right place.
What to Know
Let's Encrypt...
- sends an expiration email 20 a certificate expires, and another one 7 days before it expires
- will not send an expiration email for a renewed certificate
- considers a certificate to be renewed if a newer duplicate of that certificate has been issued
- considers a certificate to be a duplicate of another certificate if both certificates have the exact same list of subject alternative names (SANs), regardless of order
If you were issued a new certificate that...
- does include one or more (sub)domain names that your previous certificate did not include
- does not include one or more (sub)domain names that your previous certificate did include
then your new certificate is not considered a renewal of your previous certificate because your new certificate is not a duplicate of your previous certificate.
What to Do
Begin by determining which certificate is actually being served. While there are numerous ways to accomplish this, the simplest way is just to visit the website associated with the certificate in question then click on the padlock next to the address to view the certificate information. If the certificate shown expires in more than twenty days, the expiration email that you received was for a different certificate than the one being served.
For more information, you can use the Qualys SSL Labs Server Test to view detailed information about the entire certificate chain being served. Additionally, you can find detailed information about every Let's Encrypt certificate ever issued to you by searching with crt.sh.