Received Expiration Email But Already Renewed Certificate: What to Know and Do

If you have received an expiration email for a certificate that you believe has already been renewed, you are in the right place. 🙂

What to Know

Let's Encrypt...

  • sends an expiration email twenty days, ten days, and one day before a certificate expires
  • will not send an expiration email for a renewed certificate
  • considers a certificate to be renewed if a newer duplicate of that certificate has been issued
  • considers a certificate to be a duplicate of another certificate if both certificates have the exact same list of subject alternative names (SANs), regardless of order

If you were issued a new certificate that...

  • does include one or more (sub)domain names that your previous certificate did not include
  • does not include one or more (sub)domain names that your previous certificate did include

then your new certificate is not considered a renewal of your previous certificate because your new certificate is not a duplicate of your previous certificate.

What to Do

Begin by determining which certificate is actually being served. While there are numerous ways to accomplish this, the simplest way is just to visit the website associated with the certificate in question, then click on the padlock next to the address to view the certificate information. If the certificate shown expires in more than twenty days, the expiration email that you received was for a different certificate than the one being served.

For more information, you can use the Qualys SSL Labs Server Test to view detailed information about the entire certificate chain being served. Additionally, you can find detailed information about every Let's Encrypt certificate ever issued to you by searching with crt.sh.

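The duplicate rule from the post above, applied to a small certificate inventory. This is an added example, not part of the original post and not Let's Encrypt's own code. The `Cert` tuple, the function names and the sample certificates are constructed for illustration, and it assumes that "newer" is judged by issuance date and that names are compared in lowercase.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

class Cert(NamedTuple):
    label: str            # constructed label, not a real serial number
    sans: tuple           # subject alternative names on the certificate
    not_before: datetime  # issuance time
    not_after: datetime   # expiry time

def san_key(sans):
    """Order-independent identity of a SAN list (lowercasing is an assumption)."""
    return frozenset(name.lower() for name in sans)

def is_renewed(cert, all_certs):
    """True if a newer certificate with exactly the same SAN set was issued."""
    return any(o.not_before > cert.not_before and san_key(o.sans) == san_key(cert.sans)
               for o in all_certs)

def expected_notices(all_certs, now, window_days=20):
    """Certificates expiring within the window that have no newer duplicate."""
    cutoff = now + timedelta(days=window_days)
    return [c for c in all_certs
            if now <= c.not_after <= cutoff and not is_renewed(c, all_certs)]

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (example.com / example.org are placeholder names).
CERTS = [
    Cert("A", ("example.com", "www.example.com"), utc(2024, 1, 1), utc(2024, 3, 31)),
    # Same names in a different order: a duplicate of A, so A counts as renewed.
    Cert("B", ("www.example.com", "example.com"), utc(2024, 3, 1), utc(2024, 5, 30)),
    Cert("C", ("example.org", "www.example.org"), utc(2024, 1, 5), utc(2024, 4, 4)),
    # One name added: not a duplicate of C, so C is still treated as unrenewed.
    Cert("D", ("example.org", "www.example.org", "mail.example.org"),
         utc(2024, 3, 5), utc(2024, 6, 3)),
]
NOW = utc(2024, 3, 20)  # constructed "today"

if __name__ == "__main__":
    for c in expected_notices(CERTS, NOW):
        days = (c.not_after - NOW).days
        print(f"{c.label}: {sorted(san_key(c.sans))} expires in {days} days, no duplicate issued")
```

Certificate C is the only one reported: D replaced it in practice, but because D's name list differs, C is not considered renewed.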

Clear, concise, and understandable by people of all tech expertise. Well done!

