Receiving unpleasant mails

My domain is: actic.aprenonline.eu

My command and output follow

Apache 2.4 on Ubuntu 20.04

The version of my client is 0.40.0

Even though, as you can see in the output above, the certbot says the certificate is not due for renewal, I continue receiving mails saying, by now, that certification will expire in 9 days!

Who's wrong? The certbot, or the mails?

Any help will be greatly appreciated.

Carles

Likely neither.
You should read the email closer.

For instance, the cert: crt.sh | 7204690705
Only covers the name:

X509v3 Subject Alternative Name: 
DNS:actic.aprenonline.eu

All subsequent certs that include that name also include more names:
crt.sh | 7484043016
covers:

X509v3 Subject Alternative Name: 
DNS:actic.aprenonline.eu
DNS:app.aprenonline.eu
DNS:borsa.aprenonline.eu

crt.sh | 7484071463
covers:

X509v3 Subject Alternative Name: 
DNS:actic.aprenonline.eu
DNS:app.aprenonline.eu
DNS:borsa.aprenonline.eu
DNS:concurs.aprenonline.eu

crt.sh | 7484123712
covers:

X509v3 Subject Alternative Name: 
DNS:actic.aprenonline.eu
DNS:app.aprenonline.eu
DNS:borsa.aprenonline.eu
DNS:concurs.aprenonline.eu

So, you see that there was no cert that renewed that exact same set of names.
The "good news" is that the emails stop once the certs expire.
That said, be prepared to receive emails about the following cert in the coming months:
crt.sh | 7484043016
Which is a unique set of names [that you will not likely renew].

Please show the output of:
certbot certificates

5 Likes

This. And the linked documentation within the email.

5 Likes

Thanks for your answer, Osiris.

The output you asked for is

Honestly, I do not understand why I have to have so many certificates. If the first covers my four domains, why for the others?

Usually this is due to users trying Certbot out, starting with a single domain, not knowing it's possible to add multiple hostnames to a single certificate. When they find out and get a multi-SAN certificate, they're not aware of the certbot certificates command, not aware of the multiple certificates known to Certbot and Certbot just keeps renewing all certificates, as Certbot cannot know the actual use of the certs.

Also, your Certbot version is ancient. It's very possible more recent versions of Certbot had better detection of redundant certificates. Certbot currently would ask you if you'd like to expand an already existing certificate.

Looks like you have indeed 2 redundant certificates. You can delete those two superfluous ones, but you need to check if no service is using them first before deleting them.

4 Likes

Osiris,

I feel very sorry, but unfortunately I do not have the knowledge to follow your hints. Please, could you be more specific? I understand that I certainly need help, since I know almost nothing about certs. All I have done, was done quite back. I just know the two basic commands of certbot! Please, can you help me? Can you tell me what commands do I need to do the things you mentioned?

I would be infinitely grateful!

Carles

Message from Osiris via Let's Encrypt Community Support <notifications@letsencrypt.discoursemail.com> on Sat., 15 Oct. 2022 at 13:17:

1 Like

You can learn more about deleting certs from Certbot at User Guide — Certbot 1.31.0 documentation. Please do read the part about safely deleting certificates carefully.

3 Likes
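The check suggested in this thread (find the redundant certificates, then confirm no service still uses them before deleting) can be scripted. The following is an added example, not code from the thread or from Certbot: it parses the text layout printed by `certbot certificates` and an Apache config fragment. The lineage names, paths and vhost lines are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed to the lines the parser needs; hostnames are the
# ones discussed in this thread, lineage names and paths are made up.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: actic.aprenonline.eu
    Domains: actic.aprenonline.eu
    Certificate Path: /etc/letsencrypt/live/actic.aprenonline.eu/fullchain.pem
  Certificate Name: actic.aprenonline.eu-0001
    Domains: actic.aprenonline.eu app.aprenonline.eu borsa.aprenonline.eu
    Certificate Path: /etc/letsencrypt/live/actic.aprenonline.eu-0001/fullchain.pem
  Certificate Name: actic.aprenonline.eu-0002
    Domains: actic.aprenonline.eu app.aprenonline.eu borsa.aprenonline.eu concurs.aprenonline.eu
    Certificate Path: /etc/letsencrypt/live/actic.aprenonline.eu-0002/fullchain.pem
"""

# Constructed Apache vhost fragment (assumption: configs reference live/ paths).
SAMPLE_VHOST = """\
SSLCertificateFile /etc/letsencrypt/live/actic.aprenonline.eu-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/actic.aprenonline.eu-0002/privkey.pem
"""

def parse_lineages(text):
    """Map each 'Certificate Name' to the set of names on its 'Domains' line."""
    lineages, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            current = value.strip()
        elif key == "Domains" and current:
            lineages[current] = set(value.split())
    return lineages

def redundant(lineages):
    """Lineages whose names are a strict subset of another lineage's names."""
    return sorted(name for name, names in lineages.items()
                  if any(names < other for other in lineages.values()))

def referenced(config_text):
    """Lineage names a server config points at under /etc/letsencrypt/live/."""
    return set(re.findall(r"/etc/letsencrypt/live/([^/\s]+)/", config_text))

def deletion_candidates(lineages, config_text):
    """Redundant lineages that the given config does not reference."""
    used = referenced(config_text)
    return [name for name in redundant(lineages) if name not in used]
```

Run `deletion_candidates` against the concatenated text of every config that can load a certificate (all Apache vhosts, mail server, and so on), not only one file; a lineage that is still referenced must be repointed before it is deleted.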
