Renewed domains do not look renewed and receive Lets Encrypt emails

kosimek · December 17, 2019, 9:16pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.otpxs.com

I ran this command:
certbot-auto certificates

It produced this output:
Found the following certs:
Certificate Name: www.otpxs.com
Domains: www.otpxs.com otpxs.ca otpxs.com otpxs.eu www.otpxs.ca www.otpxs.eu
Expiry Date: 2020-03-16 16:32:31+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.otpxs.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.otpxs.com/privkey.pem

My web server is (include version):
Apache 2.2.15

The operating system my web server runs on is (include version):
CentOS 6.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
1.0.0

As shown above, the certificate does not expire until 2020-03-16 according to “certbot-auto certificates” and yet I get an email telling me that it renews soon.
When I go to crt.sh to check the www.otpxs.com domain it shows 2 certificates (no idea why there are 2) and they both are shown to expire in early January 2020 instead of March 2020.

crt.sh ID 1988178444
Validity
Not Before: Oct 10 16:13:20 2019 GMT
Not After : Jan 8 16:13:20 2020 GMT
Subject: commonName = www.otpxs.com

crt.sh ID 1980747422
Validity
Not Before: Oct 10 16:13:20 2019 GMT
Not After : Jan 8 16:13:20 2020 GMT
Subject: commonName = www.otpxs.com

I have looked at the other posts with similar issues regarding receipt of renewal emails and I do not believe those apply to me. Why does crt.sh not show the same expiry date in March of next year and why do I get these emails. The same reason, whatever that is, I suppose.
Thanks.

ski192man · December 17, 2019, 9:33pm

crt.sh is not working right now due to a database issue. Browsing to your website it has a correct expiry date of March 16, 2020. Try using google certificate transparency

Emails can sometimes be misleading, if you add or remove subdomains it will still trigger an email. Because it looks for an exact match certificate, if you change anything on it it will see it as a new one and still send an email about the old one.

kosimek · December 17, 2019, 9:50pm

@ski192man
Thanks, I can see the list and am surprised to see the duplication but I have no idea how to remove the ones that are still showing to be expiring in January.

Also, the first time I installed the certificate for one of my websites and it asked me which websites to create it for, I was under the mistaken assumption that it would allow me to create several certificates at once. It was suggested I delete the other ones by omitting the -d option for the other domains but clearly it did not remove them from the certificate.

If I look at the crt.sh results for plesman.info it still shows the otpxs.com and a site called parxx.com even though I removed those domains from the certificate, at least I thought I did.

The certificates listed on https://crt.sh/?id=1974037598 and https://crt.sh/?id=1977171517 should therefore both be removed altogether. How can I get rid of those? That may be where the certificates expiring in January come from and is not having them removed going to cause a problem on January 8th?
Thanks

ski192man · December 17, 2019, 10:01pm

Certificates cannot be removed from certificate transparency, ever. It is simply a log of all certs you have issued. If you don’t use the nearly expiring certificates on your server, and browsing to your website shows a proper expiration date there isn’t any further action you need to take.

kosimek · December 18, 2019, 12:27am

@ski192man
That’s a relief. When I look at the certificates in the browser they all show an expiry date in March so I should be good then. Will keep my fingers crossed nevertheless.
Thanks for the help

system · January 17, 2020, 12:27am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.