Some devices getting SSL Cert Expiry Notice but it is already renewed in the server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot certificate

It produced this output:
Certificate Name:
Serial Number: the number
Key Type: RSA
Expiry Date: 2023-05-01 22:18:46+00:00 (VALID: 89 days)
Certificate Path: the path
Private Key Path: the path

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: dovecot/postfix

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): dashboard and console

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

I have force renewed it already and it shows it is valid. I did it from then route. However, some of our clients are getting certificate not valid or expired notices so I am very confused. Any help would be appreciated.
If there is any other information needed let me know.

if one changed list of (sub)domains in the certificate, LE notifier doesn't consider it as renewal and send renewal notice. you can safely ignore it if you saw updated cert.


So is it better to let out clients know to ignore i?
However, we did not add any sub domains recently.However, I will double check it.

Certbot doesn't know how to tell Dovecot or Postfix about the existence of the newly-renewed certificate, so it might be necessary to reload or restart these services manually, or provide a --deploy-hook to Certbot with a script or command line that restarts the affected services after a renewal.


Hi @erinam99, and welcome to the LE community forum :slight_smile:

Did you really think that would fix the problem?
[to all readers: please don't forcibly renew unexpired certs]


Well, that was unnecessary unfortunately. I see you've wasted two perfectly fine certificates indeed.

Forced renewal only makes sense if you want to change something to the contents of an already issued certificate, e.g. add or remove OCSP "must staple" or change the key lengt/type et cetera. If issuance was not an issue to begin with and you don't need to change the contents of the cert, there is absolutely no reason to force a renewal as it will not fix anything that went wrong the first place.


I already did that before and when we first got that issue hat resolved it. However this time it made no difference and only a selected group of people are having the issue.

Ah...I thought it will renew all sub domains again in case something was not fully updated and I missed.
I won't do that anymore.

1 Like

My bad.Thank you for the explanation that makes more sense. I was trying to look for explanations and all I found is some articles suggesting to force renew. I won't do that again.

1 Like

I'm afraid there's indeed a lot of incorrect information/advice out there :sob:


It sure is. Need to be more careful next time!
I will try checking other potential reasons and not touch the certificates anymore.

FYI: Postfix @ port 25 with STARTTLS at is using an expired certificate. IMAP @ port 143 with STARTTLS at is using the cert issued yesterday.


Thank you so much!!! I didn't notice that earlier!!!
I will take a look into how to renew that port now! Is there a safe way to do it?
(I'm sorry if my questions are kind of shallow...I don't know a lot when it comes to this area. Just started learning a few days ago.)


Who installed the existing cert into those other (email) programs?
And how?


It was an old employee who decided to set up a old mail server at some point...
I actually have no information of how it was exactly done.
I know someone who works remotely did renew them a few months ago. But they ran into the same problem again. Since now I know a port has expired I wonder if the SSL cert didn't actually renew for anyone and needs to be done by port?

Not the best of scenarios... but now we know what we're dealing with.

The cert is singular [and you have already renewed it].
See: |
The use is plural.
Now you need to either:

  • reboot to have all systems use the new cert
  • instruct each system to use the new cert
    [recreate steps that were not documented]

Not renew, but "let Postfix know to use the brand new certificate issued". Usually sudo postfix reload is enough.

If that doesn't work, it could be Postfix is configured in a strange way, e.g. not pointing to the correct files in /etc/letsencrypt/.


I will look into that. I've done a reload and tested it again..Seems to still have a similar problem unless I need to wait?
I will look into that as well! Thank you so much you saved me!


Thank you will look into that!
I will see if a reboot will fix it first.


Should be instant. Perhaps your Postfix is weirdly configured, please check its smtpd_tls_..... configuration.