When can I renew a certificate using certbot in manual mode?


I use certbot to get a certificate, and I use an authenticator written in Python to upload the HTTP challenge to the server.

I received an email from Let's Encrypt saying that my cert needs to be renewed:

Your certificate (or certificates) for the names listed below will expire in
20 days (on 02 May 18 07:30 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

But when I run the command I use to get a new certificate, I get an error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert not yet due for renewal
Keeping the existing certificate

Certificate not yet due for renewal; no action taken.

The first domain that I used was www.domektkaczki.pl. When I check the cert in Google Chrome, it shows that it expires on 22 June 2018 and that it was created on 24 March. I added it a few times because I was adding new subdomains. 24 March was the last time I added a subdomain.

When can I renew the certificate and run the command successfully? Is everything OK with the cert? Maybe something is wrong with the email service.

And today I just got another email saying that my cert is going to expire in 10 days, but www.domektkaczki.pl is not on the list this time.


What is the output of certbot certificates?

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: www.domektkaczki.pl
    Domains: www.domektkaczki.pl access.jcubic.pl dev.medica.sklep.pl firepad.jcubic.pl jcubic.pl jquery.jcubic.pl mail.jcubic.pl medica.sklep.pl notes.jcubic.pl piwik.jcubic.pl proxy.jcubic.pl shell.jcubic.pl terminal.jcubic.pl
    Expiry Date: 2018-06-22 14:13:10+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/www.domektkaczki.pl/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.domektkaczki.pl/privkey.pem

And I just got another email with a different set of domains/subdomains; some of them are the same as in the previous email.


You can see your issuance history at https://crt.sh/?Identity=%www.domektkaczki.pl&iCAID=16418

If you look at the notification e-mail, it should explain that the warning is sent from the CA if you didn’t renew the exact set of names as the original certificate, even if you have a newer certificate that covers more names, because the CA doesn’t know how the certificates are being used. This is probably the case here. If your newest certificate covers all of the names that you need it to, no action is required.
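The rule described in the answer above, modelled as an added example (not part of the original thread and not Let's Encrypt's own code): a certificate draws an expiry e-mail when it is inside the warning window and was never renewed with the exact same set of names, and the useful follow-up check is whether every name on it is still covered by a longer-lived certificate. The `Cert` type, the function names and the `example.org` history are constructed for illustration; the 20-day window is the one quoted in the e-mail.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    names: frozenset       # DNS names on the certificate
    not_before: datetime
    not_after: datetime


def warned(certs, now, window_days=20):
    """Certs that would draw an expiry e-mail under the rule in the answer:
    expiring inside the window and never reissued with the *exact* same names."""
    limit = now + timedelta(days=window_days)
    out = []
    for c in certs:
        if not (now < c.not_after <= limit):
            continue
        renewed = any(o.names == c.names and o.not_before > c.not_before for o in certs)
        if not renewed:
            out.append(c)
    return out


def uncovered(cert, certs, now, window_days=20):
    """Names on `cert` that no certificate valid past the window still covers."""
    limit = now + timedelta(days=window_days)
    covered = set()
    for o in certs:
        if o.not_before <= now and o.not_after > limit:
            covered |= o.names
    return sorted(cert.names - covered)


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed issuance history (names and dates are sample values).
OLD = Cert(frozenset({"www.example.org", "mail.example.org"}), utc(2018, 2, 1), utc(2018, 5, 2))
NEW = Cert(frozenset({"www.example.org", "mail.example.org", "shell.example.org"}), utc(2018, 3, 24), utc(2018, 6, 22))
LEGACY = Cert(frozenset({"old.example.org"}), utc(2018, 2, 1), utc(2018, 5, 2))
HISTORY = [OLD, NEW, LEGACY]
NOW = utc(2018, 4, 13)

if __name__ == "__main__":
    for c in warned(HISTORY, NOW):
        print(sorted(c.names), "uncovered:", uncovered(c, HISTORY, NOW))
```

An empty "uncovered" list means the warning can be ignored for that certificate; any name that remains is one that will actually lose coverage when the old certificate expires.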

