I use LetsEncrypt so that I don't have to worry about renewing certificates. I continue to receive expiration notice emails. So far as I know, my connections to LetsEncrypt are working fine and my certificates are being automatically renewed as expected.
Are these notification emails spurious, or do I need to pay attention to them?
Here is the text of the email I just now received regarding 'covid.zeetix.com':
> Hello,
>
> Your certificate (or certificates) for the names listed below will expire in 9 days (on 21 Nov 22 15:51 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
>
> We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
>
> covid.tms.micallef.zeetix.com
> micallef.zeetix.com
> tms.micallef.zeetix.com
>
> For details about when we send these emails, please visit: https://letsencrypt.org/docs/expiration-emails/ In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.
>
> For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.
>
> If you are receiving this email in error, unsubscribe at: http://delivery.letsencrypt.org/track/unsub.php?u=30850198&id=9d5fee7fd2f3471ead1eb422d8a8f3f3.Mw%2FLJbhvRJIpbPt23sKkfecD2Ws%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dt%252A%252A%252A%252A%2540z%252A%252A%252A%252A.%252A%252A%252A Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.
>
> Regards,
> The Let's Encrypt Team
I invite the guidance of this community and appreciate your attention. Details of the configuration of one of my two sites follow.
Here is the content of '/etc/letsencrypt/renewal/covid.zeetix.com.conf':
```
# renew_before_expiry = 30 days
version = 1.31.0
archive_dir = /etc/letsencrypt/archive/covid.zeetix.com
cert = /etc/letsencrypt/live/covid.zeetix.com/cert.pem
privkey = /etc/letsencrypt/live/covid.zeetix.com/privkey.pem
chain = /etc/letsencrypt/live/covid.zeetix.com/chain.pem
fullchain = /etc/letsencrypt/live/covid.zeetix.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 9a4a1625821cf5d9346139f02aec1144
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
```
Here is the content of today's log ('/var/log/letsencrypt/letsencrypt.log'):
```
2022-11-11 04:50:02,945:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-11-11 04:50:03,424:DEBUG:certbot._internal.main:certbot version: 1.32.0
2022-11-11 04:50:03,424:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2511/bin/certbot
2022-11-11 04:50:03,424:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2022-11-11 04:50:03,424:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-11-11 04:50:03,453:DEBUG:certbot._internal.log:Root logging level set at 40
2022-11-11 04:50:03,454:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/covid.zeetix.com.conf
2022-11-11 04:50:03,482:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7ffae8645940> and installer <certbot._internal.cli.cli_utils._Default object at 0x7ffae8645940>
2022-11-11 04:50:03,511:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-11-11 04:50:03,573:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-11-11 04:50:03,574:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/covid.zeetix.com/cert2.pem is signed by the certificate's issuer.
2022-11-11 04:50:03,575:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/covid.zeetix.com/cert2.pem is: OCSPCertStatus.GOOD
2022-11-11 04:50:03,578:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-11-11 04:50:03,579:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2022-11-11 04:50:03,583:DEBUG:certbot._internal.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_fedora.FedoraConfigurator object at 0x7ffae863f880>
2022-11-11 04:50:03,584:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no values loaded
2022-11-11 04:50:03,584:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-11-11 04:50:03,584:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2022-11-11 04:50:03,584:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/covid.zeetix.com/fullchain.pem expires on 2023-01-30 (skipped)
2022-11-11 04:50:03,584:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2022-11-11 04:50:03,584:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-11-11 04:50:03,584:DEBUG:certbot._internal.renewal:no renewal failures
```
I see no indication of any auto-renewal issues here.
Standard form answers follow
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: (standard letsencrypt install)
It produced this output: (standard letsencrypt output)
My web server is (include version): Apache/2.4.37 (rocky)
The operating system my web server runs on is (include version): Rocky Linux 8.6 (Green Obsidian)
kernel: Linux 4.18.0-372.26.1.el8_6.x86_64
My hosting provider, if applicable, is: AWS EC2
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): certbot 1.32.0
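Added example, not part of the original post and not Let's Encrypt or Certbot code: the quoted e-mail says a reminder is still sent when a certificate has been replaced by one with a different name set, so this sketch compares the names and expiry in a notice with the certificates Certbot manages. The inventory text is constructed in the layout printed by `certbot certificates`; the second lineage, both timestamps, and the function names are assumptions.

```python
import re
from datetime import datetime

# Names and expiry copied from the e-mail quoted in the post.
NOTICE = """will expire in 9 days (on 21 Nov 22 15:51 +0000).
covid.tms.micallef.zeetix.com
micallef.zeetix.com
tms.micallef.zeetix.com
"""

# CONSTRUCTED sample in the layout printed by `certbot certificates`;
# the second lineage and both timestamps are assumptions, not the poster's data.
INVENTORY = """\
  Certificate Name: covid.zeetix.com
    Domains: covid.zeetix.com
    Expiry Date: 2023-01-30 15:51:00+00:00 (VALID: 79 days)
  Certificate Name: micallef.zeetix.com
    Domains: micallef.zeetix.com tms.micallef.zeetix.com
    Expiry Date: 2023-01-30 15:51:00+00:00 (VALID: 79 days)
"""

def parse_notice(text):
    """Return (expiry, names) from the body of an expiration e-mail."""
    when = re.search(r"\(on (\d{2} \w{3} \d{2} \d{2}:\d{2} [+-]\d{4})\)", text).group(1)
    host = re.compile(r"[\w-]+(\.[\w-]+)+")
    names = {l.strip() for l in text.splitlines() if host.fullmatch(l.strip())}
    return datetime.strptime(when, "%d %b %y %H:%M %z"), names

def parse_inventory(text):
    """Return {lineage: (domains, expiry)} from `certbot certificates` output."""
    certs = {}
    for block in text.split("Certificate Name: ")[1:]:
        domains = set(re.search(r"Domains: (.+)", block).group(1).split())
        stamp = re.search(r"Expiry Date: (\S+ \S+)", block).group(1)
        certs[block.splitlines()[0].strip()] = (domains, datetime.fromisoformat(stamp))
    return certs

def triage(notice, inventory):
    """Classify a notice as RENEW, CHECK or IGNORE against managed certificates."""
    expiry, names = parse_notice(notice)
    certs = parse_inventory(inventory)
    stale = sorted(n for n, (d, e) in certs.items() if d == names and e <= expiry)
    if stale:
        return "RENEW", stale          # same name set on disk was never replaced
    fresh = set().union(*(d for d, e in certs.values() if e > expiry))
    missing = sorted(names - fresh)
    if missing:
        return "CHECK", missing        # names on no certificate that outlives the notice
    return "IGNORE", []                # every name is on a newer certificate

if __name__ == "__main__":
    print(triage(NOTICE, INVENTORY))
```

A `CHECK` result lists hostnames that no longer appear on any managed certificate; those are the ones to confirm are either retired or served by a certificate issued elsewhere.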