Indeed, I noticed that as well after posting the update.
I see something similar with the other domain I'm using -- 'byron.zeetix.com'.
The subject of the notification email is: 'Let's Encrypt certificate expiration notice for domain "byron.zeetix.com" (and 4 more)'. Here is the content:
Hello,
Your certificate (or certificates) for the names listed below will expire in 9 days (on 21 Nov 22 15:36 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
byron.zeetix.com
covid.tms.byron.zeetix.com
tms.byron.zeetix.com
wiki.byron.zeetix.com
zeewiki.byron.zeetix.com
For details about when we send these emails, please visit: https://letsencrypt.org/docs/expiration-emails/ In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.
For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.
If you are receiving this email in error, unsubscribe at:
http://delivery.letsencrypt.org/track/unsub.php?u=30850198&id=da00c39058704a239600449c554432b9.Mw%2FLJbhvRJIpbPt23sKkfecD2Ws%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dt%252A%252A%252A%252A%2540z%252A%252A%252A%252A.%252A%252A%252A
Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.
Regards,
The Let's Encrypt Team
Here is the result of running 'certbot certificates' on 'byron.zeetix.com':
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: byron.zeetix.com
Serial Number: 40bf0e1388f3808f32699dc87365e5aeb3f
Key Type: RSA
Domains: byron.zeetix.com covid.tms.byron.zeetix.com fullstack.tms.byron.zeetix.com tms.byron.zeetix.com
Expiry Date: 2022-12-15 18:16:38+00:00 (VALID: 33 days)
Certificate Path: /etc/letsencrypt/live/byron.zeetix.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/byron.zeetix.com/privkey.pem
Certificate Name: insecure-test.byron.zeetix.com-0001
Serial Number: 3a0a8470524eda7a6cb8b29290ca91012a0
Key Type: RSA
Domains: insecure-test.byron.zeetix.com byron.zeetix.com
Expiry Date: 2023-01-25 11:16:38+00:00 (VALID: 74 days)
Certificate Path: /etc/letsencrypt/live/insecure-test.byron.zeetix.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/insecure-test.byron.zeetix.com-0001/privkey.pem
Certificate Name: insecure-test.byron.zeetix.com
Serial Number: 3d84bdf3390cd01215a92173968b0598ff2
Key Type: RSA
Domains: insecure-test.byron.zeetix.com secure-test.byron.zeetix.com
Expiry Date: 2023-01-25 11:16:46+00:00 (VALID: 74 days)
Certificate Path: /etc/letsencrypt/live/insecure-test.byron.zeetix.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/insecure-test.byron.zeetix.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The last two items in the above response are irrelevant to this thread.
Here are the domains, excerpted from the response:
byron.zeetix.com,
covid.tms.byron.zeetix.com,
fullstack.tms.byron.zeetix.com,
tms.byron.zeetix.com
It is true that I removed the following domains from this cert ()
wiki.byron.zeetix.com
zeewiki.byron.zeetix.com
The notification email includes this: "If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message."
Presumably that's what's going on here -- the current certificate for 'byron.zeetix.com' no longer covers 'wiki.byron.zeetix.com' and 'zeewiki.byron.zeetix.com'.
It does, however still cover the four domains answered by 'certbot certificates'.
I think I can ignore both of these. It appears to me that, in the fullness of time, the domains enumerated in a notification email might be narrowed slightly. I expect the two domains that I removed to expire. I expect the domains enumerated by 'certbot certificates' to continue to be renewed automatically.
Perhaps the text of the notification email might be changed to more accurately reflect what appears to be happening -- the certificate used by the enumerated domain names has been replaced by a new certificate that does not include those domain names.
The confusing part, for me, is the implication of the notification email that the certificate for "byron.zeetix.com" is expiring. The reality appears to be that the certificate for 'byron.zeetix.com' with the expiring domain names has been replaced by a newer certificate for 'byron.zeetix.com' that does not include some of the domain names.
The bottom line is that LetsEncrypt appears to be doing the right thing -- it appears that the notification emails confused me.