Why did I get a renewal notice email?

Issuance Tech
1

Yesterday I received an email saying my Let’s Encrypt certificate will expire on 10 April 2019. Quoting from the email:

Your certificate (or certificates) for the names listed below will expire in 10 days (on 10 Apr 19 07:19 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

campercaver.net
weather.campercaver.net
www.campercaver.net

However, when I run “certbot renew” on my server, I get this:

===========
[root@vmserver5 cron.daily]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/campercaver.net.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/campercaver.net/fullchain.pem expires on 2019-06-18 (skipped)
No renewals were attempted.

===========

Why am I getting a renewal notice if my certificate does not need renewal?? Why is there a difference between expiration dates?

The server is CentOS7 and Apache 2.4.6. Certbot is version 0.31.0. There is a cron job that runs certbot every day.

Thanks - Bill Gee

2

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

Your newer certificate has an additional subdomain.

1 Like
3

Hi @bgeecaver

check CT-Log-Entries:

You have three active certificates:

CRT-Id Issuer not before not after Domain names LE-Duplicate next LE
1307807759 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-03-20 05:21:49 2019-06-18 04:21:49 campercaver.net, pinapalooza.campercaver.net, weather.campercaver.net, www.campercaver.net
1122014445 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-01-18 10:38:06 2019-04-18 09:38:06 campercaver.net, pinapalooza.campercaver.net, weather.campercaver.net, www.campercaver.net
1097649901 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-01-10 06:19:28 2019-04-10 05:19:28 campercaver.net, weather.campercaver.net, www.campercaver.net

With two different sets of domain names.

So Letscencrypt doesn't know which certificate is used.

PS: Your configuration isn't complete.

Your non-www uses

CN=campercaver.net
	20.03.2019
	18.06.2019
expires in 78 days	campercaver.net, pinapalooza.campercaver.net, 
weather.campercaver.net, www.campercaver.net - 4 entries

there is the www-domain name included.

But your www uses a self signed expired certificate:

E=root@localhost, CN=localhost, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
	08.07.2016
	08.07.2017
632 days expired

So update your vHost.

Best solution: Add the www as ServerAlias to your non-www-vHost.

And remove the www-vHost, there is an explicit vHost.

4

Ah, that explains it. Thanks! I did not realize that adding another domain would create a completely new certificate.

Bill Gee

1 Like
5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.