Yesterday I received an email saying my Let’s Encrypt certificate will expire on 10 April 2019. Quoting from the email:
Your certificate (or certificates) for the names listed below will expire in 10 days (on 10 Apr 19 07:19 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
However, when I run “certbot renew” on my server, I get this:
===========
[root@vmserver5 cron.daily]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/campercaver.net.conf
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/campercaver.net/fullchain.pem expires on 2019-06-18 (skipped)
No renewals were attempted.
===========
Why am I getting a renewal notice if my certificate does not need renewal? Why is there a difference between the expiration dates?
The server is CentOS 7 with Apache 2.4.6. Certbot is version 0.31.0. There is a cron job that runs certbot every day.
Thanks - Bill Gee
If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.
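The "renewed" rule above, applied to the three certificates from the CT log table posted later in this thread, as an added Python example (not code from Let's Encrypt or from anyone in this thread). It shows why one certificate got a notice and the other did not: a certificate counts as renewed only if a newer one carries exactly the same SAN set. The reference date of 31 March 2019 and the 10-day window are assumptions chosen to match the email quoted in the question; the comparison ignores time zones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Cert:
    crt_id: int            # crt.sh id, as listed in the CT log table in this thread
    not_before: datetime
    not_after: datetime
    names: FrozenSet[str]  # full SAN set; order does not matter for the comparison


def cert(crt_id: int, not_before: str, not_after: str, names: List[str]) -> Cert:
    return Cert(crt_id, datetime.fromisoformat(not_before),
                datetime.fromisoformat(not_after), frozenset(names))


# The three certificates from the CT log table posted in this thread.
CT_LOG: List[Cert] = [
    cert(1307807759, "2019-03-20 05:21:49", "2019-06-18 04:21:49",
         ["campercaver.net", "pinapalooza.campercaver.net",
          "weather.campercaver.net", "www.campercaver.net"]),
    cert(1122014445, "2019-01-18 10:38:06", "2019-04-18 09:38:06",
         ["campercaver.net", "pinapalooza.campercaver.net",
          "weather.campercaver.net", "www.campercaver.net"]),
    cert(1097649901, "2019-01-10 06:19:28", "2019-04-10 05:19:28",
         ["campercaver.net", "weather.campercaver.net", "www.campercaver.net"]),
]


def newest_with_same_names(old: Cert, certs: List[Cert]) -> Optional[Cert]:
    """Newest certificate issued after `old` with exactly the same SAN set,
    or None. Which ACME account issued it is irrelevant to the rule."""
    candidates = [c for c in certs
                  if c.names == old.names and c.not_before > old.not_before]
    return max(candidates, key=lambda c: c.not_before) if candidates else None


def is_renewed(old: Cert, certs: List[Cert]) -> bool:
    return newest_with_same_names(old, certs) is not None


def expiry_notices(certs: List[Cert], now: str, days_before: int) -> List[int]:
    """crt_ids that would receive an expiry mail: expiring within `days_before`
    days of `now` (an ISO timestamp, assumed UTC) and not considered renewed."""
    ref = datetime.fromisoformat(now)
    cutoff = ref + timedelta(days=days_before)
    return [c.crt_id for c in certs
            if ref < c.not_after <= cutoff and not is_renewed(c, certs)]


def names_added(old: Cert, new: Cert) -> FrozenSet[str]:
    """SANs present in `new` but not in `old`; a non-empty result is exactly
    what stops `new` from counting as a renewal of `old`."""
    return new.names - old.names


if __name__ == "__main__":
    # Reference date: ten days before the expiry named in the email (assumed).
    print("would be notified:", expiry_notices(CT_LOG, "2019-03-31 07:19:00", 10))
    print("added name:", sorted(names_added(CT_LOG[2], CT_LOG[0])))
```

Running it reports that only 1097649901 (the three-name certificate) is due for a notice, while 1122014445 is silently covered by 1307807759, and that the name that broke the match is pinapalooza.campercaver.net.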
Your newer certificate has an additional subdomain.
Hi @bgeecaver
Check the CT log entries:
You have three active certificates:
| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1307807759 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-03-20 05:21:49 | 2019-06-18 04:21:49 | campercaver.net, pinapalooza.campercaver.net, weather.campercaver.net, www.campercaver.net | | |
| 1122014445 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-01-18 10:38:06 | 2019-04-18 09:38:06 | campercaver.net, pinapalooza.campercaver.net, weather.campercaver.net, www.campercaver.net | | |
| 1097649901 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-01-10 06:19:28 | 2019-04-10 05:19:28 | campercaver.net, weather.campercaver.net, www.campercaver.net | | |
With two different sets of domain names.
So Letsencrypt doesn't know which certificate is used.
PS: Your configuration isn't complete.
Your non-www uses:
CN=campercaver.net, valid 20.03.2019 - 18.06.2019, expires in 78 days
campercaver.net, pinapalooza.campercaver.net, weather.campercaver.net, www.campercaver.net - 4 entries
The www domain name is included there.
But your www uses a self-signed, expired certificate:
E=root@localhost, CN=localhost, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
valid 08.07.2016 - 08.07.2017, 632 days expired
So update your vHost.
Best solution: Add the www as a ServerAlias to your non-www vHost.
And remove the www vHost, since there is an explicit vHost for it.
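The vHost change recommended above, written out as an added Apache configuration fragment (not the original poster's actual config, which is not shown in the thread). The first block is the shape of the problem the CT check found: a separate www vHost still pointing at the stock self-signed certificate. The second is the fix: one vHost answering for both names from the Let's Encrypt certificate, whose SAN list already contains www.campercaver.net. The DocumentRoot and the localhost.crt/localhost.key paths are assumptions (the latter are the CentOS defaults from mod_ssl's ssl.conf); the fullchain.pem path is the one certbot printed in the question and privkey.pem is certbot's matching key file.

```apache
# Before (assumed shape of the broken config): an explicit www vHost that was
# never switched to the Let's Encrypt files, so browsers get the expired
# self-signed CN=localhost certificate for www.campercaver.net.
<VirtualHost *:443>
    ServerName www.campercaver.net
    DocumentRoot /var/www/campercaver
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

# After: delete the www vHost above and let the non-www vHost answer for both
# names. www.campercaver.net is already a SAN in this certificate, so no new
# certificate (and no new CT log entry) is needed.
<VirtualHost *:443>
    ServerName campercaver.net
    ServerAlias www.campercaver.net
    DocumentRoot /var/www/campercaver
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/campercaver.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/campercaver.net/privkey.pem
</VirtualHost>
```

After editing, `httpd -t` checks the syntax and `httpd -S` lists which vHost owns each ServerName and alias; once Apache is reloaded, `openssl s_client -connect campercaver.net:443 -servername www.campercaver.net` should show the Let's Encrypt chain rather than CN=localhost, since SNI selection happens per name and a stray www vHost would otherwise still win.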
Ah, that explains it. Thanks! I did not realize that adding another domain would create a completely new certificate.
Bill Gee