Wrong certificate expiration notification mail

interseb · July 15, 2019, 6:16pm

My domain is:
bleys.ambercity.net
webmail.ambercity.net

I receive email notification from the Expiry Bot saying that my certificates for the above domain will soon expire (on 23 Jul 19 09:24 +0000).

However, the certificate for those domains has been recently renewed (on the 23rd of June) and is still valid until the 21st of September.

Can you check what is wrong ? Am I wrong thinking that my certificate is still valid until September, or is there something wrong with the Expiry Bot ?

My web server is (include version):
Apache 2.4.10-10+deb8u14

The operating system my web server runs on is (include version):
Debian 8.11

My hosting provider, if applicable, is:
Self

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.36.0

JuergenAuer · July 15, 2019, 6:24pm

Hi @interseb

that's correct. Your last active certificates ( https://check-your-website.server-daten.de/?q=bleys.ambercity.net#ct-logs ):

Issuer	not before	not after	Domain names
Let's Encrypt Authority X3	2019-06-23	2019-09-21	bleys.ambercity.net, ical.ambercity.net, ical2.ambercity.net, noah.ambercity.net, sasha.ambercity.net, webmail.ambercity.net - 6 entries
Let's Encrypt Authority X3	2019-04-24	2019-07-23	bleys.ambercity.net, ical.ambercity.net, ical2.ambercity.net, noah.ambercity.net, sasha.ambercity.net, webmail.ambercity.net - 6 entries
Let's Encrypt Authority X3	2019-04-24	2019-07-23	bleys.ambercity.net, webmail.ambercity.net - 2 entries

The certificate with two domain names isn't renewed.

That's correct too. The certificate with 6 domain names is renewed. And you use that certificate:

CN=bleys.ambercity.net
	23.06.2019
	21.09.2019
expires in 68 days	bleys.ambercity.net, 
ical.ambercity.net, ical2.ambercity.net, 
noah.ambercity.net, sasha.ambercity.net, 
webmail.ambercity.net - 6 entries

Nothing is wrong. Letsencrypt doesn't know which certificate you use.

Please read

When You Get an Expiration Email

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

You have changed the set of domain names. The old set produces the mail.

interseb · July 15, 2019, 8:46pm

Thank you very much Juergen, this is clear.
I did not remember changing the set of names for the renewed certificate. I probably did so while migrating to certbot-auto, and completely forgot since then.
Thanks again for your prompt answer.

system · August 14, 2019, 8:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.