How do I verify my SSL expiration with Let'sEncrypt?
I set up SSL with Let’sEncrypt a while back, haven’t set up auto renewal quite yet. Got an email that says the certificate for synergyft.com will be expiring Oct 3. But I have an iPhone app called SSL CHECKER that says it is valid until Nov 21. Any idea why the discrepancy?
4 Replies
https://synergyft.com/ and https://www.synergyft.com/ are using a certificate that expires November 21, as your iPhone app says. It looks like nothing's wrong, and you can probably ignore this warning.
https://letsencrypt.org/docs/expiration-emails/
The Let's Encrypt warning system doesn't know which certificates you're using. It just knows about all certificates that exist. It considers a certificate renewed if a new certificate with the exact set of hostnames exists. If you do something like add or remove a subdomain, or delete a certificate, it will eventually warn you that the old one is expiring.
https://crt.sh/?q=synergyft.com (information currently up to September 9)
There are a number of certificates for different combinations of hostnames involving your domain. It looks like this certificate, for only the single name "synergyft.com", is expiring soon:
Your web server is using a different certificate. You probably replaced it long ago. If you deleted it and nothing is using it, you don't need to do anything about it.
When I check expiry dates for my 3 websites, I got some errors. Can anyone shed light on this?
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/synergyft.com-0001.conf prod uced an unexpected error: expected /etc/letsencrypt/live/synergyft.com-0001/cert .pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/www.synergyft.com.conf produ ced an unexpected error: expected /etc/letsencrypt/live/www.synergyft.com/cert.p em to be a symlink. Skipping.
Found the following certs:
Certificate Name: synergyft.com
Domains: flywithmark.net greatlakes.synergyft.com synergyft.com www.flywithm ark.net www.greatlakes.synergyft.com www.synergyft.com
Expiry Date: 2018-11-21 14:38:05+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/synergyft.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/synergyft.com/privkey.pem
Certificate Name: flywithmark.net
Domains: flywithmark.net www.flywithmark.net
Expiry Date: 2018-10-18 12:12:32+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/flywithmark.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/flywithmark.net/privkey.pem
Certificate Name: greatlakes.synergyft.com
Domains: greatlakes.synergyft.com www.greatlakes.synergyft.com
Expiry Date: 2018-10-18 12:09:33+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/greatlakes.synergyft.com/fullchain.p em
Private Key Path: /etc/letsencrypt/live/greatlakes.synergyft.com/privkey.pem
The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/synergyft.com-0001.conf
/etc/letsencrypt/renewal/www.synergyft.com.conf
Can you recall what's happened to Certbot's files? Did you delete or rename things, or copy or restore from a backup that might have transformed symlinks into copies of the target files?
You might have deleted two extra certificates, but missed some of the files?
Can you post "sudo ls -alR /etc/letsencrypt/{archive,live,renewal}"?
Are there any other issues with Certbot or your web server?
The second and third certificates are redundant with the first one, though that isn't really a problem. Your web server is currently using them, so you'd have to update its configuration if you want to delete them.
For future reference, you can delete certificates with e.g. "sudo certbot delete --cert-name flywithmark.net".