LetsEncrypt Expiry Bot

I got an email this morning from the LetsEncrypt Expiry Bot beginning:

Your certificate (or certificates) for the names listed below will expire in 10 days (on 14 Nov 21 15:27 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

However, if I dump the cert with:

openssl x509 -text -in /the/path/to/my/cert.pem

I see

            Not Before: Oct 16 10:26:58 2021 GMT
            Not After : Jan 14 10:26:57 2022 GMT

indicating the cert was renewed last month. Ditto for

openssl x509 -text -in /the/path/to/my/fullchain.pem

I see

            Not Before: Oct 16 10:26:58 2021 GMT
            Not After : Jan 14 10:26:57 2022 GMT

If I run

certbot renew

I get

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /the/path/to/letsencrypt/renewal/mydomain.com.conf

Certificate not yet due for renewal

The following certificates are not due for renewal yet:
/the/path/to/letsencrypt/live/mydomain.com/fullchain.pem expires on 2022-01-14 (skipped)
No renewals were attempted.

I'm pretty confident my cert got renewed on Oct 16. All the renewal/deployment hooks ran correctly on that date as well.

What's the scoop with the expiry 'bot?

Thanks in advance…

-- sw

2 Replies

If you run

certbot certificates

It should list the certs and expiration dates your system thinks it knows about. Maybe it's not the one you are looking at.

It's the same one…and there's only one…

stevewi@mydomain:~ $ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: niteflyte.net
Serial Number: <redacted>
Key Type: RSA
Domains: mydomain.com mail.mydomain.com www.mydomain.com
Expiry Date: 2022-01-14 10:26:57+00:00 (VALID: 70 days)
Certificate Path: /the/path/to/letsencrypt/live/mydomain.com/fullchain.pem
Private Key Path: /the/path/to/letsencrypt/live/mydomain.com/privkey.pem</redacted>

I may have modified the cert to add mail.mydomain.com and www.mydomain.com after initial issuance for mydomain.com. That would make the cert for

Domains: mydomain.com mail.mydomain.com www.mydomain.com

different from the cert for:

Domains: mydomain.com

I've read that this can trigger these 'bot notices.

-- sw


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct